Hacking Your Printer – the One Security Weak Point No One Thought Of Before

By on Nov 2, 2013 in Blog

We discovered an interesting new development while attending the latest BlackHat conference. It seems that the guys at Red Balloon Security have discovered a way for hackers to get into your printer – and this is something of a game changer as far as information security is concerned..

Now it is important to note that this was a theoretical demonstration to “prove the concept” – and there is (so far) no evidence of this exploit being used in practice. Also this issue is more likely to affect businesses with networked printers, but there is potential for personal home users to be affected as well.

The reason that this issue is such a big game changer is because no one has ever thought of actually securing their printers. But why would you in fact?

Printers for a long time were nothing more than “dumb terminals” – meaning they didn’t have the capability to store and execute instructions unless it was hard-coded in memory, or supplied by another “smart” computer. This is of course why if you’re an IT manager, and you tell your boss that you should be securing the printers – mostly likely you would get laughed at.

Well laughing they shall do no more. Printers today (especially big enterprise models) are very sophisticated machines with their own processors and hard drives to execute any manner of instructions (if you know how to do it right).

This is how the exploit works:

  • First you send a “bad” word document to the target and hope they print it.  If you want to target a single company this might be tricky, but if you email several hundred or thousand companies – someone will eventually print the document. Especially if for example someone sends a resume or uses a clever label such as “payroll increase” or “salary raise”.
  • Once someone prints the document, the printer becomes infected. What happens at this point is that the hacker is able to get into the “shell” of the printer – which allows them to install programs and execute instructions at will.
  • Once someone shells your printer – they can make it connect back to the “bad” host computer, and begin scanning your network to see what is available (and then download / modify accordingly).

The major security issue that arises from this (aside from the obvious) is that it is very difficult to find out that this exploit is being used. The printer will still “print”, and usually no one bothers to check what the printer is doing (aside from changing the toner) i.e. they are looking at the firewall like they’re supposed to.

Even better / worse is that it is possible to convince other devices that the printer is a file server! This allows the infiltrator to perform just about any malicious function you can think of, and no one in the company will be the wiser.

Recommendations:

  1. Patch your printers – most hardware manufacturers have firmware updates to prevent this exploit. Yes – most likely this has never ever been done before – even in a big company with (otherwise) extremely good security.
  2. Apply a password to the printer console for HTTP, Telnet, and SSH. This may not stop this particular exploit 100% but it is still a good security practice anyway.
  3. Don’t allow your printer to connect to the internet. There really is not reason they should be anyway, but if you can think of one – then put all your printers into a separate VLAN (this makes the securing process much easier).
  4. Get specialized software to monitor for this activity. OK these haven’t been released yet (to our knowledge) but something will surely be coming along very soon.

Post a Reply