Print at Your Own Risk

Security researcher finds overlooked vulnerabilities in printers and other embedded devices



Your network is under attack. You've checked for penetration by outside attackers, and by insiders using servers or client machines. But this attack isn't coming from any of those sources; it's coming from the one place you're least likely to look: your printer/copier.

Sound like a stretch? It isn't. In fact, at the Black Hat Inc. conference later this month, a security researcher will publish proof-of-concept code that demonstrates how an attacker could use a networked printer or copier to take control of a server and launch an exploit across an enterprise.

Brendan O'Connor, a security engineer who prefers not to share his location or the name of his company, says he has discovered several ways to exploit the server-like capabilities inherent in many embedded devices -- such as printers, copiers, routers, and other innocent-looking systems -- to break into the network and attack other hosts.

"This is the type of vulnerability that usually goes overlooked," says O'Connor. "The last place a sys admin or security engineer is going to look for as the source of network attacks is the copier at the end of the hall."

The problem, O'Connor explains, is that many manufacturers of "embedded systems" quietly build a fully featured Linux operating system into their equipment in order to make them programmable. "The manufacturer doesn't tell you that your product has an ext2 file system, a Linux-based IP stack, a bash shell, and many well-known Unix/Linux tools and commands," he says. "If we start treating it like a server, we can exploit it like a server."

An embedded-system exploit would likely be an inside job, performed by an employee or by someone posing as a service technician, O'Connor states. "A toolbelt, a laptop, and a phony work order will get you into most organizations. 'I'm here to fix the copier' is a statement that no one will question." Attackers could also get access to printers by querying the LAN controller, doing a search for printer ports, or simply walking up to a printer and printing the configuration page.

An insider couldn't do much damage through a copier's terminal shell, which is intended for use by legitimate technicians and requires a username and password, O'Connor observes. "However, there is a vulnerability in the boot process for the network control module. It is possible to interrupt the boot sequence when this module starts to load. Once the boot sequence is interrupted, an attacker can manually load the kernel with a single arbitrary argument."

Using this approach, the attacker could essentially set his own username and password, then exit the shell and let the operating system continue to load. The technician's console would then become accessible via a known username and password. "Log in and enjoy," O'Connor says, noting that the attacker could also hijack functions, steal copies of print jobs, steal usernames and passwords, or load a custom attack kit and let the device scan the network.

An embedded device attack could also take place over the network, according to O'Connor: "These devices typically have a default HTTP administrative interface, which is there by default and cannot be disabled. Using specially crafted POST requests, it is possible to bypass the authentication process and gain access to all administrative functions of the Web interface. One of these functions is vulnerable to a code injection attack."

An employee who understands the vulnerabilities could secretly gain root access to a copier, printer, fax machine, or scanner, then use it to hijack network authentication functions and steal other users' login information, O'Connor says. The employee could also use the interface to take over other vulnerable printers, creating a "bot army" that could steal sensitive information from the finance or human resources department.

The embedded system attack could take place through any intelligent device on a network, including security cameras, electronic door controls, fire alarms, or PalmOS devices, O'Connor says. All of these attacks are potentially more dangerous than gaining access to a client PC, because they give the attacker server-like capabilities and possible access to similar devices. And, because these attacks don't come through PC clients, they usually are not detected by traditional security management systems, O'Connor states.
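The detection gap described above comes down to embedded devices initiating connections that PC-centric monitoring never attributes to them. The following check is an added example, not code from the article or from O'Connor's research: it flags inventoried printers that open connections to several hosts outside a short allowlist. The addresses, allowlist, threshold and flow-record format are constructed assumptions.

```python
from collections import defaultdict

# Constructed inventory: addresses of printers/copiers on the LAN (assumed known).
EMBEDDED = {"10.0.5.20", "10.0.5.21"}
# Constructed allowlist: services a printer may legitimately initiate to
# (DNS, NTP, and an SMTP relay for scan-to-email).
ALLOWED = {("10.0.0.2", 53), ("10.0.0.3", 123), ("10.0.0.10", 25)}
FANOUT_LIMIT = 3  # assumed threshold: distinct unexpected hosts before flagging

# Constructed flow records, one per line: "initiator responder responder_port"
SAMPLE_FLOWS = """\
10.0.1.15 10.0.5.20 9100
10.0.5.20 10.0.0.2 53
10.0.5.20 10.0.0.10 25
10.0.5.21 10.0.0.2 53
10.0.5.21 10.0.2.11 22
10.0.5.21 10.0.2.12 22
10.0.5.21 10.0.2.13 445
10.0.5.21 10.0.2.14 445
10.0.1.15 10.0.2.11 22
"""

def parse_flows(text):
    """Yield (initiator, responder, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])

def unexpected_initiations(flows, embedded=EMBEDDED, allowed=ALLOWED):
    """Map each embedded device to the (host, port) pairs it initiated
    connections to that are not on the allowlist."""
    hits = defaultdict(set)
    for src, dst, port in flows:
        if src in embedded and (dst, port) not in allowed:
            hits[src].add((dst, port))
    return dict(hits)

def flag_devices(flows, limit=FANOUT_LIMIT):
    """Return {device: sorted peers} for devices that reached at least
    `limit` distinct unexpected hosts, i.e. server-like or scan-like fan-out."""
    flagged = {}
    for dev, peers in unexpected_initiations(flows).items():
        if len({dst for dst, _ in peers}) >= limit:
            flagged[dev] = sorted(peers)
    return flagged

if __name__ == "__main__":
    for dev, peers in flag_devices(parse_flows(SAMPLE_FLOWS)).items():
        print(dev, "initiated connections to", peers)
```

The check only works if printers and copiers are in the asset inventory to begin with, which is the article's point about treating them as servers.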

The embedded system attack is not a common approach, but it has been done before. O'Connor got his initial idea from a presentation made by another researcher, who had written an exploit for HP printers. "It took me a long time to finalize my exploit, because I had to blindly map the OS and file system one line at a time. Now that I've done a lot of the grunt work, it may be easier for other researchers to find new things on these devices."

What can enterprises do to prevent this type of attack? "The short answer is that you're pretty much screwed," O'Connor says. "Longer-term, users need to put pressure on vendors to take these types of vulnerabilities more seriously."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
