Forgot your password?
typodupeerror
Security Hardware IT

Attack of the Trojan Printers 144

Posted by samzenpus
from the it's-crowded-in-there dept.
snydeq writes "Security professionals are tapping Trojan horse access points cloaked in printers and other office equipment to infiltrate clients who want their defenses tested, InfoWorld reports. Attackers dressed in IT supplier uniforms drop off printers to a company for a test-drive. Once the device is connected to the network, the penetration testers have a platform behind any perimeter defenses from which to attack. 'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?' one security researcher says of the method. A variant of the attack, presented by Errata Security at the Defcon hacking convention, uses an attack-tool-laden iPhone mailed to a target company to get inside the firm's network defenses."
This discussion has been archived. No new comments can be posted.

Attack of the Trojan Printers

Comments Filter:
  • an attractive USB device could host something undesirable. Smart clients won't touch them.

    • Re: (Score:2, Troll)

      by Anon-Admin (443764)

      Wow where did you find "Smart Clients"?

      The average person will pick up a USB pen drive from the parking lot and plug it into there PC or Laptop. Heck, I bed 99% would run a program on it called "Owner_Information.exe" To see who to return it to.
      I bet good 50% would run a program called "Run_Me.exe" lol

      In all honesty most Technical people over think most hacks. It is like watching a person try to pick the lock on a door when the window next to the door is open.

      • The average person will pick up a USB pen drive from the parking lot and plug it into there PC or Laptop.

        I did that last month.

        I run Linux though, so I'm not really worried about the things most people worry about. All that was on it was an exceptionally boring PowerPoint file which I deleted before giving the stick to my wife (who uses a Macbook)

        • Re: (Score:3, Funny)

          by oldspewey (1303305)

          before giving the stick to my wife

          Pics or it didn't happen.

          • I didn't understand your response until I expanded it and read the quote. Well done.

            My wife has already forbidden sexy time pics though...sorry.

      • by Hylandr (813770)
        Can we say "Autorun"?

        - Dan.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Good luck trying to mail someone a printer right now :-)

    • by arivanov (12034) on Wednesday December 01, 2010 @04:18PM (#34409128) Homepage

      Printer is indeed a better choice.

      Some printers can have a full attack kit loaded and have WiFi. While most printers are yet to be hacked, the possibility is there. The bigger ones have a fully blown OS of some description doing the management functionality. Some of it is also hopelessly out of date securitywise. I have seen stuff like Win2000 being used on the print centers by one well known big company. Rooting that is trivial.

      The ones that cannot be routed can still have a MIM put in between their built-in network functionality and the customer network. If done properly it will _NOT_ have any "cables sticking out" either. A microcontroller with two Ethernets which bridges between the printer original Ether and a fake one sticking out can be put in something the size of an match box nowdays. With most IT depts putting indiscriminately power over ethernet nobody will notice if it is powered from the net. And so on. There are lots of variations on this theme and having "more than one cable sticking out" actually means a very lame job on the side of whoever did it.

      • Indeed. Printer? It's a box, with an Ethernet connection. You could sniff traffic, figure out a routable IP address for yourself, pick the lowest numerical IP addresses that get traffic, and send a few feelers that way. In D&D terms, it's a Mimic.

        Or to paraphrase a certain Pixar character, once you're plugged into the switch, all sorts of culinary experiences open up.

  • by Megahard (1053072) on Wednesday December 01, 2010 @03:24PM (#34408200)
    Beware of geeks bearing gifts.
    • by dgatwood (11270)

      Here's what I don't get. An extra power cable? If you're inside the printer anyway, why not just tap its power supply. It's not like the printer is right at the edge of what its power supply can put out, and if it is, you could always build a bigger power supply. Likewise, tap the printer's Ethernet connection---slice the traces to the printer guts itself, and embed a small passive Ethernet hub that provides a connection to both to the sliced traces on the board and to your sniffer. Done, and done. Un

      • by drinkypoo (153816)

        We're talking about networked printers, they are connected directly to mains, not to an external power supply. You just tap the mains power from inside the printer. If you can't do this and make it look factory you're probably not even interested in doing it.

        • by dgatwood (11270)

          Way too hard. Tap the +12V or +5V output of the power supply and DC-DC it to whatever voltages you need. Then you don't have to find room for another full size power supply inside the machine.

          • by drinkypoo (153816)

            You don't need a full-size power supply anyway, you use a tiny switching supply. They cost more but not dramatically so. This gets you out of situations where you might overload some part of the power supply and cause a failure, thus bringing attention to the device.

      • Better yet, there's a lot of printers nowadays that have wireless networking capability built-in.

