
Attack of the Trojan Printers

Posted by samzenpus
from the it's-crowded-in-there dept.
snydeq writes "Security professionals are tapping Trojan horse access points cloaked in printers and other office equipment to infiltrate clients who want their defenses tested, InfoWorld reports. Attackers dressed in IT supplier uniforms drop off printers to a company for a test-drive. Once the device is connected to the network, the penetration testers have a platform behind any perimeter defenses from which to attack. 'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?' one security researcher says of the method. A variant of the attack, presented by Errata Security at the Defcon hacking convention, uses an attack-tool-laden iPhone mailed to a target company to get inside the firm's network defenses."

  • by war4peace (1628283) on Wednesday December 01, 2010 @02:32PM (#34408352)
    It is a lot simpler than that. Last month I turned on my laptop's WiFi while replicating some troubleshooting steps and it popped up saying it found 3 WiFi networks, not the usual 2 company-provided, password-protected ones. Turned out someone brought a router inside, plugged it in and used it for God-knows-what, then left it there, turned ON. Free WiFi for everyone!
    This was a HUGE security breach, process breach, you-name-it breach. The guy was canned afterwards, but that's not the issue. What's funny is that pretty much all companies' buildings in that area have at least one unprotected WiFi network, freely accessible from any device. No username or password required.
    You want to browse through most of the Top50 companies' "secured" networks? You got it. Sometimes I wonder where all the damn hackers are...
  • by hawguy (1600213) on Wednesday December 01, 2010 @02:47PM (#34408618)

    How to protect against this? Cisco's core routers have plenty of tools to deal with rogue devices (MAC address locking per port, healthchecking, etc.) Wireless networks take some more doing, but can be just as well locked down.

    Agreed -- we use 802.1x authentication on all of our switch ports; only domain computers are allowed on the network. We do MAC address bypass on specific ports for known network printers, etc., but they go on a limited access VLAN. No one outside of IT can receive a printer in the mail and just plug it in and have it on our network.

    I thought all midsized and larger businesses used some sort of port control to control network access?

    Small businesses are usually so lax in computer security that there are so many holes in their networks that it is unnecessary to send them a Trojan Printer to hack in. I've done work for a number of small businesses that use 40 bit WEP to "protect" their WiFi network -- and no amount of persuading from me will make them change it.
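
The port posture hawguy describes (802.1x on every access port, MAC address bypass only for known printers, and those printers on a limited-access VLAN) can be checked mechanically against a running-config. The block below is an added example, not code from the original post or from any vendor; it parses a constructed excerpt written in classic Cisco IOS 802.1X/MAB syntax and flags the two failure modes that would let a mailed-in printer onto the user network: an access port with no authentication at all, and a MAB-only port whose access VLAN is not in the restricted printer set. The interface names, descriptions, VLAN numbers and the restricted-VLAN set are assumptions made for the example.

```python
"""Audit IOS-style access ports for 802.1X / MAB posture (added example)."""
import re
from collections import OrderedDict

# Hypothetical running-config excerpt, constructed for this example.
# The 802.1X/MAB commands follow classic Cisco IOS syntax.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description user desk
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order dot1x mab
 dot1x pae authenticator
 mab
!
interface GigabitEthernet1/0/2
 description known network printer
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication order mab
 mab
!
interface GigabitEthernet1/0/3
 description spare port in the mail room
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/4
 description printer dropped onto the user VLAN
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication order mab
 mab
!
"""

# Assumed: VLAN 20 is the limited-access VLAN for MAB-only devices.
PRINTER_VLANS = {20}


def parse_interfaces(config_text):
    """Split a running-config into {interface name: [stripped config lines]}."""
    interfaces = OrderedDict()
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!"):
            current = None           # '!' terminates the stanza
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
    return interfaces


def audit(config_text, printer_vlans):
    """Return [(interface, issue)] for access ports that violate the policy.

    "open"             -> no port-control enforcement or no authenticator at all
    "mab-unrestricted" -> MAB-only port whose VLAN is not a restricted printer VLAN
    """
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        if "switchport mode access" not in lines:
            continue                 # trunks/uplinks need a separate review
        vlan = None
        for entry in lines:
            m = re.match(r"switchport access vlan (\d+)$", entry)
            if m:
                vlan = int(m.group(1))
        enforced = "authentication port-control auto" in lines
        dot1x = "dot1x pae authenticator" in lines
        mab = "mab" in lines
        if not enforced or not (dot1x or mab):
            findings.append((name, "open"))
        elif not dot1x and mab and vlan not in printer_vlans:
            findings.append((name, "mab-unrestricted"))
    return findings


if __name__ == "__main__":
    for iface, issue in audit(SAMPLE_CONFIG, PRINTER_VLANS):
        print(f"{iface}: {issue}")
```

The check deliberately treats a MAB port on the user VLAN as a finding even though authentication is "on": a MAC address is trivially cloned, so MAB buys nothing unless the port lands the device somewhere with limited reach.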

  • by dougmc (70836) <dougmc+slashdot@frenzied.us> on Wednesday December 01, 2010 @04:21PM (#34410214) Homepage

    Most corporate firewalls (at least the part that most users are working behind) stop stuff from coming in, but permit most traffic going out. And even if they do block most traffic going out, they almost always permit 80/tcp out, and while they might have some sort of nanny filter there, something that just goes out to a random address at port 80 and then sends encrypted data will likely get through.

    Once this machine is on the network, it can connect to a server somewhere on the Internet, and then the bad guys can come back in through this connection and do whatever they want from the printer. The important intranet sites may indeed require Smart Cards (rare, but some may do this) but all the machines that people work on are often poorly maintained, and the intranet systems that require Smart Cards often have all sorts of vulnerabilities -- the machines they reside on aren't secured, the applications have the whole spectrum of website vulnerabilities, etc. Yes, the company could secure all this stuff, but it would take time and money, and they think "it's inside the firewall, it's safe" (and yes, they're wrong.)

    Perhaps some companies are different, but I'd say most are like this. Some companies separate everything internally with firewalls, but most don't, or if they do, there's lots of stuff behind each of these internal firewalls, and anything behind the same firewall as the trojan horse would be vulnerable (and really, stuff on the other side of the firewall might be too, depending on how draconian it is.)

    This may not work on the NSA (assuming they follow all their policies!) but I would guess that getting a printer set up like this installed on most companies' networks, coupled with skilled crackers working through it (not just script kiddies, though they might have some success too), would be able to get at all sorts of stuff they weren't supposed to get to. If it's a software company, they could get the source for their work, perhaps add their own code (back doors!), etc.
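
dougmc's point is that the implant needs nothing more than an outbound connection on 80/tcp that it either holds open or re-establishes on a schedule, and that a plain port filter will not see the difference. The block below is an added detection example, not code from the original post: it runs three checks over constructed connection records laid out like a simplified Zeek conn.log (non-HTTP traffic to port 80, a connection held open for a long time, and fixed-interval beaconing from one host to one destination). The addresses, the printer subnet, the timestamps and the thresholds are assumptions made for the example.

```python
"""Flag reverse-connection behaviour in connection logs (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records in a simplified Zeek conn.log layout:
# ts orig_h orig_p resp_h resp_p service duration orig_bytes
# "-" in the service column means the protocol on the port was not identified.
# 10.20.0.0/24 is assumed to be the VLAN the printers sit on.
SAMPLE_CONN_LOG = """\
# constructed sample, not real traffic
1291220000.0 10.20.0.15 51234 93.184.216.34 80 http 0.4 512
1291220000.5 10.20.0.15 51235 93.184.216.34 80 http 0.3 480
1291220010.0 10.20.0.77 40001 198.51.100.9 80 - 0.9 1400
1291220070.2 10.20.0.77 40002 198.51.100.9 80 - 0.8 1380
1291220130.1 10.20.0.77 40003 198.51.100.9 80 - 1.1 1420
1291220190.0 10.20.0.77 40004 198.51.100.9 80 - 0.7 1390
1291220250.3 10.20.0.77 40005 198.51.100.9 80 - 0.9 1400
1291220300.0 10.20.0.15 51236 93.184.216.34 80 http 0.5 600
1291220400.0 10.20.0.42 33000 203.0.113.5 80 - 3600.0 90000
"""


def parse_conn_log(text):
    """Parse whitespace-separated records; '#' lines are Zeek-style headers."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, service, duration, orig_bytes = line.split()
        records.append({
            "ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
            "resp_p": int(resp_p), "service": service,
            "duration": float(duration), "orig_bytes": int(orig_bytes),
        })
    return records


def find_suspicious(records, min_beacon=4, max_cv=0.2, long_lived_s=600):
    """Return sorted (rule, orig_h, resp_h, resp_p) findings.

    non-http-on-80 : port 80 used for something the sensor could not parse as HTTP
    long-lived     : a single connection held open for >= long_lived_s seconds
    beacon         : >= min_beacon connections to one destination whose
                     inter-arrival times have a coefficient of variation <= max_cv
    """
    findings = set()
    flows = defaultdict(list)
    for r in records:
        key = (r["orig_h"], r["resp_h"], r["resp_p"])
        flows[key].append(r["ts"])
        if r["resp_p"] == 80 and r["service"] != "http":
            findings.add(("non-http-on-80",) + key)
        if r["duration"] >= long_lived_s:
            findings.add(("long-lived",) + key)
    for key, stamps in flows.items():
        if len(stamps) < min_beacon:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.add(("beacon",) + key)
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_suspicious(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

The "non-http-on-80" rule is the one that directly addresses the paragraph: a device that opens 80/tcp and immediately starts sending encrypted data gives a protocol-aware sensor nothing to label, and that absence is itself the signal. The beacon rule catches the re-connect variant, where each check-in is short and looks harmless on its own.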
