Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Attack of the Trojan Printers

samzenpus posted more than 3 years ago | from the it's-crowded-in-there dept.

Security 144

snydeq writes "Security professionals are tapping Trojan horse access points cloaked in printers and other office equipment to infiltrate clients who want their defenses tested, InfoWorld reports. Attackers dressed in IT supplier uniforms drop off printers to a company for a test-drive. Once the device is connected to the network, the penetration testers have a platform behind any perimeter defenses from which to attack. 'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?' one security researcher says of the method. A variant of the attack, presented by Errata Security at the Defcon hacking convention, uses an attack-tool-laden iPhone mailed to a target company to get inside the firm's network defenses."

cancel ×

144 comments

Sorry! There are no comments related to the filter you selected.

tried that with a Flip cam (2)

lpaul55 (137990) | more than 3 years ago | (#34408156)

an attractive USB device could host something undesirable. Smart clients won't touch them.

Re:tried that with a Flip cam (1)

bl4nk (607569) | more than 3 years ago | (#34408192)

I think that would more appropriately be worded as "paranoid clients won't touch them". Everyone else will. C'mon, this is the real world, not a classroom or security conference.

Re:tried that with a Flip cam (1, Troll)

Anon-Admin (443764) | more than 3 years ago | (#34408362)

Wow where did you find "Smart Clients"?

The average person will pick up a USB pen drive from the parking lot and plug it into there PC or Laptop. Heck, I bed 99% would run a program on it called "Owner_Information.exe" To see who to return it to.
I bet good 50% would run a program called "Run_Me.exe" lol

In all honesty most Technical people over think most hacks. It is like watching a person try to pick the lock on a door when the window next to the door is open.

Re:tried that with a Flip cam (2)

Crudely_Indecent (739699) | more than 3 years ago | (#34409326)

The average person will pick up a USB pen drive from the parking lot and plug it into there PC or Laptop.

I did that last month.

I run Linux though, so I'm not really worried about the things most people worry about. All that was on it was an exceptionally boring PowerPoint file which I deleted before giving the stick to my wife (who uses a Macbook)

Re:tried that with a Flip cam (3, Funny)

oldspewey (1303305) | more than 3 years ago | (#34409712)

before giving the stick to my wife

Pics or it didn't happen.

Re:tried that with a Flip cam (1)

Anonymous Coward | more than 3 years ago | (#34409416)

The average person will pick up a USB pen drive from the parking lot and plug it into there PC or Laptop.

I certainly would. And why not? What harm can there be if autorun isn't enabled?

Re:tried that with a Flip cam (1)

dotgain (630123) | more than 3 years ago | (#34410540)

Depends on what kind of explosive the drive is full of.

Hey, come on. You didn't come into this thread not expecting pedantry.

Re:tried that with a Flip cam (1)

neumayr (819083) | more than 3 years ago | (#34409994)

Wow, you think 99% would make an effort to figure out the owner of a device, instead of just going with "Yay, free gadget!"? Cool.

Re:tried that with a Flip cam (1)

tophermeyer (1573841) | more than 3 years ago | (#34410106)

Actually, that's exactly how I would try to find out who the owner of the device was. I would expect to find myself an office document or other files that would let me get a name.

Re:tried that with a Flip cam (2, Funny)

Anonymous Coward | more than 3 years ago | (#34408380)

Good luck trying to mail someone a printer right now :-)

Re:tried that with a Flip cam (-1)

Anonymous Coward | more than 3 years ago | (#34408428)

I pooped. It smells like chili. Really hot and spicy chili. Where's smell-o-vision when ya need it?

Re:tried that with a Flip cam (-1, Offtopic)

kimvette (919543) | more than 3 years ago | (#34408858)

Well, I guess we now know what Uranus smells like!

Re:tried that with a Flip cam (4, Insightful)

arivanov (12034) | more than 3 years ago | (#34409128)

Printer is indeed a better choice.

Some printers can have a full attack kit loaded and have WiFi. While most printers are yet to be hacked, the possibility is there. The bigger ones have a fully blown OS of some description doing the management functionality. Some of it is also hopelessly out of date securitywise. I have seen stuff like Win2000 being used on the print centers by one well known big company. Rooting that is trivial.

The ones that cannot be routed can still have a MIM put in between their built-in network functionality and the customer network. If done properly it will _NOT_ have any "cables sticking out" either. A microcontroller with two Ethernets which bridges between the printer original Ether and a fake one sticking out can be put in something the size of an match box nowdays. With most IT depts putting indiscriminately power over ethernet nobody will notice if it is powered from the net. And so on. There are lots of variations on this theme and having "more than one cable sticking out" actually means a very lame job on the side of whoever did it.

Re:tried that with a Flip cam (1)

operagost (62405) | more than 3 years ago | (#34409408)

Some of it is also hopelessly out of date securitywise. I have seen stuff like Win2000 being used on the print centers by one well known big company. Rooting that is trivial.

Support for Windows 2000 Server ended in July of this year. I wouldn't consider that hopelessly out of date, but I agree that those systems should have been eliminated by then. 2000 does have features that would let one lock them down pretty well; as to whether this is feasible with a print server, I don't want to know.

Re:tried that with a Flip cam (1)

Amouth (879122) | more than 3 years ago | (#34410428)

2000 does have features that would let one lock them down pretty well; as to whether this is feasible with a print server, I don't want to know.

ask Oce - they use win2k server on dell power edge towers as the controller in the printers that we have..

the Tech's have zero maintenance schedule for them and don't have access to configure or change them.. i block access to them except for the single VM that's allowed to talk to it.

That old saying applies (5, Funny)

Megahard (1053072) | more than 3 years ago | (#34408200)

Beware of geeks bearing gifts.

Re:That old saying applies (1)

dgatwood (11270) | more than 3 years ago | (#34408962)

Here's what I don't get. An extra power cable? If you're inside the printer anyway, why not just tap its power supply. It's not like the printer is right at the edge of what its power supply can put out, and if it is, you could always build a bigger power supply. Likewise, tap the printer's Ethernet connection---slice the traces to the printer guts itself, and embed a small passive Ethernet hub that provides a connection to both to the sliced traces on the board and to your sniffer. Done, and done. Unless your network admins are very clever, it's undetectable.

Re:That old saying applies (0)

Anonymous Coward | more than 3 years ago | (#34409226)

That's all true, but I don't know what good having this inside the network is supposed to really enable. The clients all have firewalls and don't have ports open (except for ICMP Ping because our DHCP admins insisted they need to be able to ping machines to reclaim addresses). In fact, the hack machine won't even get a very usable DHCP address itself because it doesn't have the right class ID (per the standard, they get an address, but no DNS info without our company's class ID info). Smart Card authentication is required to actually do anything on the network. Traffic is switched, so they can't even snoop on other people's traffic. So what is the point?

Re:That old saying applies (3, Insightful)

Schadrach (1042952) | more than 3 years ago | (#34409438)

The point is that your situation is unlike most, especially small businesses who will generally run on a "How much will i cost to do it right? OK, you get half that," budget.

Re:That old saying applies (1)

by (1706743) (1706744) | more than 3 years ago | (#34409822)

Well, if you wanted to get snazzy, in addition to piggybacking off the power cable you could rewire the malicious box's first ethernet jack to the printer's ethernet jack (setting the MAC address to that of the printer of course), and then port forward to the printer (assumes two NICs on the malicious box). That way, you've got an IP and are privy to, at the very least, all print data. One could simply email the print jobs offsite from the malicious box. Who knows, maybe some juicy/confidential material will be printed out at some point.

Re:That old saying applies (1)

bored (40072) | more than 3 years ago | (#34410180)

port forward to the printer

You don't need to even do that. Generally you can wire multiple devices to the same switch port and it actually works. I got a personal shock about 15 years ago when I saw it temporarly done to work around an out of switch ports situation. Since then, I try it once in a while to see if it still works, its like the crossover cable trick, doesn't work 100% of the time, but doesn't need to. The carrier sense and collision detection functions still work even at 1Gbit, so the two adapters will stay out of each others ways. Matching mac's or leaving one in a listen only promiscuous mode allows you to monitor the traffic with very little hardware effort.

Re:That old saying applies (1)

dotgain (630123) | more than 3 years ago | (#34410756)

I'm really interested in what you mean by crossover cable "trick" or why it sometimes doesn't work for you.

I've never had a situation where a crossover cable didn't work as expected when connecting like ports. Then again the first thing I do with any managed port is disable any form of autonegotiation. You know in a Cat6 crossover you cross BOTH pairs, and not just the green and orange, right?

Re:That old saying applies (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#34410612)

You can skip the hardware effort, in a fair number of cases. Your modern workgroup network printer is running a pretty beefy board(400+mhz ARM/MIPS, 128+MB of RAM, and an embedded OS that often hasn't been looked over with especially impressive care. It should, with a fair few models; be possible to be running the attack/surveillance code directly on the otherwise bone-stock printer control board. When somebody screwdrivers it open to clear a jam, they won't notice that...

Re:That old saying applies (1)

mlts (1038732) | more than 3 years ago | (#34409936)

You work for a firm that is run by people with a clue.

A lot of PHBs at SMBs just say "security has no ROI" and only worry about an edge firewall and antivirus products on the PCs as the main security bastions. Because one can romp freely through their internal network without setting off an IDS or getting the brains splattered by an IPS, these are the gold mines for blackhats, as usually the SMBs have a good sum of unprotected salable data, and a large pipe to use for DDoS abilities.

Re:That old saying applies (1)

jimicus (737525) | more than 3 years ago | (#34410070)

Switching traffic doesn't necessarily do you much good. Tools like hunt allow you to hijack active TCP streams relatively easily, and it's quite hard to do much about it.

Crunchy on the Outside, Chewy on the Inside (4, Interesting)

dougmc (70836) | more than 3 years ago | (#34410214)

Most corporate firewalls (at least the part that most users are working behind) stop stuff from coming in, but permit most traffic going out. And even if they do block most traffic going out, they almost always permit 80/tcp out, and while they might have some sort of nanny filter there, something that just goes out to a random address at port 80 and then sends encrypted data will likely get through.

Once this machine is on the network, it can connect to a server somewhere on the Internet, and then the bad guys can come back in through this connection and do whatever they want from the printer. The important intranet sites may indeed require Smart Cards (rare, but some may do this) but all the machines that people work on are often poorly maintained, and the intranet systems that require Smart Cards often have all sorts of vulnerabilities -- the machines they reside on aren't secured, the applications have the whole spectrum of website vulnerabilities, etc. Yes, the company could secure all this stuff, but it would take time and money, and they think "it's inside the firewall, it's safe" (and yes, they're wrong.)

Perhaps some companies are different, but I'd say most are like this. Some companies separate everything internally with firewalls, but most don't, or if they do, there's lots of stuff behind each of these internal firewalls, and anything behind the same firewall as the trojan horse would be vulnerable (and really, stuff on the other side of the firewall might be too, depending on how draconian it is.)

This may not work on the NSA (assuming they follow all their policies!) but I would guess that getting a printer set up like this installed on most company's networks, coupled with skilled crackers working through it (not just script kiddies, though they might have some success too), would be able to get at all sorts of stuff they weren't supposed to get to. If it's a software company, they could get the source for their work, perhaps add their own code (back doors!), etc.

Re:That old saying applies (1)

dgatwood (11270) | more than 3 years ago | (#34410404)

First, as others have pointed out, that's an unusually secure network. Second, in the worst case, you can sniff everything that gets sent to the printer, write it to flash, firmware-timebomb the printer so that it fails after a couple of weeks, then recover the sniffer itself when they call you to come repair the printer. This assumes, of course, that you work for a company providing printers to the business. It's much harder to do that otherwise, but then again, it's much harder to get the printer in there in the first place otherwise.

Re:That old saying applies (1)

drinkypoo (153816) | more than 3 years ago | (#34409474)

We're talking about networked printers, they are connected directly to mains, not to an external power supply. You just tap the mains power from inside the printer. If you can't do this and make it look factory you're probably not even interested in doing it.

Re:That old saying applies (1)

dgatwood (11270) | more than 3 years ago | (#34410362)

Way too hard. Tap the +12V or +5V output of the power supply and DC-DC it to whatever voltages you need. Then you don't have to find room for another full size power supply inside the machine.

Re:That old saying applies (1)

drinkypoo (153816) | more than 3 years ago | (#34410520)

You don't need a full-size power supply anyway, you use a tiny switching supply. They cost more but not dramatically so. This gets you out of situations where you might overload some part of the power supply and cause a failure, thus bringing attention to the device.

Re:That old saying applies (2)

Mr. Freeman (933986) | more than 3 years ago | (#34410622)

Better yet, there's a lot of printers nowadays that have wireless networking capability built-in.

Some custom firmware and all of a sudden you've turned this printer into an access point as well. No glued shut trays, no mysterious power cables, etc.

Is There A (0)

Anonymous Coward | more than 3 years ago | (#34408208)

Wikileaks [wikileaks.org] option?

Yours In Minsk,
Kilgore T.

Old News (0)

b4upoo (166390) | more than 3 years ago | (#34408222)

Apparently our government made use of printers to destroy targets way back when Desert Storm kicked off. Somehow on high end printers, circuits were hidden that would direct smart missiles right into a window. The assumption was that high end printers usually sold to governmental entities or to infrastructure agencies. Apparently it worked well.
          We also saw a brand of cell phones sold only by the DEA that were wired to deliver all phone calls to law enforcement as well as the intended conversant. The phones were so superior in quality, and pricey, that drug dealers were almost exclusively buying them. The Miami area lost a lot of drug dealers from that planting.

Re: Old News (1)

lpaul55 (137990) | more than 3 years ago | (#34408276)

Miami's loss was Minneapolis' gain.

Re: Old News (5, Informative)

wjousts (1529427) | more than 3 years ago | (#34408288)

Urban myth, read the first two paragraphs of TFA

Way back in 1991, InfoWorld reported on an advanced threat hitchhiking inside printers shipped to Iraq. The virus, known as AF/91 and implanted by the U.S. government, reportedly shut down Iraqi radar installations before escaping to spread among Windows computers.

The article, published on April 1, was a spoof. But it spawned an urban myth that has been reported as fact in many circles.

Physical access == pwnage (3, Insightful)

mlts (1038732) | more than 3 years ago | (#34408234)

Nothing really new here, other than perhaps people realizing that printers are a network entity (which they have been at least since the HP LaserJet cards). As for housing a blackhat-usable machine, that has been done for ages, as it isn't hard to just plug in a laptop or network powered biscuit PC and start firing up nmap.

How to protect about this? Cisco's core routers have plenty of tools to deal with rogue devices (MAC address locking per port, healthchecking, etc.) Wireless networks take some more doing, but can be just as well locked down.

Re:Physical access == pwnage (4, Interesting)

hawguy (1600213) | more than 3 years ago | (#34408618)

How to protect about this? Cisco's core routers have plenty of tools to deal with rogue devices (MAC address locking per port, healthchecking, etc.) Wireless networks take some more doing, but can be just as well locked down.

Agreed -- we use 802.1x authentication on all of our switch pots, only domain computers are allowed on the network. We do MAC address bypass on specific ports for known network printers, etc, but they go on a limited access VLAN. No one outside of IT can receive a printer in the mail and just plug it in and have it on our network.

I thought all midsized and larger businesses used some sort of port control to control network access?

Small business are usually so lax in computer security that there are so many holes in their network making it unnecessary to send them a Trojan Printer to hack in. I've done work for a number of small businesses that use 40 bit WEP to "protect" their Wifi network -- and no amount of persuading from me will make them change it.

Re:Physical access == pwnage (1)

bored (40072) | more than 3 years ago | (#34410048)

Well a lot of people fail to remember that the majority of the Ethernet switches being sold today only send packets to the specific port the endpoint is on, unless its a broadcase/multicast packet. This means that plugging joe random promiscuous mode adapter into a switch won't give you visibility to the whole network.

That said, unless the designer of the trojan is stupid there will only be a single mac address exported to the network by the printer. Sure, no one is going to just plug a random printer in, but one of the printers on the vlan could be compromised and you would never know. If the trojan were routing the information out over a hidden wireless interface you might never be able to detect that either, if it buffered everything up and burst it for a few seconds every couple days. Frankly, I'm not sure what extra security you might be gaining putting the printers on their own vlan instead of on the regular network. As long as you control the mac addresses, the amount of data any single port can see is going to be limited even if someone shows up and transparently monitors a given port. I guess an evil device could start responding to arp requests and routing traffic through itself, but if you don't notice that you have other problems. For that matter, a truly evil device could probably preempt your switch management traffic. At that point the vlans aren't going to protect you. Again this will probably be pretty obvious to anyone paying attention. This is the problem with vlans, they tend to provide a false sense of security. There is a reason a lot of the really high end gear won't allow (or strongly suggests) the management ports to be on the same physical network as the rest of the switch.

Re:Physical access == pwnage (0)

Anonymous Coward | more than 3 years ago | (#34410466)

Well a lot of people fail to remember that the majority of the Ethernet switches being sold today only send packets to the specific port the endpoint is on, unless its a broadcase/multicast packet.

Even more people fail to realize that the majority of those ethernet switches can be duped/overwhelmed into behaving just like hubs.

Re:Physical access == pwnage (1)

bored (40072) | more than 3 years ago | (#34410784)

Yah, the ones with dedicated "monitor" modes tend to be more robust. Course those generally are layer3, which also by itself tends to be more robust.

Re:Physical access == pwnage (2)

Score Whore (32328) | more than 3 years ago | (#34410482)

Well a lot of people fail to remember that the majority of the Ethernet switches being sold today only send packets to the specific port the endpoint is on, unless its a broadcase/multicast packet.

That's the definition of a switch. So I would hope that the majority of them do that.

Re:Physical access == pwnage (1)

afidel (530433) | more than 3 years ago | (#34410722)

On the hidden wireless interface our Cisco WLAN controllers would detect it as a rogue AP.

Re:Physical access == pwnage (1)

bored (40072) | more than 3 years ago | (#34410894)

Really, even when its a proprietary, or edge/wimax/etc type adapter? If it does then it must be getting enough false positives to cause you heartache... If someone is putting a wireless interface in a device for back-channel communications I would assume there are much better choices than a normal 802 wireless interface.

Re:Physical access == pwnage (1)

hawguy (1600213) | more than 3 years ago | (#34410820)

Well a lot of people fail to remember that the majority of the Ethernet switches being sold today only send packets to the specific port the endpoint is on, unless its a broadcase/multicast packet. This means that plugging joe random promiscuous mode adapter into a switch won't give you visibility to the whole network.

I'm not worried about someone snooping packets (well, I am, but that's not why I use 802.1x). I'm more worried about someone plugging into the corporate VLAN and having unfettered access to try to hack into all of my endpoints. While we do have antivirus and a pretty decent patching policy, I'm not really ready to declare that all of my hosts are immune to attack. Network access control is just one layer in my security and keeping non 802.1x authenticated devices off of my main corporate network is trivial to implement and prevents someone from spoofing my printer's MAC address to give him full network access.

You said but one of the printers on the vlan could be compromised and you would never know then you said I'm not sure what extra security you might be gaining putting the printers on their own vlan instead of on the regular network Didn't you answer your own question? By putting my printers on their own VLAN than can't reach any other hosts on the network (except for the DMZ mail server to send out problem notifications), then there's not a whole lot a compromised printer can do to my network.

Using your logic, I guess I can get rid of my internet firewall and don't even need a router since the very nature of ethernet switches won't let any outsiders snoop my traffic? I mean really, what possible harm could someone do if all they can do is send/receive traffic to any port on any of my internal hosts?

Re:Physical access == pwnage (1)

swb (14022) | more than 3 years ago | (#34408994)

I thought this was pretty old news, too. I've stashed laptops, access points and even SFF desktops in desks, cabinets and above ceiling tiles, enabling all manner of access long after I had physical access to the facility.

It was generally legitimate (ie, I was network manager) subterfuge to do troubleshooting at remote facilities, but there was one place that was a "sister company" that I was required to support but wouldn't give me any remote access. Those people got the old laptop above the ceiling tile.

It'd be more impressive if they had managed to hack an HP Jetdirect interface to *host* their remote system while still supporting printing features. From what I've seen, most modern JetDirect cards can support a web site, which is probably quite a few KB of space to start with.

As long as the functionality of the card wasn't audited, it would seem that you could probably fit a fair amount of functionality into firmware while still leaving basic LPR printing enabled.

You could probably do even more if the card could be physically hacked to support a larger amount of flash memory.

If you could reverse-engineer the JetDirectPrinter interface and replace the JetDirect card with a complete single board PC (way better CPU, more memory, etc) you could probably fool even people familiar with JetDirect cards essentially forever, especially if you could accept and fake JetDirect firmware flashes.

Re:Physical access == pwnage (1)

drinkypoo (153816) | more than 3 years ago | (#34409494)

Indeed the JetDirect stuff delivers several signed Java Applets so there's plenty of room to hide a trojan in there. But in most printers of any size there's more than enough room for a micro-hub and some kind of teeny embedded system (like a dockstar stripped out of the case.)

Re:Physical access == pwnage (0)

Anonymous Coward | more than 3 years ago | (#34409040)

You forget most companies hire network folks who "know subnetting".

They are not *real* network guys, but rather a sysadmin who picked up Cisco and knows a few commands. They always push real networking work off to the vendors who come in and very poorly architect a solution. Then they blame their lack of skill on the equipment/vendor when it fails since no one smarter is around to debunk it.

Re:Physical access == pwnage (1)

afidel (530433) | more than 3 years ago | (#34410672)

If you fire up nmap on my network you're caught in minutes (we physically located the pen testers inside of 15 minutes last time they came onsite for an unannounced test). Also the idea behind this is that you give the device to someone in IT to demo, that means it will likely get its MAC added to the switch. In security paranoid places all outbound traffic has to go through a proxy and there's little chance a printer would be allowed through that =)

Iraq (0)

vxice (1690200) | more than 3 years ago | (#34408242)

this has been talked about since at least the first Gulf war. There was an urban legend of Iraqi air defenses being taken out by a covertly U.S. supplied printer.

Re:Iraq (1)

XiY47 (1815860) | more than 3 years ago | (#34408556)

First line in TFA:

Way back in 1991, InfoWorld reported on an advanced threat hitchhiking inside printers shipped to Iraq. The virus, known as AF/91 and implanted by the U.S. government, reportedly shut down Iraqi radar installations before escaping to spread among Windows computers.

Obvious trojans? (1, Insightful)

countSudoku() (1047544) | more than 3 years ago | (#34408264)

Dumb people being tricked?! News at 11.

Technically, if you've got extra wires hanging out of your Trojan Printer, you just might be the biggest idiot in fuckheadland. Integrate your spyshit to the motherboard and feed off the built-in network connection and power system! Sorry, I don't click on *world.com articles due to high ad noise and shitty page layout, but I get the drift, Ned. Not even close. NEXT?!

Re:Obvious trojans? (-1, Redundant)

TempestRose (1187397) | more than 3 years ago | (#34409096)

"biggest idiot in fuckheadland" Godfuckingdamnit, and I just used up all my mod points this AM. Thank you for the new phrase!

If you are smart about it... (0)

Anonymous Coward | more than 3 years ago | (#34408332)

...there only needs to be ONE visible power cable coming out of the back.
A little splicing here, a new fuse, bham, one power cable.

Something like FitPC, Gumstix, Arduino, or even something as simple as a hackable router / modem. (probably much easier to use that actually)
A wall-wart could be a fantastic tool inside a printer for hacking in to a companies network. Just remove it from the casing, wire it up to the printer power, throw some tools on there, "printer breaks", you come pick it up with the number you placed on the printer previously, enjoy your secrets.

This happens occasionally on educational grounds, whether it is a rather smart kid in school or someone in University.
In fact, i remember someone done it in a local University so they could access the network externally and use it as a server for files and such.
They used Hamachi to access it. Got around thousands of £s in security systems.

Re:If you are smart about it... (0)

Anonymous Coward | more than 3 years ago | (#34408554)

Yeah that's a good tip, however I don't think that you OMG YOU SAID ARDUINO!

Give him mod points! He mentioned Arduino!

Seriously though, you're right about that. To go to all that trouble and not even hook your device into the internal power of the device itself? Hiding in the tray and then glue it shut? This is 2010, you can fit the hardware you need in the empty space available of most devices.

This reminds me of a printer prank I've read about. The guy basically modded a printer which was the same brand and model as the one in the office then swapped it after business hours.

The next morning, the secretary sent something to the printer, so it started its own custom routine: send a pre-printed business-like page up to the built-in shredder. Seeing the mess, the secretary started to panick, tried to shut down the printer with no success (the power switch was disabled), she tried to remove power by disconnecting from the wall socket with no success (there was a built-in UPS), tried to at least save the paper with no success (tray was bolted down).

Old trick, upgraded (2)

MrEricSir (398214) | more than 3 years ago | (#34408340)

This sounds like a modern version of when the CIA planted a camera inside the Xerox machine in the Soviet embassy.

Re:Old trick, upgraded (3, Funny)

Kittenman (971447) | more than 3 years ago | (#34408558)

Was that when the CIA just got multiple close-up photos of Russian butts from the Soviet embassy party?

Re:Old trick, upgraded (2)

Dthief (1700318) | more than 3 years ago | (#34408652)

Ya, I think I saw those ass-shots on wikileaks

Re:Old trick, upgraded (0)

Anonymous Coward | more than 3 years ago | (#34408768)

That's what they got for mixing the vodka, horse laxative and chili bhajis :)

802.1X (0)

Anonymous Coward | more than 3 years ago | (#34408342)

802.1X [wikipedia.org] , if you don't want rogue devices on your network (and you still believe in "hard shell soft center" security, that is.)

Cool (2)

mr100percent (57156) | more than 3 years ago | (#34408348)

These are pretty cool tactics, but are they warranted? Is the world of corporate espionage so devious and sophisticated that these would be legitimate vectors of attack in the wild?

Re:Cool (1)

Yvan256 (722131) | more than 3 years ago | (#34408572)

Nah, they don't use legitimate vectors of attack in the wild yet. They still use bitmaps.

Re:Cool (1)

robot256 (1635039) | more than 3 years ago | (#34409268)

They still use spear-phishing, spam, and "lost" flash drives since they work just as well and are easier.

Re:Cool (0)

Anonymous Coward | more than 3 years ago | (#34409470)

No, they're not warranted. Not when ten large in my bank account would get them easier and less traceable access.

Seriously. Fortune 500 retailer's entire business plan for the next five years. Yours for the bargain basement price of $10,000. Make it $50k and I'll cc you the databases, mag-fry the backups and set the fucking building on fire.

Hint to employers: the correct answer to your sysadmin's request to be paid first percentile for the job he's doing is NOT "Why should I?"

Re:Cool (1)

garyebickford (222422) | more than 3 years ago | (#34410936)

About 10 years ago I was at a security conference, where the Navy's cyber warfare officer (I think at the time he was the only one - he was working hard at the time to set up the first "cyber warfare battalion", and was also trying to get more cooperation between gov and industry, with the gov providing useful hints on security, and a voluntary security network among industry sysadmins) pointed out that in red team tests, the average cost of rolling over a data center employee to get physical access to a data center and do what you want was just $7000. So, with inflation, your numbers are probably right on.

Re:Cool (1)

iluvcapra (782887) | more than 3 years ago | (#34409568)

These tactics are plausible, even childishly simple, and were effective. I don't know, from the perspective of a black hat, what "legitimate" means here.

Why make it complicated? (5, Interesting)

war4peace (1628283) | more than 3 years ago | (#34408352)

It is a lot simpler than that. Last month I turned on my laptop's WiFi while replicating some troubleshooting steps and it popped saying it found 3 Wifi networks, not the usual 2 company-provided, password-protected ones. Turned out someone brought a router inside, plugged it in and used it for God-knows-what, then left it there, turned ON. Free WiFi for everyone!
This was a HUGE security breach, process breach, you-name-it breach. The guy was canned afterwards, but that's not the issue. What's funny is that pretty much all companies' buildings in that area have at least one unprotected WiFi network, freely accessible from any device. No username or password required.
You want to browse through most of the Top50 companies' "secured" networks? You got it. Sometimes I wonder where are all the damn hackers...

Re:Why make it complicated? (2)

Yvan256 (722131) | more than 3 years ago | (#34408588)

Sometimes I wonder where are all the damn hackers...

Trying to hack Blizzard's servers to get some l33t gear they can't bother questing for?

Re:Why make it complicated? (1)

war4peace (1628283) | more than 3 years ago | (#34408986)

I would definitely mod you informative, dear sir.

Re:Why make it complicated? (1)

don_carnage (145494) | more than 3 years ago | (#34409054)

Periodically scanning for rouge WIFI access points on your company's campus would prevent this sort of thing from happening. Now, imagine if instead of dumping a WIFI access point, they dumped a 3G aircard? 802.1x is the best defense against unauthorized network access.

Re:Why make it complicated? (2)

Minwee (522556) | more than 3 years ago | (#34409352)

Periodically scanning for rouge WIFI access points on your company's campus would prevent this sort of thing from happening.

But would that help you find magenta and teal access points as well?

Re:Why make it complicated? (1)

don_carnage (145494) | more than 3 years ago | (#34409446)

Curse you Perry the Platypus!

Re:Why make it complicated? (1)

afidel (530433) | more than 3 years ago | (#34410846)

Oh, you are evil. I had the ethernet and wifi attacks foiled but a passive tap on the ethernet and 3G upload would be all but impossible to detect.

Re:Why make it complicated? (1)

Sulphur (1548251) | more than 3 years ago | (#34409766)

You got it. Sometimes I wonder where are all the damn hackers...

Chasing your WiFi?

Re:Why make it complicated? (3, Informative)

FooAtWFU (699187) | more than 3 years ago | (#34409804)

This is why serious wireless vendors like Cisco and Aruba and the like have "rogue access point detection" which can not only triangulate the location of an unknown device given its wireless signal strength in relation to legitimate APs, they can also determine if it's hooked up to your network (if there's appropriate hardware in the packet path) and spoof packets to cause a denial of service and disconnect any clients.

Of course, these capabilities will cost you.

Re:Why make it complicated? (0)

Anonymous Coward | more than 3 years ago | (#34409974)

I recently audited a major new york medical facility. They talked a great game, authentication this authentication that no wireless anything etc etc etc. I found more than a dozen wireless AP's within the first hour most of them with unencrypted defaults. Doctors generally feel entitled and an office supply store was a block over. There tech support was adding the AP's MAC addresses to there static allows. Anybody could attach to these AP's and dig in deeper from there there were clear text passwords etc floating around everywhere. My personal favorite was there "SSO" solution it was more of a single credentials sign on all over the place via telnet and http of course. I see this sort of thing all the time upgrading networks to be PCI compliant CTO's come down with the it's to expensive to do this right lets no do it and the end users will find a way to provide what they want/need. Wireless is no longer an option people expect there toys to work and your better of getting into the free ISP business within your own walls (and segmented form your own network) than trying to forget about and and hope it will go away.

Re:Why make it complicated? (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34410288)

Funny Similar story - one day we found one of our buildings was getting bad IP addresses. 192.168's, so thats even more odd, that whole building is on 172.21.0.whatever. We couldn't figure it out at first, nothing wrong with our servers. Tracing it back from one of the computers with a Bad IP, we determined, there was a rogue router plugged into our network, DHCP was still enabled and this little Linksys thing was causing a world of trouble - luckily it was set to the default username and password otherwise we might have had difficulty grabbing the MAC Address of it.

There was no way to determine where exactly in the building it was, didn't even have the WiFi turned on - so we had to go into the logs of all our switches looking for this MAC Address so we could follow it through the patch panel to whatever port it was in. Meanwhile we're scanning around the building as fast as we can looking for this thing - to no avail.

Turns out - in the corner of this one area that IT -never- goes to, there it was, plugged into the network, and plugged into 3 machines. We work at a laboratory so its not uncommon to see instruments all strung together on their own subnet connected via a simple switch - which is exactly what was happening here.

Cleaning guy accidentally unplugged it last night while sweeping. When he plugged it back in he mixed up the lan and Wan cables.

Something so simple tied us all up all morning. We're much better prepared for that kinda stuff now.

Re:Why make it complicated? (2)

apparently (756613) | more than 3 years ago | (#34410754)

Linksys thing was causing a world of trouble - luckily it was set to the default username and password otherwise we might have had difficulty grabbing the MAC Address of it.

You need the username and password of the gateway in order to run: "arp -a" from a computer that's connected to it?

Glued shut with 3 cables? (1)

digitaldc (879047) | more than 3 years ago | (#34408382)

'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?'

I, for one, would certainly notice THAT. But who in the corporate world would notice or even care?
Also interesting is that the article links to an eWeek article that in turn links to a Slashdot article from 2007 about this same thing.

Re:Glued shut with 3 cables? (1)

ElectricTurtle (1171201) | more than 3 years ago | (#34408520)

If you really think that's abnormal, you probably haven't worked that many MFPs. A fair number are modular and the modules have to be powered. Usually it's done with a power cable that plugs into the core MFP, but sometimes the separately powered modules have wholly separate cables that go into the wall. Two power cables is completely normal for several MFPs.

Re:Glued shut with 3 cables? (1)

Locke2005 (849178) | more than 3 years ago | (#34408592)

Yes, that's a kludge, but I recall from working for Sharp that their printers really did have several separate computers inside, each for a different function. I thought it was a bad design, but I guess it made their design costs cheaper.

Re:Glued shut with 3 cables? (2)

war4peace (1628283) | more than 3 years ago | (#34409070)

Not a kludge; in fact, smart design. Those MFPs are modular. A module breaks down, plug it off, the rest works, albeit without that specific function (e.g. stapler).

Re:Glued shut with 3 cables? (1)

Qzukk (229616) | more than 3 years ago | (#34410302)

If I were really designing a modular MFP, all of the modules would be powered off an internal bus rather than each having their own power cord.

If I were really designing a printer with a wireless router hacked into it, I'd spend the extra 30 minutes attaching the router power to the printer's internal power supply rather than having two power cords, since I'm likely elbow deep in the printer guts to reroute the ethernet cable in the first place.

A pro would be more thorough (1)

Khopesh (112447) | more than 3 years ago | (#34409776)

'You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?'

I, for one, would certainly notice THAT. But who in the corporate world would notice or even care?

No you wouldn't. For an extra ~$20 or so, the attacker could put a power splitter and network switch inside the box, making it just one power cable and one network cable. Given how trivial that is, any real attacker (as in a person or group expecting a hefty profit on the operation) would go that extra step. Security groups are more budget-constrained (they also proved that you don't need that level of sophistication for most targets).

It should also be rather simple to use an embedded computer that controls the printer and is powered by the printer's PSU (this would let you save copies of every printed, faxed, and copied document and send them to an off-site haven whenever it is deemed most convenient/safe. This sort of system wouldn't really be suspect even if opened up; of course it has a controller board. The fact that it's aftermarket can be explained by its lower cost (which department paid for it again? It just seemed to show up one day...).

This isn't limited to printers; you can do this with any network-enabled appliance, be it a printer, file server, firewall, wifi system, etc. Just phone the company and say you're an authorized reseller of the product and that you'd like to offer them a free 90-day evaluation and then never show up to reclaim it (or actually sell it to them for a ridiculously low price claiming that you need the sale to hit your quarterly quota). Most of these appliances are full-featured x86 servers anyway, and it's quite unlikely that somebody would notice your rootkit or stealth processes.

This also isn't limited to the device itself; once you're in the network, you can seize a few Windows systems and use them instead. This lets you take the device back at the end of the free trial. With a netbook or other embedded system (e.g. a smartphone with an ethernet adapter), you could do this while in the office on a tour or while pretending to deliver a package or use the bathroom (assuming you're not chaperoned).

Why extra wires? (1)

larppaxyz (1333319) | more than 3 years ago | (#34408496)

I personally would hide some sort of bridged network device inside printer or any other networked device. Device then logs all network data going to printer. Some of those Linksys devices with Linux would be good for this purpose. Logged data would be sended to 'secret' server using mobile data (Linksys boxes have USB connector?). What else... oh, we need to add some microswitch that fries my SIM card and hacked Linksys box if printer case is ever opened. That would be perfect!

So... (1)

San-LC (1104027) | more than 3 years ago | (#34408958)

you could say the companies need better....protection?

Old Hat... (5, Insightful)

Lumpy (12016) | more than 3 years ago | (#34409030)

Did that years ago.

HPLJ4 -- two power cables? what are they hiring amateurs?

Open printer, add PC-104 computer with ethernet and a linux on it along with a small switch. printer AND PC104 connect to the switch inside AND scab onto the power supply.

Printer + network scanner/document grabber completely hidden.

Today it's even easier... Shiva plug with a HP sticker on it and it will go unnoticed for months.

Re:Old Hat... (1)

iluvcapra (782887) | more than 3 years ago | (#34409650)

If a supplier offered me a LaserJet 4 in this day and age I probably would just test the roof with it.

Re:Old Hat... (1)

batquux (323697) | more than 3 years ago | (#34409698)

Or... just put custom firmware on the printer.

Re:Old Hat... (2)

nschubach (922175) | more than 3 years ago | (#34409900)

Shiva plug with a HP sticker on it and it will go unnoticed for months.

There's a ton of truth in that... I recently walked into an office and noticed an odd outlet sized box on the ceiling with no significant markings, some slots and two LEDs (one lit red.)

Nobody that I asked knew what it was, including building maintenance... and nobody bothered to look where the cable was going. It was joked that it was a spying device (owned by the company) to monitor workers.

(I think it was a sensor for the HVAC...)

Re:Old Hat... (2)

nuckfuts (690967) | more than 3 years ago | (#34410430)

Open printer, add PC-104 computer with ethernet and a linux on it along with a small switch. printer AND PC104 connect to the switch inside AND scab onto the power supply.

Printer + network scanner/document grabber completely hidden.

It's not even necessary to hide any physical equipment inside the printer. HP LaserJets can be hacked to steal documents, run port scans, host rogue FTP or HTTP servers, and more. FX from Phenoelit did some interesting work on this, but his website [phenoelit.de] is now censored due to legal issues. Some of his stuff can now be found here [phenoelit-us.org] .

What am I missing here... (1)

Notyourpapa (1943748) | more than 3 years ago | (#34409552)

"InfoWorld reports. Attackers dressed in IT supplier uniforms drop off printers to a company for a test-drive." Seriously...who is the facehat that let them in? I'd be far more concerned with that aspect (whether this is urban legend or not). It's called security controls and common sense...saves a lot of boolshit on the backend.

Re:What am I missing here... (1)

noidentity (188756) | more than 3 years ago | (#34409686)

It's called security controls and common sense...saves a lot of boolshit on the backend.

The true kind or the false kind?

Operation: espionage (1)

HTH NE1 (675604) | more than 3 years ago | (#34409682)

Man, back in the day you'd send in what looks like an ordinary audio cassette and, after recording a day's worth of audio to on-board memory, it would transform into a bird, shoot its way out, and return to the chest of Soundwave who'd play back what it heard for Megatron.

Was doing this years ago (1)

Anonymous Coward | more than 3 years ago | (#34409942)

I was doing this (white hat pen testing) over 5 years ago with APC UPSes, Run them with no battery, use the internal space for a rogue (non-broadcasting) WAP, network connects into a legit looking network port on the back. No one suspected them, and they worked like a charm. Took in more than one Fortune 100 company with this trick. Never revealed it to anyone until now - clients were just told that rogue wireless were interjected into their networks.

Re:Was doing this years ago (1)

Score Whore (32328) | more than 3 years ago | (#34410714)

What always impresses me is when third party pen testers are invited into our office, we are told they are coming and to cooperate with them, and then they tell us how easy it was for them to break into our systems. Well, of course, dumb ass we watched you do it. If we hadn't invited you -- escorted you -- in then you would have had a much harder time. When I step away from my computer to chat with the guy in the cubicle four feet away and I see you sit down but don't hassle your ass, it's not because you're invisible. It's because I am instructed to be helpful. If we didn't know who you were, we'd have grabbed you when we first saw you wandering the building. You didn't break in, we let you in so that you could do the job we've contracted you to do and investigate our internal controls. It's no great feat that you are able to put a device in the building, that's why you're here. If you didn't we'd be wondering why the fuck we were giving you money.

Re:Was doing this years ago (1)

networkzombie (921324) | more than 3 years ago | (#34410854)

No one noticed that their UPS was plugged into the network? I find that hard to believe. So you dealt with companies that have no network auditing, no auditing of UPS systems, and no one smart enough to notice that the UPS was plugged into a switch? Sounds like you should have just installed a WAP with a sticker on it saying DO NOT TOUCH and leave it at that.

I've been doing it the hard way... (1)

Angst Badger (8636) | more than 3 years ago | (#34410380)

Wow, I wish I'd thought of that sooner. Stuffing an Arduino with a battery pack and a wifi shield up my ass and asking to use the company john was really wearing on me.

Off the Shelf Trojans (1)

Doc Ruby (173196) | more than 3 years ago | (#34410662)

The trojan doesn't have to be so crudely delivered so late in the supply chain. The printer could have trojan SW installed in it, attacking a host PC (and then the rest of the network) over USB, or the network directly when connected over ethernet. The printer manufacturer, or many of its OEMs, could build them to attack anyone, or specific targets among the many installations they're sleeping in. Or a government could build them in, like if the US had succeeded in requiring a Clipper chip installed in all devices and had sourced the chips from a government-controlled manufacturer. Or similarly with either a Chinese competitor to DVD, or just Chinese manufactured chips of any kind that the Chinese government could force local manufacturers to include, possibly without knowing the trojan is inside. Or by any country, which can force manufacturers to include tech in their products and keep it secret.

In fact I'd be surprised to somehow learn that this manner of delivering trojans has never been done, and that all of everyone's machines are free of them.

You can get a mini pc with 2 network ports and put (1)

Joe The Dragon (967727) | more than 3 years ago | (#34410912)

You can get a mini pc with 2 network ports and put it on the printer that is in place and put a HP printer sicker on the box and make it look like its part on the printer.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>