|FROM ||Ruben Safir
|SUBJECT ||Subject: [Hangout - NYLXS] printer attacks
|From hangout-bounces-at-nylxs.com Sun Aug 6 23:02:51 2017
Received: from www.mrbrklyn.com (www.mrbrklyn.com [126.96.36.199])
by mrbrklyn.com (Postfix) with ESMTP id 8A58B163F55;
Sun, 6 Aug 2017 23:02:44 -0400 (EDT)
Received: from [10.0.0.62] (flatbush.mrbrklyn.com [10.0.0.62])
by mrbrklyn.com (Postfix) with ESMTP id C6455160876;
Sun, 6 Aug 2017 23:02:39 -0400 (EDT)
From: Ruben Safir
Date: Sun, 6 Aug 2017 23:02:39 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Subject: [Hangout - NYLXS] printer attacks
List-Id: NYLXS Tech Talk and Politics
Content-Type: text/plain; charset="utf-8"
Its not good to have devices in your house that connect to the "cloud"
Your Printer Can Steal and Deface Your Documents
Because of weaknesses in decades-old protocols, printers can become a
spy and a vandal lurking in your home or office.
Max Eddy Icon
By Max Eddy
July 28, 2017 12:43PM EST
LAS VEGAS=E2=80=94Printers have been part of the modern home and office for
decades, despite numerous attempts to go "paperless." But at the Black
Hat conference here, Jens M=C3=BCller of Ruhr University Bochum reminded
attendees that just because something is ubiquitous doesn't mean it
should be trusted.
Black Hat Bug ArtM=C3=BCller first reminded the crowd how far printer
technology had come, displaying a photo of an old dot-matrix printer and
sleek, new laser printer. But despite the powerful capabilities of
today's printers, there "still tends to produce a paper jam," he said.
Add the ability to access the printer via USB, local network, or over
the internet, and you have the recipe for a devastating attack. In fact,
security researchers have warned for years that connected devices like
printers, routers, and even VoIP phones could be used as beachheads for
an attacker. The phone might not be very useful for an attacker, but
perhaps they could use it to pivot to your secure network.
M=C3=BCller found enough within the humble printer to keep him busy without
trying to escalate an attack. The problem, he said, are the printing
protocols that translate the files on your computer into something the
printer can put to paper. One such protocol=E2=80=94aptly named the Printer=
Language=E2=80=94was developed in the early 90s by HP, and it can make perm=
changes to the printer, not just the current print job. Another, called
PostScript, was developed by Adobe and was originally intended for
document exchange. It's been largely replaced by the PDF, but is still
heavily used in laser printers. These two languages make up the backbone
of M=C3=BCller's attacks.
The key point about these printer languages is that the printers
executed code written in these languages that is contained within print
jobs. "There's no separation between administrative functionality and
documents being printed," he explained. "You have data and code over the
same channel, and that's always a bad idea."
The 4 Horsemen of the Printocalypse
M=C3=BCller noted that the initial work on the weaknesses inside printer
protocols was done some 15 years ago, and is still an issue today. By
studying the standards that outline PostScript and PJL, M=C3=BCller found
four classes of attack: Denial of service; protection bypass; print job
manipulation; and information disclosure.
The denial of service attack was the simplest. PostScript, M=C3=BCller
reminded the crowd, is a programming language and an attacker can use
all the tools contained therein. By sending a print job that contained a
single line of PosctScript code, M=C3=BCller set the printer into an infini=
loop, preventing others from using it. A more advanced attack, he said,
could use the same command to continually write to the printer's memory
until it became exhausted.
In a protection bypass attack, M=C3=BCller considered a scenario whereby a
savvy administrator placed password protection on all vulnerable
services and devices, including network printers. On some HP printers,
M=C3=BCller found that a single line of PJL code sent in a normal print job
could reset the device to factory settings. This would remove the
password assigned by the administrator and leave the device vulnerable.
To manipulate print jobs, M=C3=BCller used the unusual facet of PostScript
where a change made with one print job could be made permanent and
affect all future print jobs. In this case, M=C3=BCller used the overlay
command to place a Black Hat logo over any document that emerged from
the printer. He encouraged the crowd to get creative. For example, "you
could introduce misspellings in the print job for certain users you
Black Hat 2017
For an information disclosure attack, M=C3=BCller found that it was possible
to induce a printer to store print jobs in its local memory for
retrieval by the attacker at a later date. He admitted that, in
practice, this was very difficult because it required the attacker to
find memory available in the printer in the first place. That said, it
took only a single command to induce the printer to save its print jobs,
and just one more to retrieve it.
M=C3=BCller took this attack one step further by imagining a scenario in
which the target printer is behind a firewall that prevents an attacker
from receiving information back from a network printer. By using port
9100 on the printer, and some clever work to trick the network into
thinking a privileged HTTP server was running inside the firewall,
M=C3=BCller found that it was indeed possible to retrieve print jobs.
Notably, printers aren't the only platforms that execute PostScript
code. Google Cloud Print, a service that lets you send print jobs from
your phone to network printers, executes PostScript code as it converts
files to PDFs for printing. Dropbox does the same thing with certain
files. In these cases, M=C3=BCller embedded a command to receive information
about the file structure within these services and found that they were
indeed executed. However, both Dropbox and Google Cloud Print use
isolation techniques that prevent anything useful from being obtained by
Black Hat 2017
The same problem, however, could exist wherever PostScript files are
processed. A site administrator might not think this affects them, but
if your site lets users upload a user picture, or creates thumbnails
from uploaded images, the potential for attack is there, M=C3=BCller pointe=
The Scope of the Problem
A cursory search of Shodan, a favorite search engine of hackers that
finds devices connected to the internet, returned some 34,800
printers=E2=80=94but that's much lower than the actual number, according to
M=C3=BCller. The point is, though, there are a lot of printers connected to
And that doesn't include vulnerable printers that aren't connected to
the internet. "Is your department's copy room always locked?" he asked
the crowd. "Are your conference printers really never, never
unattended?" he asked, more emphatically, as a picture of Black Hat
registration area flashed on the screen, its dozen laser printers very
As to how widespread the vulnerabilities are, M=C3=BCller and his team pick=
over 20 different printers from eight different manufacturers. Results
were mixed, with some attacks working on whole lines of printers and
others failing in odd places. The problem, he stressed, is that the
vulnerabilities are in the languages and those are widespread.
Researchers Reveal Secrets of SHA-1 Hash Collision
Researchers Reveal Secrets of SHA-1 Hash Collision
"In the long-term actually we need to get rid of insecure printer
languages," said M=C3=BCller, but that's a long-term solution, he conceded.
In the short term, he advised sandboxing network printers into a
separate VLAN that is only reachable through a hardened (and he
emphasized "hardened") print server. Printer vendors need to "consider
undoing some insecure decisions," and browser vendors could block port 9100.
And, of course, "always keep the copy room locked."
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
Being so tracked is for FARM ANIMALS and and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
Hangout mailing list