Technical: Printer Hacking and Other Exotic Threats

When you think of hacking, you probably think of attacks on websites and other Internet-facing servers. But there are plenty of other devices connected in some way to your network, and anything connected to the network is potentially open to attack. There is evidence that the hacker community is now starting to turn its attention to less “conventional” targets, and as organisations tighten up their core infrastructure this is a trend that’s likely to increase. In this article we look at some of these more exotic kinds of attack – conscious of the fact that today’s exotic often becomes tomorrow’s mainstream…


Blackberrys
While Blackberrys have become very popular devices for accessing email away from the office, they often receive very little attention when it comes to IT security. Blackberrys are in effect small computers with Internet connectivity and are usually configured to connect to the corporate network via a Blackberry Enterprise Server, which acts as an email relay. As such they should be considered an extension of the corporate network and treated accordingly from a security perspective.

A visit to the Blackberry website suggests that security is pretty tightly integrated, with a section of the site detailing features such as end-to-end data encryption, secure authentication and RSA SecurID two-factor compatibility.

However, it is dangerous to assume any technology is inherently safe. Generally the threats to a Blackberry are very similar to those facing a regular mobile computer such as a laptop.

Probably the most obvious and significant threat from Blackberrys is theft of the device. This could allow unscrupulous individuals to read private emails and potentially lead to loss of confidential information and nuisance attacks by impersonating the Blackberry user and sending prank emails to addresses in the address list.

Just like laptops, Blackberrys are also at risk of infection by malware, particularly when email attachments are viewed. If a Blackberry is infected with a virus, it may be passed onwards to the corporate network.

Blackberry themselves currently do not offer an antivirus solution, but there are third party antivirus products for the Blackberry (see for example SMobile Systems). At this time the issue is somewhat academic, as very few viruses have been found for Blackberrys and none have taken off in the wild. However it has been predicted for some time that viruses for mobile devices including Blackberrys will mushroom at some point. The fact that these predictions come from antivirus vendors doesn’t make them untrue!

The Blackberry Enterprise system makes it relatively easy to guard against some attacks by allowing an administrator to push out policy to devices. For example it is important that passwords are required on devices, and that password complexity and timeouts are enabled. However, our experience suggests that organisations vary considerably in terms of the extent to which their security regimes apply to Blackberrys. Some treat Blackberrys as part of the infrastructure, and apply security policies equally to Blackberrys just as they do to laptops. Others have not yet really taken on board the fact that a Blackberry is a part of the network, and these devices remain untouched by the organisation’s security regime. 

Those who have not yet regarded Blackberrys as falling within the scope of their security regime may wish to start reconsidering their position. A proof of concept Trojan was presented at the DEF CON Black Hat hacking conference in August (1). This Trojan could be installed on a Blackberry or sent via an email attachment and allowed an attacker to open a covert channel to gain access to the corporate server – a technique tagged ‘Blackjacking’. Although the code has been released to the hacker community it has not yet taken off. That is not to say it won’t, and it is likely that over the next couple of years there will be a lot more of these kinds of threats appearing for Blackberrys and other mobile devices.


Bluetooth
Bluetooth is another technology to have become all-pervasive over the past few years. Bluetooth allows short-range communication between devices, typically between mobile phones and hands-free headsets or between computers and wireless mice or keyboards. Technically, Bluetooth is a radio standard and communication protocol.

While the Bluetooth protocol is based on sound authentication and encryption technologies, in practice there is a history of security related issues. On the mild end of the scale, “Bluejacking” is the sending of unsolicited messages over Bluetooth to Bluetooth enabled devices using applications that are available for computers and mobile phones. While this is harmless, it could cause confusion and potentially a user could be tricked by a fake message into doing something that could give away personal details such as passwords. A more common use is for social networking such as Bluedating where people use mobile phones to broadcast dating invitations to Bluetooth enabled mobiles within the area. Believe it or not.

At the more sinister end of the scale is “Bluesnarfing”, the theft of data from a device using Bluetooth connections. Usually it involves the theft of calendar and phonebook information from a discoverable Bluetooth phone. To minimise the risk users can set their phones to 'undiscoverable' which means that they can connect to other Bluetooth devices but other Bluetooth devices will not discover their device when searching.

Even worse are attacks that can crack or bypass security, intruding upon existing pairings and possibly leading to attacks such as eavesdropping and recording conversations taking place over Bluetooth headsets, keystroke logging of wireless keyboards, or remote control of PCs running Bluetooth by ‘impersonating’ a valid Bluetooth keyboard. Attacks generally occur by disrupting the connection between two devices and forcing a reconnection, and then snooping on the pairing process and capturing the PIN. Although an attacker would need to be within range, here is one more crazy term for your vocabulary – ‘bluesniping’. There are plenty of instructions on the Internet for constructing antennae-boosted Bluetooth detectors (preferably, it seems, strapped onto a rifle butt for effect!). These have been reported to detect signals from over a kilometre away.

The lessons here are not to have Bluetooth turned on unless it is in use, to configure devices not to be ‘discoverable’, to use long PINs, to keep software on mobile devices up to date and to be suspicious if you have to re-pair devices more than once.
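The last of those lessons can be turned into a simple check over pairing records. The following is an added example, not part of the original article: the log format, device names and one-hour window are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical format:
# ISO timestamp, event name, host device, peer device.
SAMPLE_LOG = """\
2006-09-04T09:00:12 PAIRED laptop-17 headset-A
2006-09-04T09:05:40 PAIRED laptop-22 keyboard-C
2006-09-04T11:15:03 PAIRED laptop-17 headset-A
2006-09-04T11:21:47 PAIRED laptop-17 headset-A
2006-09-04T11:30:09 PAIRED laptop-17 headset-A
2006-09-11T08:58:00 PAIRED laptop-22 keyboard-C
"""

def parse_events(text):
    """Yield (timestamp, host, peer) for each PAIRED line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "PAIRED":
            yield datetime.fromisoformat(parts[0]), parts[2], parts[3]

def suspicious_repairs(text, window=timedelta(hours=1), max_repairs=1):
    """Return {(host, peer): count} for links re-paired more than
    max_repairs times inside any single window (window is an assumption)."""
    by_link = defaultdict(list)
    for ts, host, peer in parse_events(text):
        by_link[(host, peer)].append(ts)

    flagged = {}
    for link, times in by_link.items():
        times.sort()
        repairs = times[1:]      # the first pairing of a link is expected
        start = worst = 0
        for end, ts in enumerate(repairs):
            # Slide the window start forward until it spans at most `window`.
            while ts - repairs[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > max_repairs:
            flagged[link] = worst
    return flagged
```

On the sample data the headset link is flagged for three re-pairings within an hour, while the keyboard that was re-paired once a week later is not.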


Printers
If ever there was an item on your network that was under the radar for security awareness it would be printers. Printers sit on every corporate network and receive very little scrutiny, but many are effectively computers handling sensitive information on a daily basis.

At the Black Hat Inc conference in July there was a presentation on major weaknesses in certain Xerox multifunction printers (2). These devices are effectively programmable Linux servers, a design that allows great flexibility to the manufacturer, but this complexity in turn increases potential risk.

These Xerox printers were shown to be susceptible to a vulnerability in the boot sequence which allowed a local attacker to create their own username and password and subsequently gain full access to the Linux operating system. Once access has been gained, an attacker could steal copies of print jobs (obviously with the potential for theft of confidential information), steal usernames and passwords, or load software that could act as a Trojan horse, spying on network traffic or scanning other computers.

Xerox released a patch that they claim fixes this vulnerability earlier, in February this year. However, the hacker who found and presented the problem says that the fix is only for remote attacks via the Internet or a network – and that the risk of a local attack remains. Nonetheless, this leads us to an important point – printers not only are susceptible to vulnerabilities, but they may also need to be patched. An unpatched printer may be vulnerable not only to local attack, but also to remote attack by someone sitting at a computer on the other side of the world. Are your company’s printers included in your patch management processes? If not, you’re not alone - but then again, you’re not necessarily in good company.

Another source of risk is the administrative software that connects to the printer. HP released a security bulletin in April (3) that warned of a vulnerability in their ‘Toolbox’ administrative application that could allow a remote attacker – across a network or the Internet – to access files on the computer running the software. Again, the fix is to keep the software patched and up-to-date.

And then there is the potential for rogue users to wreak havoc on your network. Printers generally have a web interface for administration. While modern printers will generally allow password administration there is no guarantee that this has been configured – and older printers may not have this functionality at all. Users who can connect to this interface may be able to view the names of current and completed print jobs. Imagine the temp staff in the mail room reading the names of documents that the CEO has been sending off to the printer – “BHP Merger.doc” perhaps. Or “Downsizing timetable.doc”.

Then there is the potential for nuisance, perhaps by changing the LCD display, cancelling jobs, spamming the printer or conducting a denial of service. A determined and technically minded pest on your network shouldn’t find these things hard. Websites such as this one have plenty of information about this kind of thing. Additionally, a remote pest could cause massive paper wastage by sending bogus 5,000 page print jobs to your printers: okay, this is not a security threat as such, but it would certainly be a major nuisance.

Perhaps the scariest prospect is of an attacker gaining access to the files that have been sent to the printer. One way to do this is to capture (‘sniff’) the traffic passing across the network from the person printing to the printer. Once this data has been captured, it could be printed later for the attacker’s own personal benefit. It may also be possible to alter the data in the file before sending it to the printer – perhaps changing a few words here or there.

So what can be done to secure printers? The first thing is to ensure that printer ports are blocked at the firewall so that external attackers cannot connect to your printer over the Internet. A quick search on Google shows that a number of major organisations have accidentally (one would assume) made their printer administration consoles available to the Internet. Blocking printer ports at the firewall will ensure that you don’t make it onto lists of infamy such as this one.

The next thing to do is to lock down administration by requiring password authentication to the printer. This should be possible with modern printers. Where printers are managed through remote administration, the same precautions that would be taken with regard to remote administration of servers (identified IP addresses etc.) should equally be applied. Finally, if possible, it is best to require that printer communication uses encryption. This will reduce the risk of attackers on your network capturing the print job traffic.
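One way to verify the first of these steps is to audit the firewall rule set itself rather than trust that printer ports are blocked. The following is an added example, not part of the original article: the rule format (top-down, first match wins, default deny) is hypothetical, the port list is the commonly used set for printing and printer web administration rather than something the article names, and the inventory and rules are constructed.

```python
import ipaddress

# Well-known TCP ports for printing and printer web administration (not from the article).
PRINTER_PORTS = (80, 443, 515, 631, 9100)  # HTTP, HTTPS, LPD, IPP, raw print

# Constructed sample data using documentation address ranges.
PRINTERS = {"hr-mfp": "192.0.2.20", "mailroom": "192.0.2.21"}
RULES = [
    {"action": "allow", "src": "192.0.2.0/24", "dst": "192.0.2.0/24", "ports": "any"},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "192.0.2.20/32", "ports": {80, 9100}},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "192.0.2.0/24", "ports": "any"},
]

def subtract(nets, cut):
    """Remove network `cut` from a list of non-overlapping networks."""
    out = []
    for net in nets:
        if net.subnet_of(cut):
            continue                              # wholly removed
        if cut.subnet_of(net):
            out.extend(net.address_exclude(cut))  # split around the cut
        else:
            out.append(net)                       # disjoint, untouched
    return out

def exposed_printer_ports(rules, printers, internal):
    """Return sorted (printer, port) pairs that some external source can reach."""
    internal = ipaddress.ip_network(internal)
    findings = []
    for name, addr in printers.items():
        dst = ipaddress.ip_address(addr)
        for port in PRINTER_PORTS:
            # External source ranges not yet decided by an earlier rule.
            undecided = subtract([ipaddress.ip_network("0.0.0.0/0")], internal)
            for rule in rules:
                src = ipaddress.ip_network(rule["src"])
                applies = dst in ipaddress.ip_network(rule["dst"]) and (
                    rule["ports"] == "any" or port in rule["ports"])
                if not applies or not any(n.overlaps(src) for n in undecided):
                    continue
                if rule["action"] == "allow":
                    findings.append((name, port))
                    break
                undecided = subtract(undecided, src)  # these sources are denied
                if not undecided:
                    break
    return sorted(findings)
```

With the sample rules, `exposed_printer_ports(RULES, PRINTERS, "192.0.2.0/24")` reports the web administration and raw print ports of `hr-mfp`, because the second rule admits Internet sources before the final deny is reached.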

Conclusion
So what are the lessons to be learnt from this overview of threats from the kinds of devices that may get overlooked when organisations are looking at their security?

Firstly, anything that connects to your network is within scope of IT security. This means that they should be covered by your security policies and they need to be considered in your implementation of security practices.

The second lesson is that although the technologies talked about here are not usually thought about in terms of regular network infrastructure, the principles are pretty much the same. The security defences recommended for these threats tend to be the same as for regular computers: for example, patch management, strong access control and least privilege.

References
(1)    www.theregister.co.uk/2006/08/10/blackjack_hack_attack/
(2)    news.com.com/Printers+a+weak+link+in+network+security/2100-1002_3-6102367.html
(3)    www.theregister.co.uk/2006/04/06/hp_printer_security_vuln/