        Some custom firmware and all of a sudden you've turned this printer into an access point as well. No glued shut trays, no mysterious power cables, etc.
  • by mlts (1038732) * on Wednesday December 01, 2010 @03:26PM (#34408234)

    Nothing really new here, other than perhaps people realizing that printers are a network entity (which they have been at least since the HP LaserJet cards). As for housing a blackhat-usable machine, that has been done for ages, as it isn't hard to just plug in a laptop or network powered biscuit PC and start firing up nmap.

    How to protect about this? Cisco's core routers have plenty of tools to deal with rogue devices (MAC address locking per port, healthchecking, etc.) Wireless networks take some more doing, but can be just as well locked down.

    • by hawguy (1600213) on Wednesday December 01, 2010 @03:47PM (#34408618)

      How to protect about this? Cisco's core routers have plenty of tools to deal with rogue devices (MAC address locking per port, healthchecking, etc.) Wireless networks take some more doing, but can be just as well locked down.

      Agreed -- we use 802.1x authentication on all of our switch pots, only domain computers are allowed on the network. We do MAC address bypass on specific ports for known network printers, etc, but they go on a limited access VLAN. No one outside of IT can receive a printer in the mail and just plug it in and have it on our network.

      I thought all midsized and larger businesses used some sort of port control to control network access?

      Small business are usually so lax in computer security that there are so many holes in their network making it unnecessary to send them a Trojan Printer to hack in. I've done work for a number of small businesses that use 40 bit WEP to "protect" their Wifi network -- and no amount of persuading from me will make them change it.

      • by bored (40072)

        Well a lot of people fail to remember that the majority of the Ethernet switches being sold today only send packets to the specific port the endpoint is on, unless its a broadcase/multicast packet. This means that plugging joe random promiscuous mode adapter into a switch won't give you visibility to the whole network.

        That said, unless the designer of the trojan is stupid there will only be a single mac address exported to the network by the printer. Sure, no one is going to just plug a random printer in, b

        • Well a lot of people fail to remember that the majority of the Ethernet switches being sold today only send packets to the specific port the endpoint is on, unless its a broadcase/multicast packet.

          That's the definition of a switch. So I would hope that the majority of them do that.

        • by afidel (530433)
          On the hidden wireless interface our Cisco WLAN controllers would detect it as a rogue AP.
          • by bored (40072)

            Really, even when its a proprietary, or edge/wimax/etc type adapter? If it does then it must be getting enough false positives to cause you heartache... If someone is putting a wireless interface in a device for back-channel communications I would assume there are much better choices than a normal 802 wireless interface.

        • by hawguy (1600213)

          Well a lot of people fail to remember that the majority of the Ethernet switches being sold today only send packets to the specific port the endpoint is on, unless its a broadcase/multicast packet. This means that plugging joe random promiscuous mode adapter into a switch won't give you visibility to the whole network.

          I'm not worried about someone snooping packets (well, I am, but that's not why I use 802.1x). I'm more worried about someone plugging into the corporate VLAN and having unfettered access to try to hack into all of my endpoints. While we do have antivirus and a pretty decent patching policy, I'm not really ready to declare that all of my hosts are immune to attack. Network access control is just one layer in my security and keeping non 802.1x authenticated devices off of my main corporate network is trivial

          • by bored (40072)

            Network access control is just one layer in my security and keeping non 802.1x authenticated devices off of my main corporate network is trivial to implement and prevents someone from spoofing my printer's MAC address to give him full network access.

            Locking the mac to a given switch port achieves the same functionality.

            I mean really, what possible harm could someone do if all they can do is send/receive traffic to any port on any of my internal hosts?

            My point is that unless your very careful the vlan probab

            • by hawguy (1600213)

              Locking the mac to a given switch port achieves the same functionality.

              how does locking a MAC to a particular port prevent someone from spoofing that printer's MAC on his laptop and plugging into the same switch port to gain the same network access that the printer had?

              My point is that unless your very careful the vlan probably isn't going to give you 100% protection in this regard. Vlan tagging tends to be more a "gentleman's agreement" type protocol. A device which talks MSTP could very well just change its vlan tagging.

              I'm not aware of any mechanism to allow an endpoint to access another VLAN on an switch port set as an "access" port rather than a "trunk" port. I'm not using tagged VLANs for endpoints.

              • by bored (40072)

                how does locking a MAC to a particular port prevent someone from spoofing that printer's MAC on his laptop and plugging into the same switch port to gain the same network access that the printer had?

                It doesn't, but they way I understood it, you had the printers on the vlan because they didn't support 802.1x anyway.

