Attack of the Trojan Printers

snydeq writes "Security professionals are tapping Trojan horse access points cloaked in printers and other office equipment to infiltrate clients who want their defenses tested, InfoWorld reports. Attackers dressed in IT supplier uniforms drop off printers to a company for a test-drive. Once the device is connected to the network, the penetration testers have a platform behind any perimeter defenses from which to attack. 'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?' one security researcher says of the method. A variant of the attack, presented by Errata Security at the Defcon hacking convention, uses an attack-tool-laden iPhone mailed to a target company to get inside the firm's network defenses."

  1. tried that with a Flip cam by lpaul55 · · Score: 2

    An attractive USB device could host something undesirable. Smart clients won't touch them.

    --
    ... now back to the bit mines.
    1. Re:tried that with a Flip cam by Anonymous Coward · · Score: 2, Funny

      Good luck trying to mail someone a printer right now :-)

    2. Re:tried that with a Flip cam by arivanov · · Score: 4, Insightful

      Printer is indeed a better choice.

      Some printers can have a full attack kit loaded and have WiFi. While most printers are yet to be hacked, the possibility is there. The bigger ones have a fully blown OS of some description doing the management functionality. Some of it is also hopelessly out of date security-wise. I have seen stuff like Win2000 being used on the print centers by one well known big company. Rooting that is trivial.

      The ones that cannot be rooted can still have a MIM put in between their built-in network functionality and the customer network. If done properly it will _NOT_ have any "cables sticking out" either. A microcontroller with two Ethernets which bridges between the printer's original Ether and a fake one sticking out can be put in something the size of a matchbox nowadays. With most IT depts putting in Power over Ethernet indiscriminately, nobody will notice if it is powered from the net. And so on. There are lots of variations on this theme, and having "more than one cable sticking out" actually means a very lame job on the side of whoever did it.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    3. Re:tried that with a Flip cam by Crudely_Indecent · · Score: 2

      The average person will pick up a USB pen drive from the parking lot and plug it into their PC or laptop.

      I did that last month.

      I run Linux though, so I'm not really worried about the things most people worry about. All that was on it was an exceptionally boring PowerPoint file, which I deleted before giving the stick to my wife (who uses a MacBook).

      --
      "Lame" - Galaxar
    4. Re:tried that with a Flip cam by oldspewey · · Score: 3, Funny

      before giving the stick to my wife

      Pics or it didn't happen.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?
  2. That old saying applies by Megahard · · Score: 5, Funny

    Beware of geeks bearing gifts.

    --
    I eat only the real part of complex carbohydrates.
    1. Re:That old saying applies by Schadrach · · Score: 3, Insightful

      The point is that your situation is unlike most, especially small businesses who will generally run on a "How much will it cost to do it right? OK, you get half that," budget.

    2. Re:That old saying applies by Mr.+Freeman · · Score: 2

      Better yet, there's a lot of printers nowadays that have wireless networking capability built-in.

      Some custom firmware and all of a sudden you've turned this printer into an access point as well. No glued shut trays, no mysterious power cables, etc.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
    3. Re:That old saying applies by bored · · Score: 2

      With cat6 I assume you are running GigE or better, which generally has auto MDI-X and may not even require a crossover. The problem is this crap often doesn't work as advertised, and disabling auto negotiation often forces the speed to 100Mbit, or worse (because auto negotiation is required for GigE per the spec). I've seen adapters that expect the remote side of the port to send NLP/FLP sequences before they wake up. Get two adapters like that, and they won't talk.

  3. Physical access == pwnage by mlts · · Score: 3, Insightful

    Nothing really new here, other than perhaps people realizing that printers are a network entity (which they have been at least since the HP LaserJet cards). As for housing a blackhat-usable machine, that has been done for ages, as it isn't hard to just plug in a laptop or network powered biscuit PC and start firing up nmap.

    How to protect against this? Cisco's core routers have plenty of tools to deal with rogue devices (MAC address locking per port, healthchecking, etc.) Wireless networks take some more doing, but can be just as well locked down.

    1. Re:Physical access == pwnage by hawguy · · Score: 4, Interesting

      How to protect against this? Cisco's core routers have plenty of tools to deal with rogue devices (MAC address locking per port, healthchecking, etc.) Wireless networks take some more doing, but can be just as well locked down.

      Agreed -- we use 802.1x authentication on all of our switch ports; only domain computers are allowed on the network. We do MAC address bypass on specific ports for known network printers, etc., but they go on a limited access VLAN. No one outside of IT can receive a printer in the mail and just plug it in and have it on our network.

      I thought all midsized and larger businesses used some sort of port control to control network access?

      Small businesses are usually so lax in computer security that there are so many holes in their network, making it unnecessary to send them a Trojan Printer to hack in. I've done work for a number of small businesses that use 40 bit WEP to "protect" their WiFi network -- and no amount of persuading from me will make them change it.
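
hawguy's setup (802.1x everywhere, MAC bypass only on specific ports, printers in a limited VLAN) can be checked from the wired side by comparing the switch's MAC address table against a printer inventory. The script below is an added example, not code from the thread or from any vendor: the inventory, the MAB port list and the "show mac address-table" text it parses are constructed, and the row layout is only assumed to resemble the Cisco IOS output.

```python
"""Audit a switch MAC address table against a printer inventory (added example).

All data below is constructed: the inventory and MAB port list are invented,
and the table text mimics a common Cisco IOS layout but was not captured
from a real switch.
"""
import re
from dataclasses import dataclass

# Ports where MAC Authentication Bypass (MAB) is enabled for printers, mapped
# to the limited-access VLAN each should land in. Constructed values.
MAB_PORTS = {"Gi1/0/7": 40, "Gi1/0/8": 40}

# Known printers: MAC -> the one port it is expected on. Constructed values.
PRINTER_INVENTORY = {
    "0011.2233.4455": "Gi1/0/7",
    "0011.2233.4466": "Gi1/0/8",
}

# Constructed sample of "show mac address-table" output.
MAC_TABLE = """\
 Vlan    Mac Address       Type        Ports
 ----    -----------       --------    -----
   40    0011.2233.4455    DYNAMIC     Gi1/0/7
   40    0011.2233.4466    DYNAMIC     Gi1/0/8
   40    d8d3.8519.aabb    DYNAMIC     Gi1/0/8
   10    0011.2233.4455    DYNAMIC     Gi1/0/12
   10    0050.56aa.bbcc    DYNAMIC     Gi1/0/3
"""

# One table row: VLAN, dotted-hex MAC, learn type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I
)


@dataclass(frozen=True)
class Finding:
    mac: str
    port: str
    vlan: int
    reason: str


def parse_mac_table(text):
    """Return (vlan, mac, port) tuples; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows


def audit(rows, inventory=PRINTER_INVENTORY, mab_ports=MAB_PORTS):
    """Flag anything on a MAB port that is not the inventoried printer, and any
    printer MAC that turns up somewhere other than its own MAB port."""
    findings = []
    for vlan, mac, port in rows:
        expected_port = inventory.get(mac)
        if port in mab_ports:
            if expected_port is None:
                # A second, unknown MAC behind the printer's port: an in-line
                # device, or something plugged into the printer's own switch.
                findings.append(Finding(mac, port, vlan, "unknown MAC on MAB port"))
            elif expected_port != port:
                findings.append(Finding(mac, port, vlan, "printer on unexpected port"))
            elif vlan != mab_ports[port]:
                findings.append(Finding(mac, port, vlan, "printer outside its VLAN"))
        elif expected_port is not None:
            # The printer's MAC on an ordinary port: moved, or cloned to ride the bypass.
            findings.append(Finding(mac, port, vlan, "printer MAC seen outside its MAB port"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_mac_table(MAC_TABLE)):
        print(f"{f.reason}: {f.mac} on {f.port} (vlan {f.vlan})")
```

On the constructed table this reports the extra MAC sharing the printer's port (what an in-line bridge of the kind described upthread looks like from the wired side) and the printer's own MAC reappearing on an ordinary port. On Cisco switches the first case can also be refused outright with `authentication host-mode single-host` on the MAB ports; the second still needs this kind of cross-check, since a cloned MAC is exactly what MAB cannot distinguish.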

    2. Re:Physical access == pwnage by Score+Whore · · Score: 2

      Well, a lot of people fail to remember that the majority of the Ethernet switches being sold today only send packets to the specific port the endpoint is on, unless it's a broadcast/multicast packet.

      That's the definition of a switch. So I would hope that the majority of them do that.

    3. Re:Physical access == pwnage by hawguy · · Score: 2

      Yes, I have described all facets of my security in 2 sentences and it consists entirely of port access control on my switches. Oh, I forgot to include the admin passwords for the switches, they are all set to "RngZr". Come hack me, please.

  4. Re: Old News by wjousts · · Score: 5, Informative

    Urban myth, read the first two paragraphs of TFA

    Way back in 1991, InfoWorld reported on an advanced threat hitchhiking inside printers shipped to Iraq. The virus, known as AF/91 and implanted by the U.S. government, reportedly shut down Iraqi radar installations before escaping to spread among Windows computers.

    The article, published on April 1, was a spoof. But it spawned an urban myth that has been reported as fact in many circles.

  5. Old trick, upgraded by MrEricSir · · Score: 2

    This sounds like a modern version of when the CIA planted a camera inside the Xerox machine in the Soviet embassy.

    --
    There's no -1 for "I don't get it."
    1. Re:Old trick, upgraded by Kittenman · · Score: 3, Funny

      Was that when the CIA just got multiple close-up photos of Russian butts from the Soviet embassy party?

      --
      "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
    2. Re:Old trick, upgraded by Dthief · · Score: 2

      Ya, I think I saw those ass-shots on wikileaks

      --
      www.RacquetUp.org - Helping Detroit Youth
  6. Cool by mr100percent · · Score: 2

    These are pretty cool tactics, but are they warranted? Is the world of corporate espionage so devious and sophisticated that these would be legitimate vectors of attack in the wild?

  7. Why make it complicated? by war4peace · · Score: 5, Interesting

    It is a lot simpler than that. Last month I turned on my laptop's WiFi while replicating some troubleshooting steps and it popped up saying it found 3 WiFi networks, not the usual 2 company-provided, password-protected ones. Turned out someone brought a router inside, plugged it in and used it for God-knows-what, then left it there, turned ON. Free WiFi for everyone!
    This was a HUGE security breach, process breach, you-name-it breach. The guy was canned afterwards, but that's not the issue. What's funny is that pretty much all companies' buildings in that area have at least one unprotected WiFi network, freely accessible from any device. No username or password required.
    You want to browse through most of the Top50 companies' "secured" networks? You got it. Sometimes I wonder where all the damn hackers are...

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    1. Re:Why make it complicated? by Yvan256 · · Score: 2

      Sometimes I wonder where are all the damn hackers...

      Trying to hack Blizzard's servers to get some l33t gear they can't bother questing for?

    2. Re:Why make it complicated? by Minwee · · Score: 2

      Periodically scanning for rouge WIFI access points on your company's campus would prevent this sort of thing from happening.

      But would that help you find magenta and teal access points as well?

    3. Re:Why make it complicated? by FooAtWFU · · Score: 3, Informative

      This is why serious wireless vendors like Cisco and Aruba and the like have "rogue access point detection" which can not only triangulate the location of an unknown device given its wireless signal strength in relation to legitimate APs, they can also determine if it's hooked up to your network (if there's appropriate hardware in the packet path) and spoof packets to cause a denial of service and disconnect any clients.

      Of course, these capabilities will cost you.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
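
The rogue AP detection FooAtWFU describes (and the periodic scan Minwee suggests) comes down to comparing what is on the air with what you authorized. The following Python script is an added example, not the thread's or any vendor's code. The scan results, authorized BSSID list and wired MAC list are constructed; the "is it plugged into our network" step is a heuristic assumption, namely that a consumer AP's Ethernet MAC usually sits within a few addresses of its BSSID, so an unknown BSSID adjacent to a MAC seen on the wired side is treated as connected.

```python
"""Flag rogue access points in a Wi-Fi scan (added example).

Everything below is constructed sample data. The wired-side check is a
heuristic assumption (adjacent BSSID / Ethernet MAC), not a vendor feature.
"""
AUTHORIZED_BSSIDS = {"a4:56:02:10:20:30", "a4:56:02:10:20:40"}
CORP_SSIDS = {"Corp-Staff", "Corp-Guest"}

# Constructed scan: (bssid, ssid, security, rssi_dbm). Signal above the
# threshold below is taken to mean "inside the building".
SCAN = [
    ("a4:56:02:10:20:30", "Corp-Staff", "WPA2-Enterprise", -48),
    ("a4:56:02:10:20:40", "Corp-Guest", "WPA2-PSK", -55),
    ("c0:c1:c0:aa:bb:01", "linksys", "OPEN", -41),
    ("00:1a:2b:3c:4d:5e", "Corp-Staff", "WPA2-PSK", -70),
    ("00:1a:2b:3c:4d:60", "neighbour", "WPA2-PSK", -85),
]

# Constructed: MACs currently seen in the wired switch's address table.
WIRED_MACS = {"c0:c1:c0:aa:bb:00", "00:50:56:aa:bb:cc"}

INSIDE_RSSI = -60


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def adjacent_on_wire(bssid, wired, window=4):
    """Heuristic: the AP's wired MAC is within `window` of its BSSID."""
    b = mac_to_int(bssid)
    return any(abs(mac_to_int(w) - b) <= window for w in wired)


def classify(scan, authorized=AUTHORIZED_BSSIDS, corp_ssids=CORP_SSIDS, wired=WIRED_MACS):
    """Return a finding per unauthorized AP that trips at least one rule."""
    findings = []
    for bssid, ssid, security, rssi in scan:
        if bssid in authorized:
            continue
        reasons = []
        if ssid in corp_ssids:
            # Someone else advertising our SSID: evil twin or misconfigured kit.
            reasons.append("unknown AP advertising corporate SSID")
        if security == "OPEN" and rssi > INSIDE_RSSI:
            reasons.append("open network with in-building signal strength")
        if adjacent_on_wire(bssid, wired):
            reasons.append("BSSID adjacent to a MAC seen on the wired network")
        if reasons:
            findings.append({"bssid": bssid, "ssid": ssid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in classify(SCAN):
        print(f["bssid"], f["ssid"], "->", "; ".join(f["reasons"]))
```

The distant neighbour's WPA2 network is left alone: it is neither ours, nor open, nor on our wire, and flagging every SSID in range is how a scan like this gets ignored. The open "linksys" box with strong signal and a wired twin is the one to go and find, which is the locating part of the vendor feature; the containment part (spoofing disconnects) is the vendor's job and not something to reproduce in a script.
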
    4. Re:Why make it complicated? by apparently · · Score: 2

      Linksys thing was causing a world of trouble - luckily it was set to the default username and password otherwise we might have had difficulty grabbing the MAC Address of it.

      You need the username and password of the gateway in order to run: "arp -a" from a computer that's connected to it?

  8. Old Hat... by Lumpy · · Score: 5, Insightful

    Did that years ago.

    HPLJ4 -- two power cables? What are they hiring, amateurs?

    Open printer, add PC-104 computer with Ethernet and Linux on it along with a small switch. Printer AND PC-104 connect to the switch inside AND scab onto the power supply.

    Printer + network scanner/document grabber completely hidden.

    Today it's even easier... Shiva plug with a HP sticker on it and it will go unnoticed for months.

    --
    Do not look at laser with remaining good eye.
    1. Re:Old Hat... by nschubach · · Score: 2

      Shiva plug with a HP sticker on it and it will go unnoticed for months.

      There's a ton of truth in that... I recently walked into an office and noticed an odd outlet sized box on the ceiling with no significant markings, some slots and two LEDs (one lit red.)

      Nobody that I asked knew what it was, including building maintenance... and nobody bothered to look where the cable was going. It was joked that it was a spying device (owned by the company) to monitor workers.

      (I think it was a sensor for the HVAC...)

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
    2. Re:Old Hat... by nuckfuts · · Score: 2

      Open printer, add PC-104 computer with ethernet and a linux on it along with a small switch. printer AND PC104 connect to the switch inside AND scab onto the power supply.

      Printer + network scanner/document grabber completely hidden.

      It's not even necessary to hide any physical equipment inside the printer. HP LaserJets can be hacked to steal documents, run port scans, host rogue FTP or HTTP servers, and more. FX from Phenoelit did some interesting work on this, but his website is now censored due to legal issues. Some of his stuff can now be found here.

  9. Re:Glued shut with 3 cables? by war4peace · · Score: 2

    Not a kludge; in fact, smart design. Those MFPs are modular. A module breaks down, unplug it, the rest works, albeit without that specific function (e.g. stapler).

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  10. Crunchy on the Outside, Chewy on the Inside by dougmc · · Score: 4, Interesting

    Most corporate firewalls (at least the part that most users are working behind) stop stuff from coming in, but permit most traffic going out. And even if they do block most traffic going out, they almost always permit 80/tcp out, and while they might have some sort of nanny filter there, something that just goes out to a random address at port 80 and then sends encrypted data will likely get through.

    Once this machine is on the network, it can connect to a server somewhere on the Internet, and then the bad guys can come back in through this connection and do whatever they want from the printer. The important intranet sites may indeed require Smart Cards (rare, but some may do this) but all the machines that people work on are often poorly maintained, and the intranet systems that require Smart Cards often have all sorts of vulnerabilities -- the machines they reside on aren't secured, the applications have the whole spectrum of website vulnerabilities, etc. Yes, the company could secure all this stuff, but it would take time and money, and they think "it's inside the firewall, it's safe" (and yes, they're wrong.)

    Perhaps some companies are different, but I'd say most are like this. Some companies separate everything internally with firewalls, but most don't, or if they do, there's lots of stuff behind each of these internal firewalls, and anything behind the same firewall as the trojan horse would be vulnerable (and really, stuff on the other side of the firewall might be too, depending on how draconian it is.)

    This may not work on the NSA (assuming they follow all their policies!) but I would guess that getting a printer set up like this installed on most companies' networks, coupled with skilled crackers working through it (not just script kiddies, though they might have some success too), would be able to get at all sorts of stuff they weren't supposed to get to. If it's a software company, they could get the source for their work, perhaps add their own code (back doors!), etc.
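
dougmc's point is that the planted box needs an outbound connection on 80/tcp to be useful, and that is also where it can be caught: a printer VLAN has a short, predictable list of places it should talk to. The script below is an added example, not code from the thread: it parses constructed firewall log lines (a simple key=value layout invented for the example, not any vendor's format) and flags outbound port-80 connections from the printer subnet that are long-lived, bulky, or repeat at regular intervals to the same destination. The subnet, the allowlisted update host and all addresses are constructed.

```python
"""Hunt for suspicious outbound port-80 traffic from a printer VLAN (added example).

Log lines are constructed in an invented key=value layout; replace parse_line()
with a parser for your firewall's real format. Addresses are documentation ranges.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

PRINTER_NET = ipaddress.ip_network("10.40.0.0/24")   # constructed printer VLAN
ALLOWED_DST = {"198.51.100.10"}                       # constructed: vendor update host

LOGS = """\
2010-08-12T09:00:00 src=10.40.0.23 dst=203.0.113.7 dport=80 proto=tcp bytes_out=1200 duration=7200 action=allow
2010-08-12T09:00:00 src=10.40.0.31 dst=203.0.113.9 dport=80 proto=tcp bytes_out=300 duration=1 action=allow
2010-08-12T09:02:00 src=10.40.0.31 dst=198.51.100.10 dport=80 proto=tcp bytes_out=2000 duration=5 action=allow
2010-08-12T09:03:10 src=10.20.0.5 dst=203.0.113.7 dport=80 proto=tcp bytes_out=900 duration=9000 action=allow
2010-08-12T09:05:00 src=10.40.0.31 dst=203.0.113.9 dport=80 proto=tcp bytes_out=300 duration=1 action=allow
2010-08-12T09:07:30 src=10.40.0.23 dst=203.0.113.50 dport=80 proto=tcp bytes_out=500 duration=3 action=allow
2010-08-12T09:10:00 src=10.40.0.31 dst=203.0.113.9 dport=80 proto=tcp bytes_out=300 duration=1 action=allow
2010-08-12T09:15:00 src=10.40.0.31 dst=203.0.113.9 dport=80 proto=tcp bytes_out=300 duration=1 action=allow
"""

LINE = re.compile(
    r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=\S+ bytes_out=(\d+) duration=(\d+) action=allow$"
)


def parse_line(line):
    m = LINE.match(line)
    if not m:
        return None
    ts, src, dst, dport, bytes_out, duration = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes_out": int(bytes_out), "duration": int(duration)}


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_periodic(timestamps, min_count=4, max_cv=0.1):
    """True when there are enough connections and their gaps are nearly constant."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def find_suspicious(records, long_lived=600, big=1_000_000):
    findings = []
    flows = defaultdict(list)
    for r in records:
        if ipaddress.ip_address(r["src"]) not in PRINTER_NET:
            continue                     # workstations are hunted separately
        if r["dport"] != 80 or r["dst"] in ALLOWED_DST:
            continue
        if r["duration"] >= long_lived or r["bytes_out"] >= big:
            # A printer holding an HTTP session open for hours is a reverse tunnel, not a print job.
            findings.append((r["src"], r["dst"], "long-lived or bulky outbound HTTP"))
        flows[(r["src"], r["dst"])].append(r["ts"])
    for (src, dst), stamps in flows.items():
        if is_periodic(stamps):
            findings.append((src, dst, f"periodic connections ({len(stamps)} at regular intervals)"))
    return findings


if __name__ == "__main__":
    for src, dst, why in find_suspicious(parse_logs(LOGS)):
        print(f"{src} -> {dst}: {why}")
```

The two hits on the sample are the hours-long session from one printer and the every-five-minutes check-in from another; the single short fetch and the allowlisted update host pass. The thresholds are starting points: the useful part is that a printer VLAN's legitimate egress is small enough that almost everything else deserves a look, which is the flip side of the "it's inside the firewall, it's safe" assumption.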