LAS VEGAS—Printers have been part of the modern home and office for decades, despite numerous attempts to go "paperless." But at the Black Hat conference here, Jens Müller of Ruhr University Bochum reminded attendees that just because something is ubiquitous doesn't mean it should be trusted.
Müller first reminded the crowd how far printer technology had come, displaying a photo of an old dot-matrix printer and sleek, new laser printer. But despite the powerful capabilities of today's printers, there "still tends to produce a paper jam," he said.
Add the ability to access the printer via USB, local network, or over the internet, and you have the recipe for a devastating attack. In fact, security researchers have warned for years that connected devices like printers, routers, and even VoIP phones could be used as beachheads for an attacker. The phone might not be very useful for an attacker, but perhaps they could use it to pivot to your secure network.
Müller found enough within the humble printer to keep him busy without trying to escalate an attack. The problem, he said, are the printing protocols that translate the files on your computer into something the printer can put to paper. One such protocol—aptly named the Printer Job Language—was developed in the early 90s by HP, and it can make permanent changes to the printer, not just the current print job. Another, called PostScript, was developed by Adobe and was originally intended for document exchange. It's been largely replaced by the PDF, but is still heavily used in laser printers. These two languages make up the backbone of Müller's attacks.
The key point about these printer languages is that the printers executed code written in these languages that is contained within print jobs. "There's no separation between administrative functionality and documents being printed," he explained. "You have data and code over the same channel, and that's always a bad idea."
The 4 Horsemen of the Printocalypse
Müller noted that the initial work on the weaknesses inside printer protocols was done some 15 years ago, and is still an issue today. By studying the standards that outline PostScript and PJL, Müller found four classes of attack: Denial of service; protection bypass; print job manipulation; and information disclosure.
The denial of service attack was the simplest. PostScript, Müller reminded the crowd, is a programming language and an attacker can use all the tools contained therein. By sending a print job that contained a single line of PosctScript code, Müller set the printer into an infinite loop, preventing others from using it. A more advanced attack, he said, could use the same command to continually write to the printer's memory until it became exhausted.
In a protection bypass attack, Müller considered a scenario whereby a savvy administrator placed password protection on all vulnerable services and devices, including network printers. On some HP printers, Müller found that a single line of PJL code sent in a normal print job could reset the device to factory settings. This would remove the password assigned by the administrator and leave the device vulnerable.
To manipulate print jobs, Müller used the unusual facet of PostScript where a change made with one print job could be made permanent and affect all future print jobs. In this case, Müller used the overlay command to place a Black Hat logo over any document that emerged from the printer. He encouraged the crowd to get creative. For example, "you could introduce misspellings in the print job for certain users you don't like!"
For an information disclosure attack, Müller found that it was possible to induce a printer to store print jobs in its local memory for retrieval by the attacker at a later date. He admitted that, in practice, this was very difficult because it required the attacker to find memory available in the printer in the first place. That said, it took only a single command to induce the printer to save its print jobs, and just one more to retrieve it.
Real Life. Real News. Real Voices
Help us tell more of the stories that matterBecome a founding member
Müller took this attack one step further by imagining a scenario in which the target printer is behind a firewall that prevents an attacker from receiving information back from a network printer. By using port 9100 on the printer, and some clever work to trick the network into thinking a privileged HTTP server was running inside the firewall, Müller found that it was indeed possible to retrieve print jobs.
Notably, printers aren't the only platforms that execute PostScript code. Google Cloud Print, a service that lets you send print jobs from your phone to network printers, executes PostScript code as it converts files to PDFs for printing. Dropbox does the same thing with certain files. In these cases, Müller embedded a command to receive information about the file structure within these services and found that they were indeed executed. However, both Dropbox and Google Cloud Print use isolation techniques that prevent anything useful from being obtained by this attack.
The same problem, however, could exist wherever PostScript files are processed. A site administrator might not think this affects them, but if your site lets users upload a user picture, or creates thumbnails from uploaded images, the potential for attack is there, Müller pointed out.
The Scope of the Problem
A cursory search of Shodan, a favorite search engine of hackers that finds devices connected to the internet, returned some 34,800 printers—but that's much lower than the actual number, according to Müller. The point is, though, there are a lot of printers connected to the web.
And that doesn't include vulnerable printers that aren't connected to the internet. "Is your department's copy room always locked?" he asked the crowd. "Are your conference printers really never, never unattended?" he asked, more emphatically, as a picture of Black Hat registration area flashed on the screen, its dozen laser printers very noticeably unattended.
As to how widespread the vulnerabilities are, Müller and his team picked over 20 different printers from eight different manufacturers. Results were mixed, with some attacks working on whole lines of printers and others failing in odd places. The problem, he stressed, is that the vulnerabilities are in the languages and those are widespread.
- Researchers Reveal Secrets of SHA-1 Hash Collision Researchers Reveal Secrets of SHA-1 Hash Collision
"In the long-term actually we need to get rid of insecure printer languages," said Müller, but that's a long-term solution, he conceded.
In the short term, he advised sandboxing network printers into a separate VLAN that is only reachable through a hardened (and he emphasized "hardened") print server. Printer vendors need to "consider undoing some insecure decisions," and browser vendors could block port 9100.
And, of course, "always keep the copy room locked."
Subscribe to the newsletter news
We hate SPAM and promise to keep your email address safe