
Print at Your Own Risk

Security researcher finds overlooked vulnerabilities in printers and other embedded devices

Your network is under attack. You've checked for penetration by outside attackers, and by insiders using servers or client machines. But this attack isn't coming from any of those sources; it's coming from the one place you're least likely to look: your printer/copier.

Sound like a stretch? It isn't. In fact, at the Black Hat Inc. conference later this month, a security researcher will publish proof-of-concept code that demonstrates how an attacker could use a networked printer or copier to take control of a server and launch an exploit across an enterprise.

Brendan O'Connor, a security engineer who prefers not to share his location or the name of his company, says he has discovered several ways to exploit the server-like capabilities inherent in many embedded devices -- such as printers, copiers, routers, and other innocent-looking systems -- to break into the network and attack other hosts.

"This is the type of vulnerability that usually goes overlooked," says O'Connor. "The last place a sys admin or security engineer is going to look for as the source of network attacks is the copier at the end of the hall."

The problem, O'Connor explains, is that many manufacturers of "embedded systems" quietly build a fully featured Linux operating system into their equipment in order to make it programmable. "The manufacturer doesn't tell you that your product has an ext2 file system, a Linux-based IP stack, a bash shell, and many well-known Unix/Linux tools and commands," he says. "If we start treating it like a server, we can exploit it like a server."

An embedded-system exploit would likely be an inside job, performed by an employee or by someone posing as a service technician, O'Connor states. "A toolbelt, a laptop, and a phony work order will get you into most organizations. 'I'm here to fix the copier' is a statement that no one will question." Attackers could also get access to printers by querying the LAN controller, doing a search for printer ports, or simply walking up to a printer and printing the configuration page.

An insider couldn't do much damage through a copier's terminal shell, which is intended for use by legitimate technicians and requires a username and password, O'Connor observes. "However, there is a vulnerability in the boot process for the network control module. It is possible to interrupt the boot sequence when this module starts to load. Once the boot sequence is interrupted, an attacker can manually load the kernel with a single arbitrary argument."

Using this approach, the attacker could essentially set his own username and password, then exit the shell and let the operating system continue to load. The technician's console would then become accessible via a known username and password. "Log in and enjoy," O'Connor says, noting that the attacker could also hijack functions, steal copies of print jobs, steal usernames and passwords, or load a custom attack kit and let the device scan the network.

An embedded device attack could also take place over the network, according to O'Connor: "These devices typically have a default HTTP administrative interface, which is there by default and cannot be disabled. Using specially crafted post requests, it is possible to bypass the authentication process and gain access to all administrative functions of the Web interface. One of these functions is vulnerable to a code injection attack."

An employee who understands the vulnerabilities could secretly gain root access to a copier, printer, fax machine, or scanner, then use it to hijack network authentication functions and steal other users' login information, O'Connor says. The employee could also use the interface to take over other vulnerable printers, creating a "bot army" that could steal sensitive information from the finance or human resources department.

The embedded system attack could take place through any intelligent device on a network, including security cameras, electronic door controls, fire alarms, or PalmOS devices, O'Connor says. All of these attacks are potentially more dangerous than gaining access to a client PC, because they give the attacker server-like capabilities and possible access to similar devices. And, because these attacks don't come through PC clients, they usually are not detected by traditional security management systems, O'Connor states.

The embedded system attack is not a common approach, but it has been done before. O'Connor got his initial idea from a presentation made by another researcher, who had written an exploit for HP printers. "It took me a long time to finalize my exploit, because I had to blindly map the OS and file system one line at a time. Now that I've done a lot of the grunt work, it may be easier for other researchers to find new things on these devices."

What can enterprises do to prevent this type of attack? "The short answer is that you're pretty much screwed," O'Connor says. "Longer-term, users need to put pressure on vendors to take these types of vulnerabilities more seriously."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