                I'm not aware of any mechanism to allow an endpoint to access another VLAN on an switch port set as an "access" port rather than a "trunk" port. I'm not using tagged VLANs for endpoints.

                Your switc

                • by hawguy (1600213)

                  It doesn't, but they way I understood it, you had the printers on the vlan because they didn't support 802.1x anyway.

                  I have the printers on their own VLAN because they don't support 802.1x, and I don't allow any non-802.1x devices on the corporate VLAN. Well, another reason is because IT doesn't maintain the printers, an outside company does. I have yet another VLAN for other miscellaneous non-802.1x devices (like building control systems).

                  Your switches are probably better than most (by definition, if you can run 802.1x), in many cases a device can negotiate "trunk" (aka another switch) status on any random port. Even on devices which can disable it for all but a specified set of ports, that oftentimes is an option that must be enabled.

                  They are just run of the mill Cisco switches -- call me a Cisco fan-boy, but I wouldn't implement a secure corporate network on anything else.

                  Plus vmware and other virtual adapter type applications cause real heartache in environments like yours (cause even a non switched endpoint can have multiple mac's and don't necessary support 802.1x).

                  Yes, VMWare can be a headache, but so far

      • by geekoid (135745)

        Wow, I used to have a career breaking past security measures like your. I hope that wasn't a complete list.

        There are two major attack points and flaws in your description.

        • by hawguy (1600213)

          Yes, I have described all facets of my security in 2 sentences and it consists entirely of port access control on my switches. Oh, I forgot to include the admin passwords for the switches, they are all set to "RngZr". Come hack me, please.

      • by yuhong (1378501)

        I've done work for a number of small businesses that use 40 bit WEP to "protect" their Wifi network -- and no amount of persuading from me will make them change it.

        Do they have old hardware only capable of WEP?

    • by swb (14022)

      I thought this was pretty old news, too. I've stashed laptops, access points and even SFF desktops in desks, cabinets and above ceiling tiles, enabling all manner of access long after I had physical access to the facility.

      It was generally legitimate (ie, I was network manager) subterfuge to do troubleshooting at remote facilities, but there was one place that was a "sister company" that I was required to support but wouldn't give me any remote access. Those people got the old laptop above the ceiling tile

      • by drinkypoo (153816)

        Indeed the JetDirect stuff delivers several signed Java Applets so there's plenty of room to hide a trojan in there. But in most printers of any size there's more than enough room for a micro-hub and some kind of teeny embedded system (like a dockstar stripped out of the case.)

    • by afidel (530433)
      If you fire up nmap on my network you're caught in minutes (we physically located the pen testers inside of 15 minutes last time they came onsite for an unannounced test). Also the idea behind this is that you give the device to someone in IT to demo, that means it will likely get its MAC added to the switch. In security paranoid places all outbound traffic has to go through a proxy and there's little chance a printer would be allowed through that =)
  • Obvious trojans? (Score:2, Insightful)

    Dumb people being tricked?! News at 11.

    Technically, if you've got extra wires hanging out of your Trojan Printer, you just might be the biggest idiot in fuckheadland. Integrate your spyshit to the motherboard and feed off the built-in network connection and power system! Sorry, I don't click on *world.com articles due to high ad noise and shitty page layout, but I get the drift, Ned. Not even close. NEXT?!

    • by geekoid (135745)

      Everyone can be tricked.

      If you don't want to read the article, fuine but don't post about them. It's just additional noise for nothing.

      You want to know who the biggest idiot in fuckheadland is?

      People who comment on articles based on just the /. description. I mean, seriously, those thing are usually wrong.

  • by MrEricSir (398214) on Wednesday December 01, 2010 @03:31PM (#34408340) Homepage

    This sounds like a modern version of when the CIA planted a camera inside the Xerox machine in the Soviet embassy.

  • by mr100percent (57156) on Wednesday December 01, 2010 @03:32PM (#34408348) Homepage Journal

    These are pretty cool tactics, but are they warranted? Is the world of corporate espionage so devious and sophisticated that these would be legitimate vectors of attack in the wild?

    • by Yvan256 (722131)

      Nah, they don't use legitimate vectors of attack in the wild yet. They still use bitmaps.

      • by robot256 (1635039)
        They still use spear-phishing, spam, and "lost" flash drives since they work just as well and are easier.
    • by iluvcapra (782887)
      These tactics are plausible, even childishly simple, and were effective. I don't know, from the perspective of a black hat, what "legitimate" means here.
      • I mean is there any evidence of this happening IRL? Would someone do something this convoluted or have there been breakins before like this? For example, I'm sure my organization is vulnerable to a scuba attack, but is it that high of a risk that I should take notice?

