University forced to disable printer functions after vulnerability exposed

printer2THE INFORMATION Services department has been forced to disable some functions on the University’s new printers after a vulnerability was exposed that could have helped users “hack” the devices.

The printers have a function which allows users to log in to print and photocopy documents by tapping their Aber cards on the front of the device.

The printer then “reads” the card, accessing the unique student number and library barcode of each user, to authenticate their identity and allow them to release print jobs and make photocopies.

But the cards themselves appear to not be encrypted, meaning it could be possible to read them using a standard smartphone with near-field communication technology, and access the details stored on them.

It would then be simple to create a new card loaded with someone else’s details, which would enable you to trick the printers into believing you were that other user.

This means that anyone would have been able to obtain free photocopying, although not free printing, as this requires access to a user account via a PC to send a print job in the first place.

By disabling Aber Card access to printers and instead requiring users to login using their account details, this vulnerability has now been ended.

A university spokesperson said:

“At 9.30 a.m. on Thursday 24 January it was brought to the attention of Information Services that some mobile devices might make it possible to scan information from Aber cards and view the card number.

“Information Services immediately acted on this information and by 10.20am all card numbers had been removed from the system. Anyone wishing to use the system will now need to log in using their username and password.

“By using software on mobiles, it might have been possible to gain some free photocopying, but there is no evidence that anyone has actually done this.

“Information Services are now working with engineers at KonicaMinolta to resolve this issue.”

Information Services have stated that the automatic door locks installed on University computer rooms and academic buildings would not be vulerable to this exploit.

A statement on the Information Services website claimed that “problem with printing” meant “users will be unable to access the printers using their Aber Cards”.

“While this is being investigated users will need to access the printers by logging in with their usernames and passwords.”