Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Print at Your Own Risk

Security researcher finds overlooked vulnerabilities in printers and other embedded devices

Your network is under attack. You've checked for penetration by outside attackers, and by insiders using servers or client machines. But this attack isn't coming from any of those sources; it's coming from the one place you're least likely to look: your printer/copier.

Sound like a stretch? It isn't. In fact, at the Black Hat Inc. conference later this month, a security researcher will publish proof-of-concept code that demonstrates how an attacker could use a networked printer or copier to take control of a server and launch an exploit across an enterprise.

Brendan O'Connor, a security engineer who prefers not to share his location or the name of his company, says he has discovered several ways to exploit the server-like capabilities inherent in many embedded devices -- such as printers, copiers, routers, and other innocent-looking systems -- to break into the network and attack other hosts.

"This is the type of vulnerability that usually goes overlooked," says O'Connor. "The last place a sys admin or security engineer is going to look for as the source of network attacks is the copier at the end of the hall."

The problem, O'Connor explains, is that many manufacturers of "embedded systems" quietly build a fully featured Linux operating system into their equipment in order to make them programmable. "The manufacturer doesn't tell you that your product has an ext2 file system, a Linux-based IP stack, a bash shell, and many well-known Unix/Linux tools and commands," he says. "If we start treating it like a server, we can exploit it like a server."

An embedded-system exploit would likely be an inside job, performed by an employee or by someone posing as a service technician, O'Connor states. "A toolbelt, a laptop, and a phony work order will get you into most organizations. 'I'm here to fix the copier' is a statement that no one will question." Attackers could also get access to printers by querying the LAN controller, doing a search for printer ports, or simply walking up to a printer and printing the configuration page.

An insider couldn't do much damage through a copier's terminal shell, which is intended for use by legitimate technicians and requires a username and password, O'Connor observes. "However, there is a vulnerability in the boot process for the network control module. It is possible to interrupt the boot sequence when this module starts to load. Once the boot sequence is interrupted, an attacker can manually load the kernel with a single arbitrary argument."

Using this approach, the attacker could essentially set his own username and password, then exit the shell and let the operating system continue to load. The technician's console would then become accessible via a known username and password. "Log in and enjoy," O'Connor says, noting that the attacker could also hijack functions, steal copies of print jobs, steal usernames and passwords, or load a custom attack kit and let the device scan the network.

An embedded device attack could also take place over the network, according to O'Connor: "These devices typically have a default HTTP administrative interface, which is there by default and cannot be disabled. Using specially crafted post requests, it is possible to bypass the authentication process and gain access to all administrative functions of the Web interface. One of these functions is vulnerable to a code injection attack."

An employee who understands the vulnerabilities could secretly gain root access to a copier, printer, fax machine, or scanner, then use it to hijack network authentication functions and steal other users' login information, O'Connor says. The employee could also use the interface to take over other vulnerable printers, creating a "bot army" that could steal sensitive information from the finance or human resources department.

The embedded system attack could take place through any intelligent device on a network, including security cameras, electronic door controls, fire alarms, or PalmOS devices, O'Connor says. All of these attacks are potentially more dangerous than gaining access to a client PC, because they give the attacker server-like capabilities and possible access to similar devices. And, because these attacks don't come through PC clients, they usually are not detected by traditional security management systems, O'Connor states.

The embedded system attack is not a common approach, but it has been done before. O'Connor got his initial idea from a presentation made by another researcher, who had written an exploit for HP printers. "It took me a long time to finalize my exploit, because I had to blindly map the OS and file system one line at a time. Now that I've done a lot of the grunt work, it may be easier for other researchers to find new things on these devices."

What can enterprises do to prevent this type of attack? "The short answer is that you're pretty much screwed," O'Connor says. "Longer-term, users need to put pressure on vendors to take these types of vulnerabilities more seriously."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
inFeedURL => http://smartbox.techweb.com/smartbox/digitaleditionadmin/getcontent?site=162801002&Section=all&endDate=5/3/2021&num_display=1&output_type=xml
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-05
SonicWall SSO-agent default configuration uses NetAPI to probe the associated IP's in the network, this client probing method allows a potential attacker to capture the password hash of the privileged user and potentially forces the SSO Agent to authenticate allowing an attacker to bypass firewall a...
PUBLISHED: 2021-03-05
An issue was discovered in IdentityModel (aka ScottBrady.IdentityModel) before 1.3.0. The Branca implementation allows an attacker to modify and forge authentication tokens.
PUBLISHED: 2021-03-05
An issue was discovered in channels/chan_sip.c in Sangoma Asterisk through 13.29.1, through 16.6.1, and through 17.0.0; and Certified Asterisk through 13.21-cert4. A SIP request can be sent to Asterisk that can change a SIP peer's IP address. A REGISTER does not need to occur, and calls can be hijac...
PUBLISHED: 2021-03-05
SonLogger before 6.4.1 is affected by user creation with any user permissions profile (e.g., SuperAdmin). An anonymous user can send a POST request to /User/saveUser without any authentication or session header.
PUBLISHED: 2021-03-05
SonLogger before 6.4.1 is affected by Unauthenticated Arbitrary File Upload. An attacker can send a POST request to /Config/SaveUploadedHotspotLogoFile without any authentication or session header. There is no check for the file extension or content of the uploaded file.