  • by war4peace (1628283) on Wednesday December 01, 2010 @03:32PM (#34408352)
    It is a lot simpler than that. Last month I turned on my laptop's WiFi while replicating some troubleshooting steps and it popped saying it found 3 Wifi networks, not the usual 2 company-provided, password-protected ones. Turned out someone brought a router inside, plugged it in and used it for God-knows-what, then left it there, turned ON. Free WiFi for everyone!
    This was a HUGE security breach, process breach, you-name-it breach. The guy was canned afterwards, but that's not the issue. What's funny is that pretty much all companies' buildings in that area have at least one unprotected WiFi network, freely accessible from any device. No username or password required.
    You want to browse through most of the Top50 companies' "secured" networks? You got it. Sometimes I wonder where are all the damn hackers...
    • by Yvan256 (722131)

      Sometimes I wonder where are all the damn hackers...

      Trying to hack Blizzard's servers to get some l33t gear they can't bother questing for?

    • Periodically scanning for rouge WIFI access points on your company's campus would prevent this sort of thing from happening. Now, imagine if instead of dumping a WIFI access point, they dumped a 3G aircard? 802.1x is the best defense against unauthorized network access.
      • by Minwee (522556)

        Periodically scanning for rouge WIFI access points on your company's campus would prevent this sort of thing from happening.

        But would that help you find magenta and teal access points as well?

      • by afidel (530433)
        Oh, you are evil. I had the ethernet and wifi attacks foiled but a passive tap on the ethernet and 3G upload would be all but impossible to detect.
    • by Sulphur (1548251)

      You got it. Sometimes I wonder where are all the damn hackers...

      Chasing your WiFi?

    • by FooAtWFU (699187) on Wednesday December 01, 2010 @04:58PM (#34409804) Homepage

      This is why serious wireless vendors like Cisco and Aruba and the like have "rogue access point detection" which can not only triangulate the location of an unknown device given its wireless signal strength in relation to legitimate APs, they can also determine if it's hooked up to your network (if there's appropriate hardware in the packet path) and spoof packets to cause a denial of service and disconnect any clients.

      Of course, these capabilities will cost you.

    • Funny Similar story - one day we found one of our buildings was getting bad IP addresses. 192.168's, so thats even more odd, that whole building is on 172.21.0.whatever. We couldn't figure it out at first, nothing wrong with our servers. Tracing it back from one of the computers with a Bad IP, we determined, there was a rogue router plugged into our network, DHCP was still enabled and this little Linksys thing was causing a world of trouble - luckily it was set to the default username and password otherwise

      • Linksys thing was causing a world of trouble - luckily it was set to the default username and password otherwise we might have had difficulty grabbing the MAC Address of it.

        You need the username and password of the gateway in order to run: "arp -a" from a computer that's connected to it?

  • 'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?'

    I, for one, would certainly notice THAT. But who in the corporate world would notice or even care?
    Also interesting is that the article links to an eWeek article that in turn links to a Slashdot article from 2007 about this same thing.
    • If you really think that's abnormal, you probably haven't worked that many MFPs. A fair number are modular and the modules have to be powered. Usually it's done with a power cable that plugs into the core MFP, but sometimes the separately powered modules have wholly separate cables that go into the wall. Two power cables is completely normal for several MFPs.
      • by Locke2005 (849178)
        Yes, that's a kludge, but I recall from working for Sharp that their printers really did have several separate computers inside, each for a different function. I thought it was a bad design, but I guess it made their design costs cheaper.
        • Not a kludge; in fact, smart design. Those MFPs are modular. A module breaks down, plug it off, the rest works, albeit without that specific function (e.g. stapler).
          • by Qzukk (229616)

            If I were really designing a modular MFP, all of the modules would be powered off an internal bus rather than each having their own power cord.

            If I were really designing a printer with a wireless router hacked into it, I'd spend the extra 30 minutes attaching the router power to the printer's internal power supply rather than having two power cords, since I'm likely elbow deep in the printer guts to reroute the ethernet cable in the first place.

    • 'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?'

      I, for one, would certainly notice THAT. But who in the corporate world would notice or even care?

      No you wouldn't. For an extra ~$20 or so, the attacker could put a power splitter and network switch inside the box, making it just one power cable and one network cable. Given how trivial that is, any real attacker (as in a person or group expecting a hefty profit on the operation) would go that extra step. Security groups are more budget-constrained (they also proved that you don't need that level of sophistication for most targets).

