Attack of the Trojan Printers
snydeq writes "Security professionals are tapping Trojan horse access points cloaked in printers and other office equipment to infiltrate clients who want their defenses tested, InfoWorld reports. Attackers dressed in IT supplier uniforms drop off printers to a company for a test-drive. Once the device is connected to the network, the penetration testers have a platform behind any perimeter defenses from which to attack. 'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?' one security researcher says of the method. A variant of the attack, presented by Errata Security at the Defcon hacking convention, uses an attack-tool-laden iPhone mailed to a target company to get inside the firm's network defenses."
An attractive USB device could host something undesirable. Smart clients won't touch them.
... now back to the bit mines.
Beware of geeks bearing gifts.
I eat only the real part of complex carbohydrates.
Wikileaks option?
Yours In Minsk,
Kilgore T.
Apparently our government made use of printers to destroy targets way back when Desert Storm kicked off. Somehow on high-end printers, circuits were hidden that would direct smart missiles right into a window. The assumption was that high-end printers were usually sold to governmental entities or to infrastructure agencies. Apparently it worked well.
We also saw a brand of cell phones sold only by the DEA that were wired to deliver all phone calls to law enforcement as well as the intended conversant. The phones were so superior in quality, and pricey, that drug dealers were almost exclusively buying them. The Miami area lost a lot of drug dealers from that planting.
Nothing really new here, other than perhaps people realizing that printers are a network entity (which they have been at least since the HP LaserJet cards). As for housing a blackhat-usable machine, that has been done for ages, as it isn't hard to just plug in a laptop or network powered biscuit PC and start firing up nmap.
How to protect against this? Cisco's core routers have plenty of tools to deal with rogue devices (MAC address locking per port, health checking, etc.). Wireless networks take some more doing, but can be just as well locked down.
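A defender's version of the per-port check the comment above refers to, as an added example that is not part of the thread: it parses a constructed dump in the style of a `show mac address-table` listing, compares it with an approved port-to-MAC inventory, and flags an access port that suddenly carries a second MAC, which is exactly what a hidden switch or bridge inside a "printer" chassis would produce. The inventory, port names and MAC addresses are all constructed sample data.

```python
"""Audit a switch MAC table against an approved device inventory.

Added example (not from the thread). Two findings matter for a Trojan
printer: a MAC that is not in the approved inventory, and an access port
that carries more than one MAC (a switch or bridge hidden in the chassis).
All ports, MACs and the inventory below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed inventory: access port -> the single MAC that belongs there.
APPROVED = {
    "Gi1/0/1": "0011.2233.4455",  # hypothetical finance laser printer
    "Gi1/0/2": "0011.2233.4466",  # hypothetical reception PC
    "Gi1/0/3": "0011.2233.4477",  # hypothetical badge reader
}

# Constructed MAC table dump in the usual "VLAN  MAC  Type  Port" layout.
# Gi1/0/1 shows a second, unknown MAC: something behind the printer port.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    DYNAMIC     Gi1/0/3
  10    00de.adbe.ef01    DYNAMIC     Gi1/0/1
"""

# One data row: vlan, dotted-hex MAC, type, port. Header/separator rows do not match.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Return {port: [mac, ...]} from a MAC-table dump, in the order listed."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            by_port[m.group(3)].append(m.group(2).lower())
    return dict(by_port)


def audit(by_port, approved):
    """Return a list of (port, finding) tuples for anything that deviates from inventory."""
    findings = []
    for port, macs in sorted(by_port.items()):
        for mac in macs:
            if approved.get(port) != mac:
                findings.append((port, f"unapproved MAC {mac}"))
        if len(macs) > 1:
            findings.append((port, f"{len(macs)} MACs on an access port: possible hidden switch"))
    # An approved device that has vanished from the table also deserves a look.
    for port in sorted(set(approved) - set(by_port)):
        findings.append((port, "approved device not seen"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_mac_table(MAC_TABLE), APPROVED):
        print(f"{port}: {finding}")
```

On a real switch the same condition is what port-security with a maximum of one MAC per access port enforces automatically; this script is the audit you run where that is not (yet) configured, fed with a periodic table export.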
This has been talked about since at least the first Gulf War. There was an urban legend of Iraqi air defenses being taken out by a covertly U.S.-supplied printer.
every anarchist is a baffled dictator. Benito_Mussolini
Dumb people being tricked?! News at 11.
Technically, if you've got extra wires hanging out of your Trojan Printer, you just might be the biggest idiot in fuckheadland. Integrate your spyshit to the motherboard and feed off the built-in network connection and power system! Sorry, I don't click on *world.com articles due to high ad noise and shitty page layout, but I get the drift, Ned. Not even close. NEXT?!
This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
...there only needs to be ONE visible power cable coming out of the back.
A little splicing here, a new fuse, bham, one power cable.
Something like FitPC, Gumstix, Arduino, or even something as simple as a hackable router / modem. (probably much easier to use that actually)
A wall-wart could be a fantastic tool inside a printer for hacking into a company's network. Just remove it from the casing, wire it up to the printer power, throw some tools on there, "printer breaks", you come pick it up with the number you placed on the printer previously, enjoy your secrets.
This happens occasionally on educational grounds, whether it is a rather smart kid in school or someone in University.
In fact, I remember someone did it in a local university so they could access the network externally and use it as a server for files and such.
They used Hamachi to access it. Got around thousands of £s in security systems.
This sounds like a modern version of when the CIA planted a camera inside the Xerox machine in the Soviet embassy.
There's no -1 for "I don't get it."
802.1X, if you don't want rogue devices on your network (and you still believe in "hard shell soft center" security, that is.)
These are pretty cool tactics, but are they warranted? Is the world of corporate espionage so devious and sophisticated that these would be legitimate vectors of attack in the wild?
It is a lot simpler than that. Last month I turned on my laptop's WiFi while replicating some troubleshooting steps and it popped up saying it found 3 WiFi networks, not the usual 2 company-provided, password-protected ones. Turned out someone brought a router inside, plugged it in and used it for God-knows-what, then left it there, turned ON. Free WiFi for everyone!
This was a HUGE security breach, process breach, you-name-it breach. The guy was canned afterwards, but that's not the issue. What's funny is that pretty much all companies' buildings in that area have at least one unprotected WiFi network, freely accessible from any device. No username or password required.
You want to browse through most of the Top50 companies' "secured" networks? You got it. Sometimes I wonder where are all the damn hackers...
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?'
I, for one, would certainly notice THAT. But who in the corporate world would notice or even care?
Also interesting is that the article links to an eWeek article that in turn links to a Slashdot article from 2007 about this same thing.
He who knows best knows how little he knows. - Thomas Jefferson
I personally would hide some sort of bridged network device inside a printer or any other networked device. The device then logs all network data going to the printer. Some of those Linksys devices with Linux would be good for this purpose. Logged data would be sent to a 'secret' server using mobile data (Linksys boxes have a USB connector?). What else... oh, we need to add some microswitch that fries my SIM card and hacked Linksys box if the printer case is ever opened. That would be perfect!
you could say the companies need better....protection?
Did that years ago.
HPLJ4 -- two power cables? what are they hiring amateurs?
Open the printer, add a PC-104 computer with Ethernet and Linux on it along with a small switch. Printer AND PC-104 connect to the switch inside AND scab onto the power supply.
Printer + network scanner/document grabber completely hidden.
Today it's even easier... a SheevaPlug with an HP sticker on it will go unnoticed for months.
Do not look at laser with remaining good eye.
Hasn't al Qaida been doing this for months? http://www.wired.com/dangerroom/2010/11/qaeda-yeah-the-printer-bomb-plot-was-us/
If at first you don't succeed... How does that go again? Ah, forget it.
"InfoWorld reports. Attackers dressed in IT supplier uniforms drop off printers to a company for a test-drive." Seriously...who is the facehat that let them in? I'd be far more concerned with that aspect (whether this is urban legend or not). It's called security controls and common sense...saves a lot of boolshit on the backend.
Man, back in the day you'd send in what looks like an ordinary audio cassette and, after recording a day's worth of audio to on-board memory, it would transform into a bird, shoot its way out, and return to the chest of Soundwave who'd play back what it heard for Megatron.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?'
I, for one, would certainly notice THAT. But who in the corporate world would notice or even care?
No you wouldn't. For an extra ~$20 or so, the attacker could put a power splitter and network switch inside the box, making it just one power cable and one network cable. Given how trivial that is, any real attacker (as in a person or group expecting a hefty profit on the operation) would go that extra step. Security groups are more budget-constrained (they also proved that you don't need that level of sophistication for most targets).
It should also be rather simple to use an embedded computer that controls the printer and is powered by the printer's PSU (this would let you save copies of every printed, faxed, and copied document and send them to an off-site haven whenever it is deemed most convenient/safe). This sort of system wouldn't really be suspect even if opened up; of course it has a controller board. The fact that it's aftermarket can be explained by its lower cost (which department paid for it again? It just seemed to show up one day...).
This isn't limited to printers; you can do this with any network-enabled appliance, be it a printer, file server, firewall, wifi system, etc. Just phone the company and say you're an authorized reseller of the product and that you'd like to offer them a free 90-day evaluation and then never show up to reclaim it (or actually sell it to them for a ridiculously low price claiming that you need the sale to hit your quarterly quota). Most of these appliances are full-featured x86 servers anyway, and it's quite unlikely that somebody would notice your rootkit or stealth processes.
This also isn't limited to the device itself; once you're in the network, you can seize a few Windows systems and use them instead. This lets you take the device back at the end of the free trial. With a netbook or other embedded system (e.g. a smartphone with an ethernet adapter), you could do this while in the office on a tour or while pretending to deliver a package or use the bathroom (assuming you're not chaperoned).
Use my userscript to add story images to Slashdot. There's no going back.
I was doing this (white hat pen testing) over 5 years ago with APC UPSes: run them with no battery, use the internal space for a rogue (non-broadcasting) WAP, network connects into a legit-looking network port on the back. No one suspected them, and they worked like a charm. Took in more than one Fortune 100 company with this trick. Never revealed it to anyone until now - clients were just told that rogue wireless were interjected into their networks.
Most corporate firewalls (at least the part that most users are working behind) stop stuff from coming in, but permit most traffic going out. And even if they do block most traffic going out, they almost always permit 80/tcp out, and while they might have some sort of nanny filter there, something that just goes out to a random address at port 80 and then sends encrypted data will likely get through.
Once this machine is on the network, it can connect to a server somewhere on the Internet, and then the bad guys can come back in through this connection and do whatever they want from the printer. The important intranet sites may indeed require Smart Cards (rare, but some may do this) but all the machines that people work on are often poorly maintained, and the intranet systems that require Smart Cards often have all sorts of vulnerabilities -- the machines they reside on aren't secured, the applications have the whole spectrum of website vulnerabilities, etc. Yes, the company could secure all this stuff, but it would take time and money, and they think "it's inside the firewall, it's safe" (and yes, they're wrong.)
Perhaps some companies are different, but I'd say most are like this. Some companies separate everything internally with firewalls, but most don't, or if they do, there's lots of stuff behind each of these internal firewalls, and anything behind the same firewall as the trojan horse would be vulnerable (and really, stuff on the other side of the firewall might be too, depending on how draconian it is.)
This may not work on the NSA (assuming they follow all their policies!) but I would guess that getting a printer set up like this installed on most company's networks, coupled with skilled crackers working through it (not just script kiddies, though they might have some success too), would be able to get at all sorts of stuff they weren't supposed to get to. If it's a software company, they could get the source for their work, perhaps add their own code (back doors!), etc.
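The egress behaviour described in the comment above (a planted device opening an outbound session on 80/tcp and holding it so the operators can come back in through it) is also the defender's best detection opportunity, because a printer or similar appliance almost never needs to originate sessions to the Internet. The following is an added example, not part of the thread: it runs over constructed firewall egress log lines, treats the RFC 1918 ranges as internal, and flags any session that a host in a constructed printer VLAN initiates to an external address, with long-lived allowed sessions called out separately. The log format, subnet and addresses are all constructed sample data.

```python
"""Spot an appliance phoning home in firewall egress logs.

Added example (not from the thread). Assumes egress logs carry at least
source, destination, destination port, action and session duration; the
key=value layout, the printer VLAN and every address below are constructed.
"""
import ipaddress
import re

# Constructed: the VLAN printers and other appliances live in.
PRINTER_SUBNET = ipaddress.ip_network("10.20.30.0/24")

# RFC 1918 ranges count as internal; anything else is treated as external.
# (A site would list its own internal ranges here; ipaddress.is_global is not
# used because the documentation prefixes in the sample data are not "global".)
INTERNAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed log lines: timestamp, then key=value pairs. Line 2 is a printer
# holding an hour-long allowed session to an outside host on port 80; line 5
# is the same printer being blocked on 443. Line 4 is a workstation, not ours.
LOG = """\
2011-01-10T09:00:01 src=10.20.30.7 dst=10.0.0.25 dport=25 action=allow bytes=4120 dur=2
2011-01-10T09:00:07 src=10.20.30.7 dst=198.51.100.23 dport=80 action=allow bytes=1048576 dur=3600
2011-01-10T09:01:15 src=10.20.30.12 dst=10.0.0.25 dport=25 action=allow bytes=2210 dur=1
2011-01-10T09:02:40 src=10.1.5.44 dst=198.51.100.80 dport=443 action=allow bytes=52000 dur=12
2011-01-10T09:03:02 src=10.20.30.7 dst=203.0.113.9 dport=443 action=deny bytes=0 dur=0
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict with typed src/dst/dport/bytes/dur fields."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = ts
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    for key in ("dport", "bytes", "dur"):
        rec[key] = int(rec[key])
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def find_phone_home(log_text, subnet=PRINTER_SUBNET, long_session=600):
    """Return findings for sessions an appliance initiated to an external address."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["src"] not in subnet or is_internal(r["dst"]):
            continue  # not an appliance, or an internal destination (mail, LDAP, ...)
        if r["action"] == "allow" and r["dur"] >= long_session:
            why = "long-lived allowed egress: reverse connection suspected"
        elif r["action"] == "allow":
            why = "allowed egress from an appliance that should need none"
        else:
            why = "blocked egress attempt: device is trying to reach out"
        findings.append({"ts": r["ts"], "src": str(r["src"]), "dst": str(r["dst"]),
                         "dport": r["dport"], "bytes": r["bytes"], "why": why})
    return findings


if __name__ == "__main__":
    for f in find_phone_home(LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['bytes']} B): {f['why']}")
```

The point of keeping the appliance VLAN as the selector rather than the port number is that a planted box picks whatever port the egress policy lets through; the anomaly is the appliance initiating anything outward at all, and denied attempts are worth an inventory check just as much as allowed ones.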
Wow, I wish I'd thought of that sooner. Stuffing an Arduino with a battery pack and a wifi shield up my ass and asking to use the company john was really wearing on me.
Proud member of the Weirdo-American community.
The trojan doesn't have to be so crudely delivered so late in the supply chain. The printer could have trojan SW installed in it, attacking a host PC (and then the rest of the network) over USB, or the network directly when connected over ethernet. The printer manufacturer, or many of its OEMs, could build them to attack anyone, or specific targets among the many installations they're sleeping in. Or a government could build them in, like if the US had succeeded in requiring a Clipper chip installed in all devices and had sourced the chips from a government-controlled manufacturer. Or similarly with either a Chinese competitor to DVD, or just Chinese manufactured chips of any kind that the Chinese government could force local manufacturers to include, possibly without knowing the trojan is inside. Or by any country, which can force manufacturers to include tech in their products and keep it secret.
In fact I'd be surprised to somehow learn that this manner of delivering trojans has never been done, and that all of everyone's machines are free of them.
--
make install -not war
You can get a mini PC with 2 network ports, put it on the printer that is in place, and put an HP printer sticker on the box to make it look like it's part of the printer.
Outside equipment / stuff not owned by your company is easier to swap out.
Even more so if you are renting an office and the building maintenance says it's for any one of the building systems, like the fire alarm / HVAC / keycard / door security / and so on.
Seriously? I gave and listened to speeches about this kind of stuff six years ago. I know people who've done this stuff in their security consulting work for five years. Granted, those are cutting-edge people, but the general state of the security industry is not five years behind the state of the art, is it?
Assorted stuff I do sometimes: Lemuria.org
Printers were a common weak point. Often configured wrong and trivial to get into.
The Dunning-Kruger explains most posts on
Umm, if you don't notice that, you are a moron. If you accept random electronic 'gifts' that show up in the mail, you are just as stupid.
---- Booth was a patriot ----
Printers... is there nothing they can't do?
Easiest way to install malware on a Mac is simply to make an app bundle that, when first run, asks for credentials. Then name it something like "Strip Poker".
If you want it to go undetected for a longer period of time, then actually include some lame-ass strip poker program on the drive. If you make one for Windows, one for Mac and one for Linux, you're nearly guaranteed that it will be installed.
The difference is, Windows users are paranoid that everything is dangerous. So there's at least a 20% chance that a Windows user will at least try to run a virus checker on a flash drive from an unknown source. The Linux user, if they're really curious, will run it sandboxed in a virtual machine. A Mac user will just type in their password because they're sure their system is immune to malware.
The air defence of Saddam's Iraq used French and Soviet SAM missiles, directed by a nation-wide connected radar system. The central control was by French-made mainframe computers sysplexed via landline WAN.
All this gear was gifted / sold to Saddam because both the west and the commies wanted him to crush islamic revolutionary Iran underfoot. Yet the arabs are really stupid and lazy people, which no amount of weapons aid can help, so the war ended in a draw against the ethnic persian Iran.
Then Saddam turned on Kuwait to loot enough valuables to finance his war-debt-ruined domestic economy. USA et al decided to liberate Kuwait, but there was over half a year of preparations before the international coalition started rolling. Meanwhile Iraq wanted to buy some large format printers via clandestine ways to avoid the worldwide trade embargo. Mossad found out that the printers were for the air defence mainframes, so Iraqis could print large transparencies with near real-time airborne situation for use with the Soviet style glass-wall war room displays.
H-P was asked to provide hardware for the CIA and the printers were fitted with a trojan chip, and these were placed on the black market for easy Iraqi access, who promptly bought them. The French mainframes used a connection which gave printers access to the bus. The trojan chip was able to see how much usage the mainframe got, so it was programmed to flood attack with faux error signals when the activity rose very high. Therefore the allied air attack found the Iraqi air defence control already under a printer-induced DoS situation and the war was easily won! USA then gifted 102 pcs F-16 warplanes to the Jews, grateful for the info-attack splendid idea.
A somewhat similar, but much more disastrous trick was also played against Osama bin Laden, a well-known kidney patient. Several crates of Baxter Corp. dialyser filters were poisoned by the CIA and directed towards the Asian black market for use by the Al-Kaida sheik. The crates got mixed up in transit in the Netherlands and then kidney patients started to die worldwide. Baxter publicly took the shame for "faulty manufacture" and went bankrupt, while the CIA is still standing but had to part with a few billion USD to compensate Baxter shareholders. For Osama bin Laden it is anybody's guess if he is still alive or long dead and just a media effigy kept by the US gov't to keep people afraid.
No, those were Julian Assange's face shots for the media kit. Common mistake.
"uses an attack-tool-laden iPhone"
i.e., a NecronomiPod (à la Charlie Stross).
September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA