Pwning printers: Backdoor in Samsung printers via hard-coded admin account

Do you have antivirus or malware protection for your printer? Is your printer behind the firewall? Did you change the printer’s default administrative password? Your network is only as secure as its weakest link and most “new” printers have a hard drive, a web interface, email capabilities and are connected to the Internet which makes any device much more exploitable by a remote attacker. A hacker could potentially transmit fake print jobs or faxes, change a printer’s settings, gain access to sensitive documents sent to the printer for espionage or identity theft, eavesdrop on network traffic to spy on you, or even launch a denial of service attack to make it inaccessible and damage the hardware.

Although ReadWrite suggested a tech nightmare would be when “your 3D printer starts making copies of itself; which start making copies of themselves,” not everyone is fortunate enough to own a 3D printer. Most businesses and homes do have a regular printer, but do not remember to patch it. Hacking a person via the printer is often viewed as a geeky urban legend, a prank or a hoax, yet experts claim the threat is real regarding laser printers and digital photocopiers, so much so that pwning a printer might be considered a “pot of gold.”

Samsung printers vulerable to hacking via hard-coded admin account

The latest printer backdoor vulnerability could allow an attacker to take control of a Samsung printer, as well as some Dell printers manufactured by Samsung, that were released before October 31, 2012. These printers have a hardcoded Simple Network Management Protocol (SNMP) account programmed into the firmware that has “full read-write community string that remains active even when SNMP is disabled in the printer management utility.” SNMP allows administrators to manage connected devices like routers, servers, switches, workstations, and printers. According to US Computer Emergency Response Team (US-CERT):

A remote, unauthenticated attacker could access an affected device with administrative privileges. Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information (e.g., device and network information, credentials, and information passed to the printer), and the ability to leverage further attacks through arbitrary code execution.”

Although Samsung plans to release a patch tool before the end of 2012, how many admins or home users will actually patch the hole?

A year ago, researchers at Columbia University discovered security flaws in some Hewlett-Packard LaserJet printers, leaving “millions of businesses, consumers, and even government agencies” open to “a devastating hack attack” via their printers. The news was full of headlines about how a hacker on the other side of the globe could remotely take control of an HP printer and set it on fire. Not only could printers be destroyed, but an attacker might exploit it to propagate malware inside the firewall. “Print me if you dare” was presented at the Chaos Computing Congress (28c3) hacker conference.

HP was named in class action lawsuit, then responded by releasing 56 firmware updates. Yet this summer, the same researchers said that only 1 - 2% of HP laser jet printers had been patched, meaning one in four HP printers were still open to attack. That might be due to lax security or due to faulty firmware update functions. Columbia University professor Salvatore Stolfo told the Guardian that some of the vulnerabilities are in the Linux operating system used by some printers.

These include more than 100 known vulnerabilities in versions of the OpenSSL encryption protocols that – for example – could be used to turn them into "reconnaissance devices that operate behind corporate firewalls, spread malware to internal systems, and even exfiltrate printed documents outside of a protected site".

Drupal has a module that allows for generating printer-friendly versions of email, PDFs and webpages, but it is exploitable. Just last week, the National Cyber-Alert System released a US-CERT vulnerability summary about “Cross-site scripting (XSS) vulnerability in the Printer, email and PDF versions module 6.x-1.x before 6.x-1.15 and 7.x-1.x before 7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably the PATH_INFO.”

pwning the network via printers

A recent question submitted to Seclists asked if the security vulnerabilities in Oki CUPS printer drivers were “fixed” by the files being removed from the FTP server. This summer, Symantec reported that if a printer starts spitting out pages that are “garbage” and printed with gobbly-gook, then that printer might be infected with a new worm called W32.Printlove. Microsoft released a security update and discussed the attack scenario to help “you assess the risk of this ‘sort of wormable’ issue in your environment.” Then HP jumped into the ring to protect printers in the healthcare environment.

Codenomicon, the same security testing company that fuzzed to find vulnerabilities that an attacker could use to hack smart TVs, also fuzzed six network printers [PDF]. “All tested printers failed.” This indicated “that the test devices contain several potentially exploitable vulnerabilities. These vulnerabilities could provide attackers with a backdoor into the organization network, enabling data theft and further attacks from inside the network.”

Printer vulnerabilities exist, even if they do not make headlines. As "printer security, hidden hard disks and other terrifying tales" pointed out, the smarter a printer gets, the more vulnerable it is. You might be thinking, yes but who really hacks a printer? If you doubt that it happens, then you really need to read about “extra fun” pwning the printer on Security StackExchange, such as “attack an office printer” and how “you can have some serious fun playing with printers, photocopiers and other such devices - even UPSes.”

How should you protect yourself? Update firmware. Change the default password and the default SNMP if you can to add authentication and encryption. Windows Networking adds, "To prevent network eavesdropping of print jobs, use a printer or print server that encrypts connections to and from the PCs. You may find a proprietary solution or those that support the IEEE Standard 2600.” You can also have your network scanned for vulnerabilities.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.