Lock, Stock, and Two Smoking Printers: Hacking and Securing Multifunction Printers
“Right. Let’s sort the buyers from the spyers, the needy from the greedy, and those who trust me from the ones who don’t, because if you can’t see value here today, you’re not up here shopping. You’re up here shoplifting. Squeeze in if you can. Left leg, right leg, your body will follow. They call it walking. You want one as well, darling? You do? That’s it. They’re waking up. Treat the wife. Treat somebody else’s wife. It’s a lot more fun if you don’t get caught.
Hold on. You want one as well? Okay, darling, show me a bit of life then. It’s no good standing out there like one o’clock half-struck. Buy them, you better buy them. These are not stolen, they just haven’t been paid for, and we can’t get them again. They’ve changed the bloody locks. Here. One for you. It’s no good coming back later when I’ve sold out. Too late, too late will be the cry when the man with the bargains has passed you by. If you got no money on you now, you’ll be crying tears as big as October cabbages.”
What better preface to an article on how to rob a company blind through its multifunction printers (“MFPs”) rather than through its locked doors, eh? Not to mention a mighty October cabbage to reel all of you in, hook, line, and sinker, into reading it in the first place.
Right, so let’s sort the “buyers from the spyers, the needy from the greedy.”
Over the last few years, I’ve not seen any other attack surface rise the way multifunction printers have. Printer forensics, you say? That’s the next big thing, I assure you. Over the last decade, we’ve responded to a startling number of incidents involving multifunction printers and successfully looted companies in multiple industries of more data through them than through any other network device (remember, humans are Layer 8 :)). Okay, well, that’s not totally true, but it’s a lot! Though with wearables, I wouldn’t be surprised if you started seeing people walk around with CAT6 Ethernet jacks in the back of their head... nah, too Hollywood. Next Keanu Reeves movie maybe?
Printers? Yeah, I said it, it had to be said! Printers! </shameless Chris Rock imitation>. </nauseating introduction to keep you entertained>
Yes, those were HTML closing tags I used in my blog, I’m that nerdy. Because networked printers are often configured with access to the organization’s file server, email server, and Active Directory, the potential risk is enormous, and unfortunately printers are the last device that the IT Security team even thinks about. As a matter of fact, in almost every single engagement we’ve been on at Brier & Thorn, it was the Infrastructure & Operations (“IT”) team that handled printer deployments, and the printers didn’t even go through IT security for hardening. The printers are simply unboxed, connected to the corporate wireless network or Ethernet, and configured.
The fact of the matter is (CISOs reading this article, this is for you) — this is an ingress point into your networks that goes right around your other security controls, and one you’ve unfortunately not been thinking about. We’ll cover some of the vulnerabilities that have been exploited in previous compromises we’ve investigated, as well as ingress points we’ve used to pivot around in the network, gain domain administrative privileges, and even loot data right off the printer without authentication. We’ll first address the attack surface, decomposing the vulnerabilities into categories of Architecture & Design Vulnerabilities; Informational Vulnerabilities; Input Validation Vulnerabilities; Authentication and Authorization Vulnerabilities; and Misconfiguration Vulnerabilities; then we’ll discuss some remediation options.
Architecture & Design Vulnerabilities
Segmentation and micro-segmentation: This is a topic I very much like to discuss, and something that we all need to consider with the rise of IoT (Internet of Things), as devices that used to just print ink on paper while connected to LPT and COM ports (oh yeah, I’m that old) are now becoming increasingly connected. We can’t simply hook them up to the corporate user VLAN and throw them all into the same subnet as everything else. Just like we segment/isolate servers into separate VLANs (or you should be ;)) — we want to do the same with printers. The architecture and design vulnerabilities that have led to the successful compromise of servers from other lower security zones (such as the DMZ and corporate user VLANs) existed because the printers were not isolated into a printer VLAN with filtering in place to only permit the ports needed for workstations to print to them. The administrative interface (HTTP, HTTPS, Telnet (hopefully not), FTP (hopefully not), etc.) should be filtered to only accept connections from an administrative VLAN where the IT, server, and network administrators are. If the maturity level of your network just isn’t there yet, that’s fine; use other filtering methods, either VACLs, filtering on the printer itself, or rules on core firewalls, to allow traffic to those administrative ports only from the IT staff.
If I can offer any advice at all, it’s this, even if you are scratching it out on a napkin or whiteboard instead of Visio or LucidChart, please draw out and design where all of your multi-function/networked printers are placed. Design that quintessential perfect micro-segmented network where printers are all by their lonesome in their own segregated VLAN protected behind VACLs or firewall rules. Give thought to it rather than just throwing it into the corporate user VLAN. More and more APTs and malware are targeting not just the access privileges printers provide, but also the data they store that you may not be aware of.
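The filtering design described above can be written down as a first-match rule set and checked against the flows it is supposed to permit and deny. This is an added example, not part of the original post; the subnets, addresses and the `decide`/`violations` helpers are assumptions made for illustration, and 515, 631 and 9100 are the standard LPD, IPP and raw printing ports.

```python
# Added example: first-match ACL check for a printer VLAN (all subnets are assumed).
from ipaddress import ip_address, ip_network

USER_VLAN = ip_network("10.10.0.0/16")      # assumed corporate user VLAN
ADMIN_VLAN = ip_network("10.99.0.0/24")     # assumed IT administration VLAN
PRINTER_VLAN = ip_network("10.50.0.0/24")   # assumed dedicated printer VLAN

PRINT_PORTS = {515, 631, 9100}              # LPD, IPP, raw (JetDirect) printing
ADMIN_PORTS = {21, 23, 80, 443}             # FTP, Telnet, HTTP, HTTPS admin

# (action, source network, destination network, TCP ports); first match wins.
ACL = [
    ("permit", USER_VLAN, PRINTER_VLAN, PRINT_PORTS),
    ("permit", ADMIN_VLAN, PRINTER_VLAN, PRINT_PORTS | ADMIN_PORTS),
    ("deny", ip_network("0.0.0.0/0"), PRINTER_VLAN, None),  # None = any port
]

def decide(acl, src, dst, port):
    """Return 'permit' or 'deny' for one TCP flow; implicit deny if no rule matches."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, ports in acl:
        if s in src_net and d in dst_net and (ports is None or port in ports):
            return action
    return "deny"

def violations(acl, expectations):
    """List flows whose ACL decision differs from the intended design."""
    return [(src, dst, port, want) for src, dst, port, want in expectations
            if decide(acl, src, dst, port) != want]

# Intended design from the text, as testable flows (constructed addresses).
EXPECTED = [
    ("10.10.4.20", "10.50.0.15", 9100, "permit"),  # workstation prints
    ("10.10.4.20", "10.50.0.15", 443, "deny"),     # workstation -> admin UI
    ("10.10.4.20", "10.50.0.15", 23, "deny"),      # workstation -> Telnet
    ("10.99.0.7", "10.50.0.15", 443, "permit"),    # IT admin -> admin UI
    ("172.16.1.5", "10.50.0.15", 9100, "deny"),    # DMZ host -> printer
]

# The flat network the article warns about: everything may reach the printer.
FLAT_ACL = [("permit", ip_network("0.0.0.0/0"), PRINTER_VLAN, None)]

if __name__ == "__main__":
    print("segmented:", violations(ACL, EXPECTED))
    print("flat:", violations(FLAT_ACL, EXPECTED))
```

Keeping the expected flows next to the rule set turns the napkin drawing into something that can be re-checked whenever the ACL changes.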
Informational Vulnerabilities
Abraham Lincoln once said, “if I had 6 hours to cut down a tree, I’d spend the first 4 hours sharpening my axe.”
Every attacker worth their salt will prepare their war chest before launching the assault by performing reconnaissance and intelligence collection before moving to exploitation and post-exploitation pivoting. In order to launch any kind of attack against an attack surface, you have to know what it is you are attacking. Multifunction printers provide a lot of useful information, especially version banners when connecting to them. Harden printers the same way you would a server. Modify or turn off what version and other information is provided when connecting to the FTP, TELNET, or other ports of a printer. While I understand that you have very little administrative capabilities to actually change a lot of this stuff, change what you can. The level of access will surely differ between HP, RICOH, and other manufacturers.
But while printer manufacturers have been slow to understand this evolving attack surface, they’ve made significant progress through more advanced and comprehensive security settings pages that are, unfortunately, disabled or turned off by default. Printers ship with pretty much everything turned on and no user authentication requirements to access the web-based interface. Log in and take a look at what hardening steps you can take to lock that printer down. We’ve encountered numerous instances where the client didn’t even know that a web server was running on their printer for remote administration and that every document being printed and scanned was being stored on the printer and available through the web interface for later retrieval.
Input Validation Vulnerabilities
Yes, believe it or not, your printers can be vulnerable to input validation vulnerabilities, such as injection and cross-site scripting, even buffer overflows. Remember that your MFP is no longer just an ink plotter on paper; it’s now pretty much a server, running an FTP daemon, TELNET daemon, and web server — sorry, even an SNMP server for remote monitoring. So the same vulnerabilities that apply to servers apply to MFPs. Make sure your printers are part of your vulnerability management program, and understand that a great many issues have surfaced on MFPs lately, causing extremely long and painful enterprise-wide efforts to update networked printer firmware in a rush to meet a compliance deadline.
Authentication and Authorization Vulnerabilities
This one pretty much goes without saying. I think I can count the number of times on one hand where I’ve connected to the web admin interface of an MFP and was prompted to authenticate. Guess how many hands I can count on where the username and password weren’t the default that shipped with the printer? Yep! You guessed it — ZERO.
Because many companies still don’t have a password database management system in their enterprise, IT will typically deploy a printer with default credentials, allowing anyone who can reach port 443 of the device to access any document that printer may be storing from scans and print jobs. In the past, I’ve exploited this in numerous engagements, especially in E&P companies where plotters are printing interesting data in the geology department and the printer was kind enough to store all of the scans and print jobs of exploration and seismic data.
Weak authentication and authorization, as well as weak encryption, are also what led to the compromise of a Canon printer, allowing an attacker to install Doom (the game) on it. Although the firmware was encrypted, research revealed it was possible to crack this protection to reveal the source code. Reverse engineering the encryption system used by Canon also meant that if the attacker wrote her own firmware, the printer should accept it as authentic. Oh, the possibilities when printers use weak encryption ciphers — because who cares, right? It’s just a device that prints onto paper — a fancy typewriter!
Misconfiguration Vulnerabilities
This is where I see the brunt of most of the issues in investigations involving MFPs or penetration tests where the printer was used to pivot from. Probably the most critical misconfiguration vulnerability I’ve ever seen was when a company did not know that their printer was storing data from every print and scan job on the local printer and that all of the documents were accessible via the web interface, where authentication was protected with default credentials. In one instance, there was no web interface and the printer was configured to allow sharing of its drive, where all of the documents were being stored. Other misconfigurations included services such as FTP, TELNET, and SNMP that were simply turned on, shouldn’t have been, and weren’t being used. When SNMP was turned on, the community strings were of course always set to the defaults, public and private, for read and write.
While brevity — as well as a very well tuned and dry sense of humor — is a writing style I’ve adopted in blogging to try and keep these short, there is clearly a great deal of detail we can dive into with hacking printers, because the Devil is in the.. okay, I’ll stop.. In any case, summary? Let’s do it!
Security architecture (segmentation and micro-segmentation) to isolate printers in your corporate network into a printer VLAN is a must. Moving them to their own VLAN is not enough. Put port filters in place that restrict traffic to only what users need for printing, and restrict administrative services to the IT guys and gals.
Harden printers the same way you would harden servers. Stop letting IT deploy printers and make them immediately available to the corporate users. Ensure that IT Security is able to harden the printer or at least provide a hardening guide to IT in order to ensure printers are properly hardened before they are put into production. Since they oft-times store sensitive data, make sure they are secured with that in mind.
Turn off data storage for print and scan jobs. If it isn’t needed (most of the time it isn’t) then turn off this feature. There is no sense in having it on if no one is using it.
Turn off unneeded services. If you don’t need to telnet, ftp, or even monitor your printer via SNMP, turn all those services off. This will significantly decrease the attack surface.
Change default usernames and passwords. Do this with any device, but most importantly, your printers. Default credentials are published everywhere on the “interwebs” so it’s easy to find out what they are without owning one. Hah, I said “owning one” — hmm pwning one? Funny.
Keep printers updated. Update printers with the latest firmware just like you regularly patch (hah — that was funny) your servers, right?
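The checklist above can be run against a printer inventory before devices go into production. This is an added example, not part of the original post; the record fields, printer names and version strings are hypothetical and constructed for illustration, not any vendor's export format.

```python
# Added example: audit constructed printer records against the checklist above.
# Field names are hypothetical, not any vendor's export format.
UNNEEDED_SERVICES = {"telnet", "ftp", "snmp"}
DEFAULT_COMMUNITIES = {"public", "private"}   # defaults named in the article

def audit(printer, needed_services=frozenset()):
    """Return the list of hardening findings for one printer record."""
    findings = []
    services = set(printer.get("services", ()))
    if printer.get("vlan") != "printers":
        findings.append("not isolated in the printer VLAN")
    if printer.get("store_jobs"):
        findings.append("print/scan job storage is enabled")
    for svc in sorted((services & UNNEEDED_SERVICES) - set(needed_services)):
        findings.append(f"unneeded service enabled: {svc}")
    if "snmp" in services:  # even a needed SNMP agent must not keep the defaults
        used = set(printer.get("snmp_communities", ()))
        for comm in sorted(used & DEFAULT_COMMUNITIES):
            findings.append(f"default SNMP community string: {comm}")
    if not printer.get("admin_auth_required"):
        findings.append("web admin interface does not require authentication")
    elif printer.get("admin_password_is_default"):
        findings.append("admin account still uses the shipped default password")
    if printer.get("firmware") != printer.get("latest_firmware"):
        findings.append("firmware is not the latest available")
    return findings

# Constructed sample inventory: one unboxed-and-plugged-in MFP, one hardened MFP.
FLEET = [
    {"name": "mfp-lobby", "vlan": "corp-users", "store_jobs": True,
     "services": ["http", "https", "telnet", "ftp", "snmp"],
     "snmp_communities": ["public", "private"],
     "admin_auth_required": False,
     "firmware": "1.0", "latest_firmware": "1.2"},
    {"name": "mfp-finance", "vlan": "printers", "store_jobs": False,
     "services": ["https", "snmp"], "snmp_communities": ["constructed-ro-string"],
     "admin_auth_required": True, "admin_password_is_default": False,
     "firmware": "1.2", "latest_firmware": "1.2"},
]

def report(fleet, needed_services=frozenset()):
    """Map each printer name to its findings."""
    return {p["name"]: audit(p, needed_services) for p in fleet}

if __name__ == "__main__":
    for name, findings in report(FLEET, needed_services={"snmp"}).items():
        print(name, findings or "OK")
```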
Happy Printer Hacking!