Why You Should Fear Your “mundane” Office Equipment

Conference:  Defcon 27

2019-08-01

Summary

The presentation discusses the vulnerabilities found in common office devices such as printers and emphasizes the need for manufacturers and organizations to invest in security measures.
  • The state of security in common office devices such as printers is still very immature
  • A large number of critical and high-risk issues were found in all the printers tested
  • Manufacturers should invest in security measures in all development phases of a product
  • Organizations should consider these devices as high-risk and protect sensitive information
  • Hackers can easily find vulnerabilities in embedded devices and should be cautious
  • The number of devices affected by these issues is huge
  • The presentation provides anecdotes and examples to illustrate the points made

The presentation provides an example of how an existing web portal image can be overwritten in the printer memory, allowing for control of all the information in the printer memory. This illustrates the vulnerability of common office devices and the need for manufacturers and organizations to invest in security measures.

Abstract

The security of common enterprise infrastructure devices such as desktops and laptops has advanced over the years through incremental improvements in operating system and endpoint security. However, security controls for network devices such as enterprise printers are often ignored and thus present a greater potential for exploitation and compromise by threat actors seeking to gain a persistent foothold on target organisations. In order to assess the current state of mainstream enterprise printer product security and to challenge common assumptions made about the security of these devices, which sit on key parts of enterprise networks and process sensitive data, we set out on a vulnerability and exploitation research project of six known vendors. We were able to find remote vulnerabilities in all printers tested through various attack vectors, revealing a large number of 0-day vulnerabilities in the process. In this talk we walk through the entire research engagement, from initial phases such as threat modelling to understand printer attack surfaces to the development of attack methodologies and fuzzing tools used to target printer-specific protocols and functions. Besides highlighting the important vulnerabilities found and their respective CVEs, we will present proof-of-concept exploits showing how it is possible to gain full control of printers and all of the data they manage. This will show how to use enterprise printers as a method of persistence on a network, perhaps to exfiltrate sensitive data or support C2 persistence on Red Team engagements. We also address a number of challenges that researchers can face when performing vulnerability research on devices such as printers and how we used different techniques to overcome these challenges, working with limited to no debugging and triage capabilities. We also present mitigations that printer manufacturers can implement in order to reduce printer attack surfaces and render exploitation more difficult.