WarFlying: UAVs and Wi-Fi Hacking

31 03 2012

by Michael Timko

Drone Proliferation and the DIYer

RC helicopters and planes have been a DIY hobby for years, but the area has gained considerable momentum lately with research at major universities into swarming quadcopters and small autonomous planes. [1][2] Unmanned Aerial Vehicles (UAVs) are no longer the sole purview of the military and are becoming very common.  As the number of drones in the US grows, and with recent FAA legislation opening up the National Airspace System (NAS), there will be continued growth in both the hobby and the private sector. [3] The potential for aerial hacking will only increase as parts become less expensive and easier to obtain.  Small UAVs have grown from a simple DIY hobby into an industry, with companies offering sophisticated devices that carry payloads and fly for relatively long periods.  While many will use these devices for recreation, or for aerial photography for realtors, others will no doubt use their on-board cameras to invade your privacy. [4] Public and civilian UAVs carrying cameras and violating the average citizen’s privacy is already the subject of active discussion, and a lengthy one in itself.  My concern goes one step further…WarFlying.

A Little Bit of History

Many are familiar with the term “war-driving”, derived from “war-dialing”, itself coined after the movie War Games. [5]  War-driving is the activity of driving around searching for Wi-Fi networks that are unsecured and open to attack.  Attackers do anything from simply using your Internet connection for their own benefit to stealing personal information.  The Internet is rife with how-to websites that give step-by-step instructions on accessing private networks and on where to obtain the parts. [6] War-driving originally targeted open or WEP-protected networks, but WPA/WPA2-protected networks are now attacked as well. [7]  No longer confined to the ground, this form of hacking has taken to the skies as war-flying.  At least as far back as 2002, in Australia, a hobbyist flying at an altitude of 1,500 feet was able to capture email and IRC traffic. [5] The networks involved were either open or WEP-secured, but the larger issue was the range at which signals could be picked up above the buildings, since at that height there were no obstacles in the way.

To the Forefront – the Good and the Bad

Recently, two men working on a hobby project of their own used a surplus military drone and readily obtainable parts to outfit their own aerial snooper.  Dubbed the WASP, for Wireless Aerial Surveillance Platform, this UAV can intercept cell phone calls by spoofing a cell tower. [8] The duo spent around $6,000 to outfit the UAV with interchangeable parts that allow for various types of spying.  They were also able to offload much of the intensive processing to ground-based PCs over a 3G Internet connection to speed up the hacking. [9] The WASP falls under regulations that require it to fly under 400 feet and within line of sight, but with the pending legislative changes this limit may change. [10]

One of the two is a security consultant to Wall Street and the intelligence community.  Their goal was more a proof of concept, but it is easy to see how a malicious DIYer could exploit the same approach.  The hobby area of RC aircraft has blossomed, as evidenced by the activity on just one website, RCGROUPS.COM, which has sections devoted to UAVs, to autonomous behavior, and to obtaining inexpensive parts.   While this is an area that could provide a public service in an emergency by relaying communications, it unfortunately also opens up a far more nefarious opportunity for those wanting to do wrong.

Not only are individuals at risk of having their personal information intercepted, but corporations are at risk of a new form of intellectual property theft.  Companies perform risk assessments to make sure they are protecting all of their assets, yet by flying overhead and intercepting cell phone calls or network traffic, an attacker can put the very heart of what makes the organization successful in jeopardy.  Securing the airspace over a facility rarely enters into risk assessment planning, but it is another area to consider.

It’s a Bird, It’s a Plane…Could be Both

No longer do we keep a lookout only for the suspicious vehicle driving around our neighborhood or place of work; now the skies are open season for hackers too.  What appears to be a small bird or a harmless RC helicopter could be the next intrusion into our electronic security. While we can do much to safeguard our networks, it is important to be aware of these threats and work to mitigate the vulnerabilities, starting with the open and WEP-protected networks that war-driving and war-flying first targeted.

________________

[1] “Flying Robot Swarms the Future of Search and Rescue (4:05)”, https://www.grasp.upenn.edu/

[2] “Robust Real-Time SFM for SMAV”, http://www.cs.cmu.edu/~msuav/research.html

[3] “U.S. House and Senate Pass FAA Bill, Setting Requirements for UAS to Fly in the National Airspace; The bill awaits President Obama’s signature”, http://www.auvsi.org/auvsi/news

[4] “Warning from the LAPD–do not use UAVs commercially!”, http://www.diydrones.com/profiles/blogs/warning-from-the-lapd-do-not-use-uavs-for-commercial-use

[5] “War flying: Wireless LAN sniffing goes airborne”, http://www.computerworld.com/s/article/73901/War_flying_Wireless_LAN_sniffing_goes_airborne

[6] “Become a War Driving Pro – Hack WEP and Wifi”, http://hacknmod.com/hack/become-a-war-driving-pro-hack-wep-and-wifi/

[7] “Cracking WPA in 10 Hours or Less”, http://www.devttys0.com/2011/12/cracking-wpa-in-10-hours-or-less/

[8] “DIY Spy Drone Sniffs Wi-Fi, Intercepts Phone Calls”, http://www.wired.com/threatlevel/2011/08/blackhat-drone/

[9] “War-flying with a Wi-Fi-sniffing drone”, http://blogs.computerworld.com/16767/war_flying_with_a_wi_fi_sniffing_drone

[10] “5 things you need to know about Drones”, http://www.pbs.org/wnet/need-to-know/five-things/drones/12659/





Information Security in Application Development Projects

7 03 2012

At my organization, Information Security has historically been disregarded.  For a company with 15,000 employees in a highly regulated industry, this is hard to imagine.  Fortunately, executive management now appears to see the importance of this function as they have finally hired a Manager of Information Security.  Since this new manager came onboard roughly two years ago, many significant positive changes have taken place and the organization is definitely more secure than in the past.  However, it takes time to become highly efficient and successful in this area, as technology is constantly evolving and it is necessary to stay one step ahead of the game.  To this end, I believe that the lack of security in application development and project management processes is still a major weakness in my organization and a considerable amount of effort will be needed in order to reduce the likelihood of security issues in this critical area.

Apparently, I’m not the only one that is worried about information security being minimized when planning application development projects.  It appears to be a weakness that many organizations struggle with.  Robert J. Ellison of the Software Engineering Institute at Carnegie Mellon University states, “An organization can either incorporate security guidance into its general project management processes or react to security failures. It is increasingly difficult to respond to new threats by simply adding new security controls. Security control is no longer centralized at the perimeter. Meeting security requirements now depends on the coordinated actions of multiple security devices, applications and supporting infrastructure, end users, and system operations. Reengineering a system to incorporate security is a time consuming and expensive alternative. [1]”  I agree with Ellison in that it is by far cheaper and easier to build quality into the product upfront than to fix it once it has been developed.

Why does security get overlooked so often when running an application development project?  While I’m sure that there are many reasons, Ellison seemed to hit the nail on the head when he said, “Software errors can be introduced by disconnects and miscommunications during the planning, development, testing, and maintenance of the components. Although an application development team may be expert in the required business functionality, that team usually has limited or no applicable security expertise. [1]”  Brian Koerner, a chief security engineer for a Fortune 500 computer services firm, seems to have a similar opinion.  He states that, “If an organization is serious about developing secure applications, it is essential for it to bring in the security professional early in the development process. The security professional should understand the purpose of the application and how it will be used, as well as have an understanding of the business and security requirements that apply to the solution. [2]”

John Steer, a Senior Security Consultant with Microsoft ACE Services, summarizes the importance of information security in application development projects by saying that, “Too much software is developed without security as a feature.  It is interesting how many companies rely on the sale of software intellectual property as a source of revenue yet do little to protect that property. Working in application security, I often notice how many companies have elaborate security policies for protecting physical and information infrastructure, but who never extend that effort to the application development process.  Many companies overlook the use of security policies when protecting their software application layer and related intellectual property. When an application is developed without regard to security, that application can become a threat to the environment in which it is deployed. Obviously, this process puts both the development organization and the end user organization in a security deficit.  To make security part of the application architecture, designers need to understand the requirements of the security policy so that they can properly build these things in as feature requirements. [3]”

In summary, I believe many organizations are struggling with similar security concerns in the project management and application development space.  It is unfortunate that this is the case, but a lack of internal expertise and the inability to find suitable professional resources for these roles have compounded the problem.  Regardless of these challenges, it is imperative that my organization begins to work towards integrating security into the lifecycle of an application development project.

___________________

[1]  https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/project/38-BSI.html

[2]  http://www.certmag.com/read.php?in=3401

[3]  http://technet.microsoft.com/en-us/library/cc512576.aspx





Antivirus and its Discontents

4 03 2012

By Nchimunya Munjita

Sitting in on one of the computer security classes, I paid particular attention to the instructor’s explanation of the different types of malicious code. He listed and explained the different types of malicious code such as bacteria, logic bomb, trapdoor, Trojan horse, virus, worm, zombie, bot networks, and spyware. The instructor explained what characterizes different malicious code and mentioned the role of anti-virus (AV) programs as a countermeasure. I was taken aback when he mentioned that although anti-virus does a good job at protecting our computers, it nevertheless suffers from some basic limitations which have given rise to the following criticisms: (1) it consumes an inordinate amount of computer resources, which slows down computer performance, and (2) it always misses some viruses. All along, I had not paid much attention to the second discontent; I had followed along with the popular misconception that antivirus is a panacea for all malware.

As you may know, malicious software, or malware, which generally refers to “unanticipated or undesired effects in programs or program parts, caused by an agent intent on damage” [1], is one of the biggest security challenges facing the computer industry. One common type of malware is the virus, a program that replicates itself and passes its malicious code from one computer to another across network connections, usually with some human intervention. Virus code can also be activated without human intervention, for example when execution has been set to trigger on a particular date or time. Viruses use popular means of communication to propagate from one system to another: infected files (documents, pictures, music, videos) from websites, peer-to-peer connections, email and instant messages. Often the presence of a virus on a computer is difficult to notice, and the virus may not be easily removed or deactivated.

In the current issue of its Internet Security Threat Report [2], Symantec Corporation revealed that it encountered more than 286 million unique variants of malware in 2010. AV-Test [3] estimates that in 2010 malware production continued at a record-setting rate of over 50,000 unique samples per day, and the true number could be higher, because the reported figure excludes variants that may have mutated into multiple strains. Researchers differ on the exact growth figures, but most agree that the problem is on the upswing. The malware writer is no longer driven only by power and ego but also by profit, and shows no sign of letting up. On the other side, the anti-malware industry is working hard to keep pace with pervasive, stealthy malware produced by innovative writers.

It is becoming increasingly hard to prevent, detect and remove modern malware with traditional signature-based scanners. (A virus signature is a telltale pattern that uniquely identifies a virus or a group of viruses with similar characteristics.) A scanner can detect viruses heuristically or generically, based on known patterns of data, but this technique is less effective against completely new viruses. As more viruses are discovered by the industry, new signatures are made available for download and added to the scanner’s signature library. You would expect the number of signatures to closely match the number of unique malware strains, but that is not the case: on average a scanner carries signatures in excess of 3,000,000 [3], far fewer than the number of samples seen. As the signature library grows, the scanner becomes less efficient at matching against it, so the antivirus company makes a tradeoff between the performance of the program and effective coverage of viruses. Consequently, the signature library is populated mainly with signatures for the most recent and prevalent malware. Think about it: what would prevent a motivated adversary, equipped with this knowledge, from comparing the latest signature update against a comprehensive list of all known malware and then reusing whatever is no longer detected?
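The two signature styles and the two ways a sample slips past them, as an added example written for this page (it is not code from the original post or from any antivirus vendor). The sample “payload”, the signatures, the family name and the decoder stub are all constructed for the example; none of it is real malware. It shows a hash signature that misses a file with one byte changed, a byte-pattern signature that still catches it, a single-byte XOR variant that evades both, and the emulation step the post describes catching the variant again by undoing the encoding before matching.

```python
"""Minimal signature scanner illustrating the limitations discussed above.

Added example written for this page; not code from the original post or
from any antivirus vendor. The sample, the signatures and the family name
are constructed for the example and are not real malware.
"""
import hashlib


# Constructed stand-in for a known malicious file: a marker string the way a
# real sample would carry distinctive code bytes.
KNOWN_SAMPLE = b"\x90\x90" + b"SAMPLE-PAYLOAD: drop files; phone home" + b"\xcc"

# Two signature styles real scanners combine: a whole-file hash (exact match
# only) and a byte pattern (matches any file containing those bytes).
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Example.Trojan.A"}
PATTERN_SIGNATURES = {b"SAMPLE-PAYLOAD": "Example.Trojan.A"}


def scan(data, hash_sigs=HASH_SIGNATURES, pattern_sigs=PATTERN_SIGNATURES):
    """Return the family name of the first matching signature, else None.

    Every pattern is tried in turn, which is why scan time grows with the
    size of the signature library unless the engine indexes patterns.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in hash_sigs:
        return hash_sigs[digest]
    for pattern, family in pattern_sigs.items():
        if pattern in data:
            return family
    return None


def xor_encode(data, key):
    """Single-byte XOR, the simplest encoding a polymorphic packer applies."""
    return bytes(b ^ key for b in data)


STUB_PREFIX = b"STUB(xor "   # constructed marker standing in for a decoder stub


def make_variant(sample, key=0x41):
    """Build a 'polymorphic' variant: the same payload, XOR-encoded with a
    one-byte key and prefixed with a constructed decoder stub that records
    the key. The stub is a text marker, not executable code."""
    return STUB_PREFIX + b"%02x)" % key + xor_encode(sample, key)


def emulate_and_scan(data, hash_sigs=HASH_SIGNATURES, pattern_sigs=PATTERN_SIGNATURES):
    """What the post calls emulation: recognise the decoder stub, undo the
    encoding as the stub would at run time, then scan the decoded bytes."""
    if data.startswith(STUB_PREFIX):
        key_at = len(STUB_PREFIX)
        key = int(data[key_at:key_at + 2], 16)
        header_len = key_at + 3                  # two hex digits and ')'
        return scan(xor_encode(data[header_len:], key), hash_sigs, pattern_sigs)
    return scan(data, hash_sigs, pattern_sigs)


if __name__ == "__main__":
    variant = make_variant(KNOWN_SAMPLE)
    print("known sample, plain scan:     ", scan(KNOWN_SAMPLE))
    print("one byte appended, plain scan:", scan(KNOWN_SAMPLE + b"\x00"))
    print("xor variant, plain scan:      ", scan(variant))
    print("xor variant, emulated scan:   ", emulate_and_scan(variant))
```

The emulation step is where the cost the post complains about comes from: the scanner has to recognise the stub and execute or simulate the decoding for every candidate file before it can even start matching, and a real packer does far more than a one-byte XOR.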

Signature-based scanners suffer from yet another drawback: the potential to slow down the computers on which they run by consuming much of the PC’s memory and resources. The large signature file is not the only cause; [4] identifies other reasons: (1) virus scanners include an emulation function, needed to safely analyze obfuscated polymorphic malware by unpacking and running the malicious executable inside a virtual environment, and this process is often slow and expensive; (2) large scanning latencies can arise when scanners perform deep file operations on certain file systems such as Microsoft’s New Technology File System (NTFS); and (3) some security products scan an amount of data proportional to the number and size of the files scanned, so the progressive “changes in file size, file type, and storage capacity in modern operating systems” make such scans slower.

In a nutshell, we have looked at the extent of the malware problem and examined some limitations of the anti-malware countermeasure. Given the complexity of malware-based threats, a number of AV vendors are developing new approaches. Rather than focusing solely on signatures, some vendors are developing behavior-based technologies that monitor program behavior in real time for malicious actions. Gartner [5] analyzes the emerging technologies, which include default-deny application control (whitelisting), browser or web protection modules, advanced forensic analysis of targeted threats, and cloud- or network-based delivery. Most of the vendors pioneering these technologies are emerging vendors, and how effectively these alternative technologies curb malware remains to be seen. Meanwhile, in the cat-and-mouse game between malware and anti-malware programmers, the former seem to be a step ahead of their arch-nemesis.

______________

[1] Pfleeger, C. P., and Pfleeger, S. L. (2006). “Security in Computing,” Fourth Edition, Prentice-Hall.

[2] “Symantec Internet Security Threat Report Trends for 2010,” Volume 16, Published April 2011.  https://www4.symantec.com/mktginfo/downloads/21182883_GA_REPORT_ISTR_Main-Report_04-11_HI-RES.pdf

[3] Morgenstern, M., and Pilz, H. (2010). “Useful and useless statistics about viruses and anti-virus programs.” AV-Test GmbH, Magdeburg, Germany. Presented at CARO 2010 Helsinki. http://www.av-test.org/fileadmin/pdf/publications/caro_2010_avtest_paper_useful_and_useless_statistics_about_viruses_and_anti-virus_programs.pdf

[4] Yan, W., and Ansari, N. (2009). “Why Anti-virus Products Slow Down Your Machine?” Computer Communications and Networks, 2009. Proceedings of 18th International Conference on Computer Communications and Networks (ICCCN 2009).

[5] McMillan, R., and Firstbrook, P. (2010). “Emerging Vendors in Malware Control, 2010.” Gartner, Inc.





Tokenization – a panacea for credit card number security?

3 03 2012

by Pragati Mathur

The concept of tokenization has been around for a few years, but adoption in the security realm has been slow. Lately, though, with major security incidents such as the breach of Sony’s PlayStation Network, the concept has gained prominence, and a number of new vendors have entered the market with offerings in this space. The Payment Card Industry (PCI) Security Standards Council has also finally published guidelines on how to implement tokenization.

In August 2011 the Council published the PCI DSS Tokenization Guidelines Information Supplement, which outlines how to remain PCI compliant while using a tokenization system in a cardholder data environment (CDE).

What is Tokenization?

Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a token [1]. Instead of storing sensitive cardholder data (CD), we store tokens. A token is typically a random value with no mathematical relationship to the PAN, so it is not itself sensitive and cannot be reversed into the PAN without access to the tokenization system.

Rather than relying on encryption alone to secure card data, replacing the PAN with a token removes the card number from the merchant’s systems altogether, so a breach of those systems yields tokens rather than usable card numbers. Merchants who accept credit cards no longer need to store PANs in their CDE or processing systems; they store tokens instead and use the tokens to complete transactions with their payment processing service provider.

Implementing tokenization can reduce the merchant’s PCI DSS obligations, but the Council is clear about the limits. The key principles are [1]:

  • Tokenization solution does not eliminate the need to maintain and validate PCI DSS compliance.
  • Regular verification of the effectiveness of a tokenization implementation is necessary.
  • Tokenization systems and processes must be protected with strong security controls and monitoring.
  • A thorough evaluation and risk analysis should be done before implementing a tokenization solution, to identify and document the unique characteristics of the particular implementation, including all interactions with payment card data and the specific tokenization systems and processes.

How does tokenization work?

There are several ways of implementing tokenization. The PCI DSS Tokenization Guidelines Information Supplement describes the tokenization and de-tokenization processes as follows:

Tokenization Process (Source: PCI DSS Tokenization Guidelines Information Supplement)

  1. A requesting application passes a PAN along with authentication information to the tokenization system.
  2. The tokenization system verifies the authentication information. If verification succeeds, it proceeds to the next step; otherwise the tokenization process stops and the attempt is logged.
  3. The tokenization system generates a token associated with the PAN, and both the token and the PAN are recorded in the card data vault.
  4. The generated token is returned to the requesting application.

De-tokenization is essentially the reverse process.

De-Tokenization Process (Source: PCI DSS Tokenization Guidelines Information Supplement)

  1. The requesting application passes a token and authentication information to the tokenization system.
  2. The tokenization system verifies the authentication information. If verification succeeds, it proceeds to the next step; otherwise the de-tokenization process fails and the attempt is logged.
  3. The tokenization system queries the card data vault for the record associated with the token and retrieves the PAN.
  4. The PAN retrieved from the card data vault is returned to the requesting application.

The card data vault is subject to strict PCI DSS requirements; the PANs it holds are stored encrypted. Some implementations split the PAN across multiple tokens held in distributed vaults, so that no single vault contains a complete card number.

Merchant Realm

Once tokenization is implemented by a merchant, the process for the merchant will be:

  • Merchant accepts credit and debit cards in the usual manner.
  • Cardholder data is securely transmitted to a PCI DSS compliant storage facility.
  • A token is created by the storage facility and returned to the merchant.
  • The token is stored at the merchant in place of the cardholder data.
  • Future payment transactions for the same customer are transmitted by the merchant using the token in place of cardholder data.
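The tokenization and de-tokenization steps above, together with the merchant-side flow, as an added example written for this page (it is not the PCI Council’s or any vendor’s implementation). Its assumptions: each calling application holds a pre-shared secret and a set of rights (“tokenize” and/or “detokenize”); tokens are random digit strings that keep the last four digits of the PAN for receipts and are forced to fail the Luhn check so a token can never be mistaken for a card number; and the vault’s at-rest encryption is a stand-in built from HMAC-SHA256 so the example needs only the standard library. A real vault would use a vetted authenticated cipher such as AES-GCM with keys held in an HSM.

```python
"""Toy tokenization service: authenticate, generate, record, return (and the
reverse), plus the merchant-side flow.

Added example written for this page, not the PCI Council's or any vendor's
code. The at-rest encryption in CardDataVault is an illustrative stand-in
(HMAC-SHA256 keystream plus a MAC), not a production cipher.
"""
import hashlib
import hmac
import os
import secrets


def luhn_ok(number):
    """Standard Luhn check-digit validation used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class CardDataVault:
    """Stores token -> encrypted PAN (stand-in encryption, see module docstring)."""

    def __init__(self, master_key):
        self._key = master_key
        self._rows = {}   # token -> (nonce, ciphertext, tag)

    def _keystream(self, nonce, length):
        return hmac.new(self._key, b"enc" + nonce, hashlib.sha256).digest()[:length]

    def _tag(self, nonce, ciphertext):
        return hmac.new(self._key, b"mac" + nonce + ciphertext, hashlib.sha256).digest()

    def __contains__(self, token):
        return token in self._rows

    def put(self, token, pan):
        pan_bytes = pan.encode()
        assert len(pan_bytes) <= 32           # one SHA-256 output covers any PAN
        nonce = os.urandom(16)
        ks = self._keystream(nonce, len(pan_bytes))
        ciphertext = bytes(a ^ b for a, b in zip(pan_bytes, ks))
        self._rows[token] = (nonce, ciphertext, self._tag(nonce, ciphertext))

    def get(self, token):
        nonce, ciphertext, tag = self._rows[token]
        if not hmac.compare_digest(tag, self._tag(nonce, ciphertext)):
            raise ValueError("vault record failed integrity check")
        ks = self._keystream(nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks)).decode()


class TokenizationService:
    def __init__(self, vault, applications):
        """applications: app_id -> (shared secret bytes, set of rights)."""
        self._vault = vault
        self._apps = applications
        self.audit_log = []

    def _authenticate(self, app_id, secret, right):
        entry = self._apps.get(app_id)
        ok = (entry is not None
              and hmac.compare_digest(entry[0], secret)
              and right in entry[1])
        if not ok:   # step 2: stop and log the failure (never log a PAN)
            self.audit_log.append(f"DENY {right} app={app_id}")
        return ok

    def _new_token(self, pan):
        """Random digits, last four preserved, never Luhn-valid, never reused."""
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._vault:
                return token

    def tokenize(self, app_id, secret, pan):
        if not self._authenticate(app_id, secret, "tokenize"):
            raise PermissionError("tokenize denied")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("input is not a well-formed PAN")
        token = self._new_token(pan)
        self._vault.put(token, pan)                      # step 3
        self.audit_log.append(f"TOKENIZE app={app_id} token=...{token[-4:]}")
        return token                                     # step 4

    def detokenize(self, app_id, secret, token):
        if not self._authenticate(app_id, secret, "detokenize"):
            raise PermissionError("detokenize denied")
        if token not in self._vault:
            self.audit_log.append(f"UNKNOWN-TOKEN app={app_id}")
            raise KeyError("unknown token")
        self.audit_log.append(f"DETOKENIZE app={app_id} token=...{token[-4:]}")
        return self._vault.get(token)


# Merchant realm: the point of sale holds only a tokenize right, so a breach
# of merchant systems yields tokens it cannot reverse; only the processor can.
def merchant_checkout(service, pan):
    return service.tokenize("merchant-pos", b"pos-secret", pan)


def processor_charge(service, token, amount_cents):
    pan = service.detokenize("processor", b"processor-secret", token)
    return {"masked_pan": "*" * (len(pan) - 4) + pan[-4:], "amount_cents": amount_cents}


def build_demo_service():
    apps = {"merchant-pos": (b"pos-secret", {"tokenize"}),
            "processor": (b"processor-secret", {"tokenize", "detokenize"})}
    return TokenizationService(CardDataVault(os.urandom(32)), apps)


if __name__ == "__main__":
    svc = build_demo_service()
    token = merchant_checkout(svc, "4111111111111111")   # well-known test PAN
    print("merchant stores:", token)
    print("processor charges:", processor_charge(svc, token, 1999))
    print(*svc.audit_log, sep="\n")
```

Note the split of rights: the merchant application can obtain tokens but can never call detokenize, which is what keeps its systems out of scope. The moment a merchant system is granted the detokenize right it is handling PANs again and the full PCI DSS requirements apply to it.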

Tokenization simplifies merchant systems

The PCI DSS Tokenization Guidelines recommend that tokenization be used in partnership with PCI DSS, not viewed as a replacement or alternative. While tokenization reduces PCI scope, PCI security requirements still apply, as the Council outlines, and if the merchant accesses the PAN after tokenization, for any reason, the full PCI DSS requirements apply.

Since PANs are no longer stored in merchant systems, the systems that handle only tokens can be taken out of PCI DSS scope, and the strict processes and procedures that applied to them can be relaxed. This reduces system configuration, network restrictions and overhead, so implementing tokenization simplifies merchant systems and makes PCI compliance much easier to achieve.

Current Technologies and Products

Tokenization vendors are few as of now. Protegrity, Wirecard AG, Shift4’s 4Go SafeSwipe, EPX’s BuyerWall and Merchant Link’s TransactionVault are the major products, and several payment processing services offer tokenization as a software-as-a-service offering as well.

Why tokenization is not widely adopted

According to Randy Carr, Vice President of Shift4 [2], tokenization will reduce the need for firewalls, intrusion detection systems and encryption, which has drawn resistance from parts of the industry. Moreover, credit card companies generate revenue from the security fees they charge merchants; securing card information through tokenization would put that revenue in jeopardy.

Conclusion

Tokenization reduces the scope of a merchant’s cardholder data environment (CDE) by offloading storage of the card number to a payment processing facility. This in turn relaxes PCI DSS restrictions on the merchant’s systems, simplifies them, and makes PCI compliance easier to achieve, which also helps new businesses accept and process credit cards. Tokenization also concentrates the card numbers in the payment facility’s vault, reducing the number of places from which they can leak.

If implemented correctly, tokenization can come close to a panacea for the business. But before adopting the technology, a business should do a thorough evaluation and risk analysis.

______________

[1] Information Supplement: PCI DSS Tokenization Guidelines – Scoping SIG, Tokenization Taskforce, PCI Security Standards Council (http://pcisecuritystandards.org)
[2] ‘Tokenization’ touted to increase credit card data security – Jay MacDonald (http://www.creditcards.com/credit-card-news/tokenization-to-fight-credit-card-id-theft-1282.php#ixzz1nXdDDclV)





MDM and Mobile Security

2 03 2012
by Israel Bryski

BYOD is an oft-repeated phrase, a close second to cloud computing and the consumerization of IT. Over the past 12-18 months there has been a rush by executives and staff to bring their own devices into the corporate enterprise. They want to connect their Android and iOS devices and get rid of the aging BlackBerry. When the CEO receives a new iPad for Hanukkah or Christmas, they are likely to approach their CIO and ask for corporate email, contacts and calendar on the personal device. Another driving factor for BYOD is cost savings. In a January 2012 article in the Financial Times [1], Paul Taylor states, “…these so-called buy (or bring) your own device projects can result in significant savings, improved flexibility and greater employee satisfaction.” The problem is that IT does not have enough time to plan or create a strategy for allowing personally owned devices on the network.

Mobile Device Management (MDM) providers offer products and services that allow corporate IT to manage the influx of personal devices. MDM products may include remote wipe, remote lock and mobile application management. Managing your mobile devices does not equate to securing them. While some MDM products include security features, they typically focus on making it easier for IT to manage different mobile platforms. The same holds true for the built-in tools of the iOS and Android platforms, which offer a basic level of device management: setting password length and complexity, remote wiping through ActiveSync, and preventing browsing to blocked categories. This is not a mobile security solution.

In a post on the MaaS360 Blog [2], Clint Adams explains that the advantage of MDM is largely configuration management; when it comes to policy management, OS upgrades and compliance reporting, MDM vendors still have work to do. I believe that as more enterprises allow employees to bring their own devices, the MDM market segment will mature further, and with that maturity more robust security features, allowing companies to prevent data leakage from personal devices, will be integrated into MDM products.

While there are many vendors in the MDM space, very few offer solutions with security in mind. A few vendors have products that can be labeled “disruptive innovation.” Two examples are Mobile Active Defense and AirPatrol, which are taking their technologies on a road show to the RSA Conference [3]. By integrating their products they offer a solution that enforces security policy based on the device’s location.

When implementing a BYOD strategy, a company needs time to prepare. Key stakeholders from IT, Security, Legal and Compliance should be brought in during the early planning stages. Once a strategy is agreed upon, the work of finding the right MDM product begins. Are you looking for simple device management, or are you in a regulated industry that needs security controls and features? Which security features do you need? In a Gartner research note [4] released in July 2011, Monica Basso and Phillip Redman review a selection of enterprise MDM providers. After defining your needs and settling on a strategy, review Gartner or another technology research company before committing to a particular product.

________________________

[1] “Bring-your-own-device Projects Cut Costs,” Financial Times, Paul Taylor, January 4th, 2012: http://www.ft.com/intl/cms/s/0/fd92894c-3658-11e1-a3fa-00144feabdc0.html#axzz1mxdTl1sC (Account Required)

[2] “The Intersection of Mobile Device Management and Security on Smartphones,” MaaS360 Blog, Clint Adams, December 1, 2012: http://blog.maas360.com/archives/endpointmanagement/the-intersection-of-mobile-device-management-and-security-on-smartphones/

[3] “MDM Is Not Security: ‘Disruption’ at the Mobile Security Pavilion and Theater – RSA 2012,” PR Newswire, February 14, 2012: http://www.prnewswire.com/news-releases/mdm-is-not-security-disruption-at-the-mobile-security-pavilion-and-theater—rsa-2012-139279773.html

[4] “Critical Capabilities for Mobile Device Management,” Gartner, Monica Basso and Phillip Redman, July 29, 2011: http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg





Multi Function Printers – A Security Risk

1 03 2012

Today’s marketplace is flooded with solutions geared to securing servers, desktops, laptops and other portable devices. The limited availability of printer security solutions, however, suggests that customers are either unaware of or underestimate the risk associated with these devices.

Despite the advances in printer technology and the advent of Multi Function Printers (MFPs), the general perception seems to be that the printer is a dumb device. Contrary to popular belief, printers are smart machines that run Windows- or Linux-based operating system kernels [1] capable of running network services. They are equipped with internal hard drives [2] and store a digital copy [3] of the jobs they execute. In some circumstances MFPs act as special-purpose servers.

The flow and storage of sensitive corporate data through an MFP makes it an object of interest for potential attackers. My blog is an attempt to highlight how corporate data can inadvertently be compromised through MFPs.

Following are some of the ways in which corporate data is exposed through MFPs:

a.  Hard drive (HD): With physical access to the HD, an attacker can read and potentially exploit its contents. Manufacturers are starting to either encrypt the data or wipe it after use, but these protections are not universal, are often optional, and data left on unprotected drives can be recovered with off-the-shelf forensic software. I learned that last year CBS, together with the Sacramento-based company Digital Copier Security [4], demonstrated exactly this to its viewers. Following are examples [5] of the sensitive data they were able to extract from used MFPs offered for sale:

  • from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid.
  • from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders.
  • from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks.
  • from Affinity Health Plan, a New York insurance company, we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

b.  Spyware: If the attacker is able to gain physical access to the MFP, then he may be able to bug the equipment by either modifying the firmware or installing a sniffer[6] device. This way the attacker is able to tap the data flowing through the MFP. If done correctly, such a breach is difficult to detect. Once access is gained, the attacker has to be careful not to trigger alarms by downloading large amounts of data. For example, a news piece recently came to light detailing a security breach at Nortel[7]. In this instance, the data theft continued for 10 years without being noticed. The hacker was careful not to alert the system by downloading excessive amounts of data. In one instance he even discontinued his activity for a few months, causing the trail to go cold for the authorities chasing him.
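The Nortel case makes a point about detection rather than prevention: an alarm keyed to data volume never fires against a tap that moves a few kilobytes a night. The following is an added example, not code from the original post, showing the defensive counterpart: an MFP has a short, fixed list of hosts it ever needs to talk to, so egress can be judged by destination rather than by volume. The printer address, allow list, threshold and flow records are all constructed (203.0.113.0/24 is a documentation range), and the log format is an assumption.

```python
"""Egress monitoring for an MFP: flag the kind of low-volume, long-running
exfiltration that a daily byte threshold alone never trips. This is an added
example, not code from the original post; the policy values and the flow
records below are constructed (203.0.113.0/24 is a documentation range)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy: the only hosts an MFP has a reason to initiate
# connections to (print/file server, mail relay for scan-to-email, DNS).
MFP_ADDRESS = "10.20.5.40"
ALLOWED_DESTINATIONS = {"10.20.1.10", "10.20.1.25", "10.20.1.53"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
DAILY_BYTE_THRESHOLD = 50_000_000      # a typical volume alarm: 50 MB per day

# Constructed flow log, one flow per line: "timestamp src dst dst_port bytes".
SAMPLE_FLOWS = """\
2012-03-01T09:02:11 10.20.5.40 10.20.1.10 445 184320
2012-03-01T09:15:40 10.20.5.40 10.20.1.25 25 22000
2012-03-01T23:10:02 10.20.5.40 203.0.113.77 443 3100
2012-03-02T09:07:31 10.20.5.40 10.20.1.10 445 96000
2012-03-02T23:11:45 10.20.5.40 203.0.113.77 443 2950
2012-03-03T23:09:58 10.20.5.40 203.0.113.77 443 3300
2012-03-04T23:12:13 10.20.5.40 203.0.113.77 443 3050
"""


def parse_flows(text):
    """Turn the text log into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def volume_alerts(flows):
    """The naive rule: alert only on days whose total egress exceeds the threshold."""
    per_day = defaultdict(int)
    for f in flows:
        if f["src"] == MFP_ADDRESS:
            per_day[f["ts"].date()] += f["bytes"]
    return sorted(day for day, total in per_day.items() if total > DAILY_BYTE_THRESHOLD)


def destination_alerts(flows):
    """Volume-independent rule: an MFP has no business initiating connections to
    anything outside its allow list, so a single 3 KB flow is enough to alert."""
    alerts = []
    for f in flows:
        if f["src"] != MFP_ADDRESS or f["dst"] in ALLOWED_DESTINATIONS:
            continue
        alerts.append({"dst": f["dst"], "port": f["port"], "ts": f["ts"].isoformat(),
                       "bytes": f["bytes"], "external": not is_internal(f["dst"])})
    return alerts


def beacon_summary(flows, min_days=3):
    """Group the non-allow-listed destinations and mark those contacted on several
    distinct days with small byte counts: the beaconing pattern of a low-and-slow tap."""
    by_dst = defaultdict(list)
    for a in destination_alerts(flows):
        by_dst[a["dst"]].append(a)
    summary = {}
    for dst, items in by_dst.items():
        days = {datetime.fromisoformat(i["ts"]).date() for i in items}
        summary[dst] = {"sessions": len(items), "days": len(days),
                        "total_bytes": sum(i["bytes"] for i in items),
                        "external": items[0]["external"],
                        "beaconing": len(days) >= min_days}
    return summary


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("days over the volume threshold:", volume_alerts(flows))   # none
    for dst, s in beacon_summary(flows).items():
        print(dst, s)
```

On the constructed log the volume rule reports nothing, while the destination rule flags the external host on its first 3 KB connection and the summary shows the nightly pattern across four days. The same allow list is also the basis for the preventive control: an egress filter on the printer VLAN that permits only those destinations.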

c.  Laptop:  If an attacker is able to access the printer, then he can intercept print jobs and launch attacks on other devices which are configured to trust the compromised printer.

d.  Web-based administration: Vendors advertise that users can remotely administer printers using a web browser. Enabling remote administration involves implementing a scaled-down version of a popular embedded web server (EWS). Long lead times result in products being released to market with known vulnerabilities. This results in data security issues that remain unaddressed because users may be unaware of them.

e.  Telnet[8]: Some MFP devices do not set a password for telnet access when the administrator password is chosen. “As a result, the telnet port will be left exposed to unrestricted remote access. Remote users with malicious intent will be able to access the device to cause a denial of service, or potentially monitor printer activity to gather information that may be used to compromise systems. Additionally, this problem is compounded by the fact that the admin password is reset when the device is rebooted.”[9]

f.  Printer Job Language (PJL): PJL is an extension of Printer Command Language (PCL) and has the ability to control printer configuration and the file system. It supports a simple password implementation which “can be broken in less than 6 hours by brute force”[10]. The power of PJL is well demonstrated in the article “Hacking” Printers – PJL Basics[11], where an attacker could easily modify printer configuration including the IP address, browse files on the hard drive, extract the admin password, etc.
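Because PJL travels on the same raw print port (TCP 9100) as ordinary jobs, the defender's handle on it is inspection: a normal job consists of JOB, SET, ENTER and EOJ lines around the page data, whereas file-system and persistent-configuration commands have no reason to appear in a job from a workstation. The following is an added example, not code from the original post or from the cited article; it parses a constructed 9100 capture and classifies the PJL commands it finds. The command names are the ones documented in HP's PJL Technical Reference; the three risk classes and the sample stream are this example's own.

```python
"""Classify the PJL commands in a captured raw-port (TCP 9100) print stream so
that file-system and configuration commands reaching an MFP can be alerted on.
Added example, not code from the original post or the cited article; the
capture is constructed. Command names are those documented in HP's PJL
Technical Reference; the risk classes are this example's own."""
import re

UEL = b"\x1b%-12345X"     # Universal Exit Language: begins and ends a PJL section
PJL_LINE = re.compile(rb"@PJL[ \t]+([A-Z]+)(?:[ \t]+([^\r\n]*))?\r?\n")

# Commands ordinary print jobs and bidirectional drivers send.
EXPECTED = {"JOB", "EOJ", "ENTER", "COMMENT", "SET", "INFO", "ECHO",
            "USTATUS", "USTATUSOFF", "INQUIRE", "DINQUIRE"}
# Commands that change device state beyond the current job.
CONFIG_CHANGE = {"DEFAULT", "INITIALIZE", "RESET", "RDYMSG", "STMSG", "OPMSG"}
# Commands that read or write the printer's mass storage.
FILESYSTEM = {"FSAPPEND", "FSDELETE", "FSDIRLIST", "FSDOWNLOAD", "FSINIT",
              "FSMKDIR", "FSQUERY", "FSUPLOAD"}


def extract_pjl_commands(stream):
    """Return (command, argument) pairs from every PJL section of the stream."""
    commands = []
    for section in stream.split(UEL):
        if not section.lstrip().startswith(b"@PJL"):
            continue                       # PCL/PostScript payload, not PJL
        for m in PJL_LINE.finditer(section):
            cmd = m.group(1).decode()
            arg = (m.group(2) or b"").decode(errors="replace").strip()
            commands.append((cmd, arg))
    return commands


def classify(commands):
    """Map each unexpected command to a finding with a severity and a reason."""
    findings = []
    for cmd, arg in commands:
        if cmd in FILESYSTEM:
            severity, reason = "high", "file-system access over the print port"
        elif cmd in CONFIG_CHANGE:
            severity, reason = "medium", "device state changed outside the job"
        elif cmd in EXPECTED:
            continue
        else:
            severity, reason = "low", "PJL command not seen in ordinary print jobs"
        findings.append({"command": cmd, "argument": arg,
                         "severity": severity, "reason": reason})
    return findings


# Constructed capture: a normal job, then a second session that lists the
# printer's file system and changes a persistent default.
SAMPLE_STREAM = (
    UEL + b"@PJL JOB NAME=\"quarterly.pdf\"\r\n"
    + b"@PJL SET COPIES=1\r\n"
    + b"@PJL ENTER LANGUAGE=PCL\r\n"
    + b"\x1bE...pcl page data...\x1bE"
    + UEL + b"@PJL EOJ\r\n" + UEL
    + UEL + b"@PJL FSDIRLIST NAME=\"0:\\\" ENTRY=1 COUNT=50\r\n"
    + b"@PJL DEFAULT LPARM:PCL SYMSET=ROMAN8\r\n" + UEL
)

if __name__ == "__main__":
    for finding in classify(extract_pjl_commands(SAMPLE_STREAM)):
        print(finding)
```

Run over the sample, the first session produces no findings and the second yields a high-severity FSDIRLIST and a medium-severity DEFAULT. In practice the classifier sits on a print server or a network tap in front of the printer VLAN, and its findings pair with the preventive control of restricting TCP 9100 to the print server, so that a workstation sending PJL directly to the device is itself an anomaly.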

g.  Simple Network Management Protocol (SNMP): SNMP’s simplicity makes it a popular choice for network management. Before we explore SNMP’s vulnerabilities, following is a quick synopsis of how SNMP works:

“SNMP employs only three general types of SNMP operations. Get requests retrieve management data from the device, set requests modify the remote device’s configuration, and trap messages let a device send asynchronous notification and signal condition changes.”[14]

SNMP vulnerabilities revolve around trap handling (VU#107186[12]) and request handling (VU#854306[13]). Since the source address of a UDP packet (UDP being the primary transport protocol for SNMP) can be easily spoofed[15], an attacker can send messages that appear to come from an authorized network management station (NMS) and shut down printers. Thus these vulnerabilities can lead to denial of service attacks, format string vulnerabilities, and buffer overflows[16].
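The three operation types above are distinguishable on the wire, which is what a monitoring rule needs: get requests aimed at a printer are routine, set requests should only ever come from the NMS, and because SNMPv1 and v2c carry no authentication beyond the community string, even a set request that appears to come from the NMS cannot be trusted on its source address alone. The following is an added example, not code from the original post or the cited papers: a minimal decoder for SNMPv1 messages as laid out in RFC 1157, followed by a policy check over two constructed packets. The addresses, the NMS allow list and the severities are assumptions of this example.

```python
"""Decode SNMPv1 messages taken from a packet capture and flag SetRequests a
printer should not be accepting. Added example, not code from the original post;
the packets, addresses and policy are constructed. Message layout follows
RFC 1157; only the fields needed for the check are decoded."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
AUTHORIZED_NMS = {"10.20.1.15"}          # constructed: the one legitimate manager


def read_tlv(buf, pos):
    """Parse one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the length size
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Expand BER OID sub-identifiers (base-128, high bit = continuation)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def parse_snmpv1(packet):
    """Return version, community, PDU type and the OIDs in the variable bindings."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, version, pos = read_tlv(body, 0)
    tag, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    if pdu_tag not in PDU_TYPES:
        raise ValueError("unknown PDU tag 0x%02x" % pdu_tag)
    # A Trap-PDU carries five header fields before its varbinds; the others
    # carry request-id, error-status and error-index.
    pos = 0
    for _ in range(5 if pdu_tag == 0xA4 else 3):
        _, _, pos = read_tlv(pdu, pos)
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, binding, pos = read_tlv(varbinds, pos)
        _, oid_raw, _ = read_tlv(binding, 0)
        oids.append(decode_oid(oid_raw))
    return {"version": int.from_bytes(version, "big"),
            "community": community.decode(errors="replace"),
            "pdu": PDU_TYPES[pdu_tag], "oids": oids}


def evaluate(src_ip, packet):
    """Policy for SNMP traffic addressed to a printer."""
    msg = parse_snmpv1(packet)
    findings = []
    if msg["pdu"] == "SetRequest":
        if src_ip not in AUTHORIZED_NMS:
            findings.append({"severity": "high",
                             "detail": "SetRequest from non-NMS source %s" % src_ip})
        else:
            # SNMPv1/v2c have no authentication, so a matching source address is
            # not proof of origin: a forged UDP datagram looks identical here.
            findings.append({"severity": "info",
                             "detail": "SetRequest from an NMS address; unverifiable without SNMPv3"})
    if msg["community"] in ("public", "private"):
        findings.append({"severity": "medium", "detail": "default community string in use"})
    return msg, findings


# Constructed packets (UDP payloads): a v1 SetRequest writing sysName.0 and a
# v1 GetRequest reading it, both with community "public".
SET_REQUEST = bytes.fromhex(
    "3027 020100 0406 7075626c6963 a31a 020101 020100 020100"
    "300f 300d 0608 2b06010201010500 040178")
GET_REQUEST = bytes.fromhex(
    "3026 020100 0406 7075626c6963 a019 020101 020100 020100"
    "300e 300c 0608 2b06010201010500 0500")

if __name__ == "__main__":
    for src in ("198.51.100.9", "10.20.1.15"):
        print(src, evaluate(src, SET_REQUEST))
    print(parse_snmpv1(GET_REQUEST))
```

The "info" finding is deliberate: a source-address allow list is a useful filter but cannot authenticate a v1 set request, which is why the durable fixes are on the device side (a read-only community, or SNMPv3 with authentication, and patched agent firmware for the trap- and request-handling bugs cited above) rather than in the monitor.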

h.  Backdoors: Vendors build backdoor access into printers for servicing and keep it obscure from users. However, such backdoors don’t remain obscure for long, and attackers exploit them. Backdoor access is typically designed to help administrators with configuration, and unauthorized access could result in a serious security breach. To further compound the problem, once such backdoors are exposed it is cost-prohibitive for vendors to fix them, as they have to redesign the product and deploy a patch.

As demonstrated above, a simple network device like an MFP can be the source of a major data security breach. Understanding the threat is the first step to addressing an issue that so often goes unnoticed.

In my next blog, I plan to discuss mitigation strategies and best practices.


[1] News Reports Can Help Inform Your Printer Security Strategy, Gartner Research, 6 December 2011. http://www.gartner.com/id=1867919

[2] Armen Keteyian, Digital Photocopiers Loaded With Secrets, CBS News, April 20, 2010. http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml

[6] Vernon T. Vail, Printer Insecurity: Is it Really an Issue?, SANS Institute InfoSec Reading Room, May 28, 2003. http://www.sans.org/reading_room/whitepapers/threats/printer-insecurity-issue_1149

[7] Mathew J. Schwartz, 8 Lessons From Nortel’s 10-Year Security Breach, InformationWeek, February 17, 2012. http://www.informationweek.com/news/security/attacks/232601092

[8] Vernon T. Vail, Printer Insecurity: Is it Really an Issue?, SANS Institute InfoSec Reading Room, May 28, 2003. http://www.sans.org/reading_room/whitepapers/threats/printer-insecurity-issue_1149

[9] HP JetDirect JetAdmin Password Vulnerability, SecurityFocus. http://www.securityfocus.com/bid/3132/discuss

[10] Vernon T. Vail, Printer Insecurity: Is it Really an Issue?, SANS Institute InfoSec Reading Room, May 28, 2003. http://www.sans.org/reading_room/whitepapers/threats/printer-insecurity-issue_1149

[11] “Hacking” Printers – PJL Basics, December 1, 2011. http://hackonadime.blogspot.com/2011/12/hacking-printers-pjl-basics.html

[12] US-CERT (United States Computer Emergency Readiness Team) Vulnerability Note VU#107186. http://www.kb.cert.org/vuls/id/107186

[13] US-CERT (United States Computer Emergency Readiness Team) Vulnerability Note VU#854306. http://www.kb.cert.org/vuls/id/854306

[14] Guofei Jiang, Multiple Vulnerabilities in SNMP, Institute for Security Technology Studies (ISTS), Dartmouth College. http://www.ists.dartmouth.edu/library/9.pdf

[15] Guofei Jiang, Multiple Vulnerabilities in SNMP, Institute for Security Technology Studies (ISTS), Dartmouth College. http://www.ists.dartmouth.edu/library/9.pdf

[16] Guofei Jiang, Multiple Vulnerabilities in SNMP, Institute for Security Technology Studies (ISTS), Dartmouth College. http://www.ists.dartmouth.edu/library/9.pdf