Your Printer Can Steal and Deface Your Documents

LAS VEGAS—Printers take been part of the modernistic home and office for decades, despite numerous attempts to go "paperless." But at the Black Hat conference hither, Jens Müller of Ruhr University Bochum reminded attendees that merely because something is ubiquitous doesn't mean information technology should be trusted.

Müller first reminded the crowd how far printer applied science had come, displaying a photograph of an old dot-matrix printer and sleek, new laser printer. But despite the powerful capabilities of today's printers, there "even so tends to produce a paper jam," he said.

Add the ability to admission the printer via USB, local network, or over the internet, and you accept the recipe for a devastating assail. In fact, security researchers have warned for years that connected devices similar printers, routers, and even VoIP phones could exist used every bit beachheads for an aggressor. The phone might not be very useful for an assaulter, but perhaps they could use it to pivot to your secure network.

Müller found enough within the apprehensive printer to go on him busy without trying to escalate an set on. The problem, he said, are the printing protocols that interpret the files on your computer into something the printer tin put to paper. One such protocol—aptly named the Printer Job Language—was adult in the early 90s by HP, and information technology tin make permanent changes to the printer, not just the electric current print job. Another, called PostScript, was developed by Adobe and was originally intended for document commutation. It's been largely replaced past the PDF, but is notwithstanding heavily used in laser printers. These two languages make upwards the backbone of Müller's attacks.

The primal indicate about these printer languages is that the printers executed code written in these languages that is independent within impress jobs. "At that place's no separation betwixt administrative functionality and documents being printed," he explained. "You lot have data and code over the same channel, and that's always a bad thought."

The 4 Horsemen of the Printocalypse

Müller noted that the initial work on the weaknesses within printer protocols was done some xv years agone, and is all the same an issue today. By studying the standards that outline PostScript and PJL, Müller found iv classes of attack: Deprival of service; protection featherbed; print job manipulation; and information disclosure.

The denial of service attack was the simplest. PostScript, Müller reminded the crowd, is a programming language and an attacker can use all the tools independent therein. By sending a impress chore that independent a single line of PosctScript code, Müller fix the printer into an infinite loop, preventing others from using it. A more advanced assault, he said, could apply the same control to continually write to the printer's retention until information technology became wearied.

In a protection bypass attack, Müller considered a scenario whereby a savvy ambassador placed countersign protection on all vulnerable services and devices, including network printers. On some HP printers, Müller found that a single line of PJL code sent in a normal print job could reset the device to factory settings. This would remove the password assigned past the ambassador and exit the device vulnerable.

To dispense print jobs, Müller used the unusual facet of PostScript where a alter fabricated with ane print job could be made permanent and affect all futurity print jobs. In this case, Müller used the overlay command to place a Black Hat logo over any document that emerged from the printer. He encouraged the crowd to go artistic. For example, "you could introduce misspellings in the print chore for certain users you don't like!"

For an data disclosure attack, Müller found that information technology was possible to induce a printer to store impress jobs in its local memory for retrieval past the attacker at a later on appointment. He admitted that, in practice, this was very difficult because it required the attacker to find memory available in the printer in the beginning place. That said, it took only a single command to induce the printer to save its impress jobs, and only one more than to retrieve it.

Müller took this attack one step further by imagining a scenario in which the target printer is behind a firewall that prevents an attacker from receiving information back from a network printer. By using port 9100 on the printer, and some clever work to play a trick on the network into thinking a privileged HTTP server was running inside the firewall, Müller constitute that it was indeed possible to retrieve print jobs.

Notably, printers aren't the only platforms that execute PostScript code. Google Cloud Impress, a service that lets yous ship impress jobs from your phone to network printers, executes PostScript code equally it converts files to PDFs for printing. Dropbox does the same thing with certain files. In these cases, Müller embedded a command to receive data virtually the file construction within these services and constitute that they were indeed executed. Nevertheless, both Dropbox and Google Cloud Print apply isolation techniques that forestall anything useful from being obtained by this assail.

The same problem, however, could exist wherever PostScript files are processed. A site administrator might not recollect this affects them, merely if your site lets users upload a user motion-picture show, or creates thumbnails from uploaded images, the potential for attack is at that place, Müller pointed out.

The Telescopic of the Trouble

A cursory search of Shodan, a favorite search engine of hackers that finds devices connected to the internet, returned some 34,800 printers—simply that's much lower than the actual number, according to Müller. The indicate is, though, at that place are a lot of printers connected to the spider web.

And that doesn't include vulnerable printers that aren't connected to the internet. "Is your department's copy room always locked?" he asked the crowd. "Are your conference printers actually never, never unattended?" he asked, more emphatically, as a picture of Blackness Hat registration area flashed on the screen, its dozen light amplification by stimulated emission of radiation printers very noticeably unattended.

Every bit to how widespread the vulnerabilities are, Müller and his team picked over xx unlike printers from eight different manufacturers. Results were mixed, with some attacks working on whole lines of printers and others failing in odd places. The problem, he stressed, is that the vulnerabilities are in the languages and those are widespread.

"In the long-term actually nosotros need to get rid of insecure printer languages," said Müller, but that's a long-term solution, he conceded.

In the short term, he advised sandboxing network printers into a dissever VLAN that is only reachable through a hardened (and he emphasized "hardened") print server. Printer vendors need to "consider undoing some insecure decisions," and browser vendors could block port 9100.

And, of grade, "e'er keep the copy room locked."

Source: https://sea.pcmag.com/news/16769/your-printer-can-steal-and-deface-your-documents

Posted by: mccormacktookents.blogspot.com

Share this post