This is part 3 of a 5-part series about one of the most significant and often overlooked dangers to your I.T. environment: your printers and MFPs. In Parts 1 & 2, we spoke about the vulnerabilities and reframed our view on modern printers. In part three, we are going to dive into how some of these threats are realized and what they can do.
The resume of death.
The first exploit that I want to share is one that is so common it's painful. Like many organizations, you have at some point posted a job opening on one of the many popular job-sharing websites. The natural consequence of such an action is that you receive a number of "qualified" resumes from candidates who are seeking to fill the vacant position.
While most of these candidates will only meet with your delete key, a worthy few who look good on paper will remain. For those who survive the first cut, what's likely to happen prior to the interview is that their resume will get printed. This is very typical behavior and, as with many things in the tech world, it’s also where the danger lies. It is now possible for a seemingly ordinary-looking resume to carry embedded code hidden within the file itself. When you go to print it and that innocent document hits the print stream, the code is able to rewrite the firmware on your printer or MFP.
Once overwritten, your printer, now with compromised firmware, will act as a springboard to attack other hosts and end devices on your network. This very exploit has been used to turn a standard VoIP phone that appears to be on-hook into a bugging device capable of recording or tweeting entire conversations.
To see how this was used, check out this video from the team at Red Balloon Security:
Leaving the door open
Convenience sure is a killer sometimes. In many ways, there’s no one to blame for this exploit but ourselves. Leaving ports open and, worse yet, making them public-facing in the name of "ease of use" or "manageability" is one of the easiest and most inviting ways to get hacked. This exploit has been realized multiple times recently with varying degrees of maliciousness.
Hacker Stack Overflow recently hacked over 160,000 printers on impulse through open public-facing ports such as 9100, 631, and 515. In this hack, which he claimed was to "raise awareness of the issue," all he did was print out ASCII art telling the victim they've been "pwned."
Click for story -> Hacker: I made 160,000 printers spew out ASCII art around the world
Taking the exploit into the obscene and offensive, Hacker Weev used public-facing ports on 20,000 printers across many college and university campuses to print out anti-Semitic Nazi propaganda and filled output trays everywhere with hate.
Weev claims he didn't "hack" anything as the printers were, in fact, public-facing and ready to receive input. Sadly, he may be correct. Poor management or deliberate configuration choices to make it easy for users to print from anywhere are largely to blame in both attacks, and neither, it may turn out, is illegal.
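One way to check your own perimeter for the exposure described above, as an added example that is not part of the original article: the script reads firewall rules in iptables-save style and reports ACCEPT rules that let a source outside the RFC 1918 private ranges reach ports 9100, 631, or 515. The sample rules, addresses, and function names are constructed for illustration, and rule negation (`!`) is not handled.

```python
import ipaddress
import shlex

# Print ports named in the article: 9100 (raw/JetDirect), 631 (IPP), 515 (LPD).
PRINT_PORTS = {9100: "raw/JetDirect", 631: "IPP", 515: "LPD"}
# Assumption: only RFC 1918 ranges count as "internal" sources.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules in iptables-save style (not from any real device).
SAMPLE_RULES = """\
-A FORWARD -s 10.0.0.0/8 -d 192.168.10.25/32 -p tcp -m tcp --dport 9100 -j ACCEPT
-A FORWARD -d 192.168.10.25/32 -p tcp -m tcp --dport 631 -j ACCEPT
-A FORWARD -s 0.0.0.0/0 -d 192.168.10.26/32 -p tcp -m multiport --dports 515,9100 -j ACCEPT
-A FORWARD -s 203.0.113.0/24 -d 192.168.10.27/32 -p tcp -m tcp --dport 9000:9200 -j ACCEPT
-A FORWARD -d 192.168.10.28/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 198.51.100.7/32 -d 192.168.10.29/32 -p tcp -m tcp --dport 9100 -j DROP
"""

def port_ranges(spec):
    """Expand '515,9100' or '9000:9200' into (low, high) pairs."""
    for part in spec.split(","):
        low, _, high = part.partition(":")
        yield int(low), int(high or low)

def exposed_print_rules(rules_text):
    """Return (dest, port, service, source) for each ACCEPT rule that lets a
    non-internal source reach a print port."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        # Map each option flag to the token that follows it.
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        spec = opts.get("--dport") or opts.get("--dports")
        if opts.get("-j") != "ACCEPT" or opts.get("-p") != "tcp" or not spec:
            continue
        # A rule with no -s matches every source address.
        src = ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False)
        if any(src.subnet_of(net) for net in INTERNAL):
            continue
        for low, high in port_ranges(spec):
            for port, service in PRINT_PORTS.items():
                if low <= port <= high:
                    findings.append((opts.get("-d", "any"), port, service, str(src)))
    return findings

if __name__ == "__main__":
    for finding in exposed_print_rules(SAMPLE_RULES):
        print("print port reachable from outside:", finding)
```

Any rule it reports is a candidate for narrowing the source range or removing the rule.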
There are eyes everywhere.
Spyware, the ever-present danger inside our PCs, has now made its way to the print world. In spyware-based attacks, hackers can retrieve a copy of every document remaining in memory or in storage. With larger and larger hard drives becoming the norm in enterprise printers, this could be years of sensitive information that can be lifted at the will of the hacker. In a 2017 Black Hat talk, Jens Müller discussed the increased risk of spyware and other threats due to insecure print protocols.
You can see the slides from his presentation here:
They keep piling up
The number of exploits on printers continues to rise on a daily basis. Popular exploit framework tool Metasploit now has a host of options available to it, ready to be attached and used in an attack at a moment’s notice. There are cases of printers being used as repositories for illicit file sharing, being turned into a Minecraft server, or, as is very popular these days, being used to mine cryptocurrency. That often occurs when the printer falls victim to, and becomes a member of, a botnet.
In part 4 of our series, we will take a look at countermeasures and cures to help protect our systems and prevent our printers, copiers, and MFPs from becoming victims of these increasing vulnerabilities.
About the Author
Bruce Rushton is a Solutions Architect and Printer Security Specialist with over 30 years’ experience in the I.T. space, the last nine years dedicated to providing Managed Print Solutions. At Total Print (TotalprintUSA.com) he helps companies across the United States by providing them with tailored, affordable, cost-cutting, secure printer, copier, and MFP solutions. If you have questions about your print environment or the security of your devices, you can request a free consultation with Bruce at firstname.lastname@example.org