      It should also be rather simple to use an embedded computer that con

  • Old Hat... (Score:5, Insightful)

    by Lumpy (12016) on Wednesday December 01, 2010 @04:11PM (#34409030) Homepage

    Did that years ago.

    HPLJ4 -- two power cables? what are they hiring amateurs?

    Open printer, add PC-104 computer with ethernet and a linux on it along with a small switch. printer AND PC104 connect to the switch inside AND scab onto the power supply.

    Printer + network scanner/document grabber completely hidden.

    Today it's even easier... Shiva plug with a HP sticker on it and it will go unnoticed for months.

    • by iluvcapra (782887)
      If a supplier offered me a LaserJet 4 in this day and age I probably would just test the roof with it.
    • by batquux (323697)

      Or... just put custom firmware on the printer.

    • by nschubach (922175)

      Shiva plug with a HP sticker on it and it will go unnoticed for months.

      There's a ton of truth in that... I recently walked into an office and noticed an odd outlet sized box on the ceiling with no significant markings, some slots and two LEDs (one lit red.)

      Nobody that I asked knew what it was, including building maintenance... and nobody bothered to look where the cable was going. It was joked that it was a spying device (owned by the company) to monitor workers.

      (I think it was a sensor for the HVAC...)

      • by geekoid (135745)

        Cover it with a dark bag. You'll find out what it is eventually.

        • The three steps to resolving unknown hardware installations on your network:

          1. Disconnect the unknown hardware.
          2. See who turns up to find out why it's not working.
          3. Tell HR to prepare a P45 / pink slip (depending on country) and notify Security that there's a non employee in an employee-only area.
    • by nuckfuts (690967)

      Open printer, add PC-104 computer with ethernet and a linux on it along with a small switch. printer AND PC104 connect to the switch inside AND scab onto the power supply.

      Printer + network scanner/document grabber completely hidden.

      It's not even necessary to hide any physical equipment inside the printer. HP LaserJets can be hacked to steal documents, run port scans, host rogue FTP or HTTP servers, and more. FX from Phenoelit did some interesting work on this, but his website [phenoelit.de] is now censored due to legal issues. Some of his stuff can now be found here [phenoelit-us.org].

  • Man, back in the day you'd send in what looks like an ordinary audio cassette and, after recording a day's worth of audio to on-board memory, it would transform into a bird, shoot its way out, and return to the chest of Soundwave who'd play back what it heard for Megatron.

  • Wow, I wish I'd thought of that sooner. Stuffing an Arduino with a battery pack and a wifi shield up my ass and asking to use the company john was really wearing on me.

  • The trojan doesn't have to be so crudely delivered so late in the supply chain. The printer could have trojan SW installed in it, attacking a host PC (and then the rest of the network) over USB, or the network directly when connected over ethernet. The printer manufacturer, or many of its OEMs, could build them to attack anyone, or specific targets among the many installations they're sleeping in. Or a government could build them in, like if the US had succeeded in requiring a Clipper chip installed in all

  • You can get a mini pc with 2 network ports and put it on the printer that is in place and put a HP printer sicker on the box and make it look like its part on the printer.

  • by Tom (822)

    Seriously? I gave and listend to speeches about this kind of stuff six years ago. I know people who've done this stuff in their security consulting work for five years. Granted, those are cutting-edge people, but the general state of the security industry is not five years behind the state of the art, is it?

    • by geekoid (135745)

      haha, sorry if this is insulting, but you are so typical of the security 'experts' in the industry and the reason I threw up my hands and left it.

      A) People are people. You can spend a year giving speeches and lectures and expect the next wave on employees to magically have that information.

      B) Comparing the state of the art to security is ignorant.

      C) technology is just a TINY part of IT security.

      D) Security it a process that needs to be part of the culture. Sending some people to a lecture and giving them a

      • by Tom (822)

        A) People are people. You can spend a year giving speeches and lectures and expect the next wave on employees to magically have that information.

        Yes, which is why I don't buy the "security awareness" crap anymore. We've been doing security awareness for 20 years now, if it would solve anything, you'd expect to be seeing some results by now.

        I don't give lectures to common employees for that reason. I speak (used to speak, been doing different stuff for a few years now) at conferences for security people.

        B) Comparing the state of the art to security is ignorant.

        There is a state of the art in security as in any other field. There was a time when IDS/IPS systems were cutting edge, now they are standard. There

  • printers were a common weak point. Often configure wrong and trivial to get into.

  • Umm if you don't notice that you are a moron. If you accept random electronic 'gifts' that show up in the mail you are just as stupid.

  • Printers... is there nothing they can't do?

"An open mind has but one disadvantage: it collects dirt." -- a saying at RPI

Working...