Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Print at Your Own Risk

Security researcher finds overlooked vulnerabilities in printers and other embedded devices

Your network is under attack. You've checked for penetration by outside attackers, and by insiders using servers or client machines. But this attack isn't coming from any of those sources; it's coming from the one place you're least likely to look: your printer/copier.

Sound like a stretch? It isn't. In fact, at the Black Hat Inc. conference later this month, a security researcher will publish proof-of-concept code that demonstrates how an attacker could use a networked printer or copier to take control of a server and launch an exploit across an enterprise.

Brendan O'Connor, a security engineer who prefers not to share his location or the name of his company, says he has discovered several ways to exploit the server-like capabilities inherent in many embedded devices -- such as printers, copiers, routers, and other innocent-looking systems -- to break into the network and attack other hosts.

"This is the type of vulnerability that usually goes overlooked," says O'Connor. "The last place a sys admin or security engineer is going to look for as the source of network attacks is the copier at the end of the hall."

The problem, O'Connor explains, is that many manufacturers of "embedded systems" quietly build a fully featured Linux operating system into their equipment in order to make them programmable. "The manufacturer doesn't tell you that your product has an ext2 file system, a Linux-based IP stack, a bash shell, and many well-known Unix/Linux tools and commands," he says. "If we start treating it like a server, we can exploit it like a server."

An embedded-system exploit would likely be an inside job, performed by an employee or by someone posing as a service technician, O'Connor states. "A toolbelt, a laptop, and a phony work order will get you into most organizations. 'I'm here to fix the copier' is a statement that no one will question." Attackers could also get access to printers by querying the LAN controller, doing a search for printer ports, or simply walking up to a printer and printing the configuration page.

An insider couldn't do much damage through a copier's terminal shell, which is intended for use by legitimate technicians and requires a username and password, O'Connor observes. "However, there is a vulnerability in the boot process for the network control module. It is possible to interrupt the boot sequence when this module starts to load. Once the boot sequence is interrupted, an attacker can manually load the kernel with a single arbitrary argument."

Using this approach, the attacker could essentially set his own username and password, then exit the shell and let the operating system continue to load. The technician's console would then become accessible via a known username and password. "Log in and enjoy," O'Connor says, noting that the attacker could also hijack functions, steal copies of print jobs, steal usernames and passwords, or load a custom attack kit and let the device scan the network.

An embedded device attack could also take place over the network, according to O'Connor: "These devices typically have a default HTTP administrative interface, which is there by default and cannot be disabled. Using specially crafted post requests, it is possible to bypass the authentication process and gain access to all administrative functions of the Web interface. One of these functions is vulnerable to a code injection attack."

An employee who understands the vulnerabilities could secretly gain root access to a copier, printer, fax machine, or scanner, then use it to hijack network authentication functions and steal other users' login information, O'Connor says. The employee could also use the interface to take over other vulnerable printers, creating a "bot army" that could steal sensitive information from the finance or human resources department.

The embedded system attack could take place through any intelligent device on a network, including security cameras, electronic door controls, fire alarms, or PalmOS devices, O'Connor says. All of these attacks are potentially more dangerous than gaining access to a client PC, because they give the attacker server-like capabilities and possible access to similar devices. And, because these attacks don't come through PC clients, they usually are not detected by traditional security management systems, O'Connor states.

The embedded system attack is not a common approach, but it has been done before. O'Connor got his initial idea from a presentation made by another researcher, who had written an exploit for HP printers. "It took me a long time to finalize my exploit, because I had to blindly map the OS and file system one line at a time. Now that I've done a lot of the grunt work, it may be easier for other researchers to find new things on these devices."

What can enterprises do to prevent this type of attack? "The short answer is that you're pretty much screwed," O'Connor says. "Longer-term, users need to put pressure on vendors to take these types of vulnerabilities more seriously."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.