
Print at Your Own Risk

Security researcher finds overlooked vulnerabilities in printers and other embedded devices

Your network is under attack. You've checked for penetration by outside attackers, and by insiders using servers or client machines. But this attack isn't coming from any of those sources; it's coming from the one place you're least likely to look: your printer/copier.

Sound like a stretch? It isn't. In fact, at the Black Hat Inc. conference later this month, a security researcher will publish proof-of-concept code that demonstrates how an attacker could use a networked printer or copier to take control of a server and launch an exploit across an enterprise.

Brendan O'Connor, a security engineer who prefers not to share his location or the name of his company, says he has discovered several ways to exploit the server-like capabilities inherent in many embedded devices -- such as printers, copiers, routers, and other innocent-looking systems -- to break into the network and attack other hosts.

"This is the type of vulnerability that usually goes overlooked," says O'Connor. "The last place a sys admin or security engineer is going to look for as the source of network attacks is the copier at the end of the hall."

The problem, O'Connor explains, is that many manufacturers of "embedded systems" quietly build a fully featured Linux operating system into their equipment in order to make them programmable. "The manufacturer doesn't tell you that your product has an ext2 file system, a Linux-based IP stack, a bash shell, and many well-known Unix/Linux tools and commands," he says. "If we start treating it like a server, we can exploit it like a server."

An embedded-system exploit would likely be an inside job, performed by an employee or by someone posing as a service technician, O'Connor states. "A toolbelt, a laptop, and a phony work order will get you into most organizations. 'I'm here to fix the copier' is a statement that no one will question." Attackers could also get access to printers by querying the LAN controller, doing a search for printer ports, or simply walking up to a printer and printing the configuration page.

An insider couldn't do much damage through a copier's terminal shell, which is intended for use by legitimate technicians and requires a username and password, O'Connor observes. "However, there is a vulnerability in the boot process for the network control module. It is possible to interrupt the boot sequence when this module starts to load. Once the boot sequence is interrupted, an attacker can manually load the kernel with a single arbitrary argument."

Using this approach, the attacker could essentially set his own username and password, then exit the shell and let the operating system continue to load. The technician's console would then become accessible via a known username and password. "Log in and enjoy," O'Connor says, noting that the attacker could also hijack functions, steal copies of print jobs, steal usernames and passwords, or load a custom attack kit and let the device scan the network.

An embedded device attack could also take place over the network, according to O'Connor: "These devices typically have a default HTTP administrative interface, which is there by default and cannot be disabled. Using specially crafted post requests, it is possible to bypass the authentication process and gain access to all administrative functions of the Web interface. One of these functions is vulnerable to a code injection attack."

An employee who understands the vulnerabilities could secretly gain root access to a copier, printer, fax machine, or scanner, then use it to hijack network authentication functions and steal other users' login information, O'Connor says. The employee could also use the interface to take over other vulnerable printers, creating a "bot army" that could steal sensitive information from the finance or human resources department.

The embedded system attack could take place through any intelligent device on a network, including security cameras, electronic door controls, fire alarms, or PalmOS devices, O'Connor says. All of these attacks are potentially more dangerous than gaining access to a client PC, because they give the attacker server-like capabilities and possible access to similar devices. And, because these attacks don't come through PC clients, they usually are not detected by traditional security management systems, O'Connor states.

The embedded system attack is not a common approach, but it has been done before. O'Connor got his initial idea from a presentation made by another researcher, who had written an exploit for HP printers. "It took me a long time to finalize my exploit, because I had to blindly map the OS and file system one line at a time. Now that I've done a lot of the grunt work, it may be easier for other researchers to find new things on these devices."

What can enterprises do to prevent this type of attack? "The short answer is that you're pretty much screwed," O'Connor says. "Longer-term, users need to put pressure on vendors to take these types of vulnerabilities more seriously."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
