There were two security incidents over the past week that drew a lot of attention. The first was the ransomware attack against Medstar, a health system based out of Columbia, MD.
The second, which received less publicity, was the Neo-Nazi propaganda sent out by infamous Internet troll Weev to publicly accessible printers across the Internet.
Out of the two attacks, the much more dangerous one was Weev’s attack. This article will discuss why this is the case, and how organizations can protect themselves from similar attacks in the future. What Weev did was not a direct attack, but shows how one misstep can expose an organization and potentially put them at serious risk.
Printers are very sophisticated devices with operating systems and powerful processors. The current consumer printers available offer Dropbox support, Google Cloud Print, scan to email, and saving to USB flash drives or memory cards.
Corporate devices will additionally support saving to network file shares or even SharePoint sites using saved credentials, meaning that the printer is a full participant on the network. Many of them, in addition to running proprietary firmware such as HP FutureSmart, run embedded Linux as firmware.
This is a problem if port 9100 is open to the Internet, able to receive raw PostScript files and prints them out. Let’s walk through how.
Firstly, PostScript is an interpreted programming language. This means that this programming language is subject to the same vulnerabilities as others such as C, and a malformed PS or PDF file can be used to execute arbitrary code through an interpreter (source: https://www.cvedetails.com/vulnerability-list/vendor_id-7640/Ghostscript.html).
One of the major ways to cut costs is to use Open Source or Gnu Public License (GPL) libraries. Even though some of these printer manufacturers have not disclosed it, Ghostscript or a derivative of it may be at the heart of the print engine for many of these devices, opening it and the printer up to potential compromise.
Secondly, in many organizations, printer support is contracted out to a third-party company, and is not under the purview of IT. This means that there is little control over these devices, and that there are outsourced staffs that work on them, and often have exclusive administrative access to the devices. These devices often are checked only when there is a problem preventing printing, not when there is a published security issue.
This leads to the devices themselves. Many of them, in addition to running Linux, may be running an older kernel or firmware version that is susceptible to vulnerabilities. As many of them are considered ancillary devices, they may not be getting the kernel or firmware updates they should be getting. Coupled with the third-party support situation, this leads to a number of printers being on networks that may not be as protected as the desktops or laptops that print to them.
Another complicating factor with these printers is that many of them have to remain at a certain firmware level. There are accounting, auditing, and chargeback software packages such as FollowMe from Ringdale Software, PaperCut, or numerous others that require hooks into the firmware, or in the case of FollowMe, custom printer firmware.
This means that even if there are firmware updates available, updating the printers may affect other line of business applications, and in the case of law firms that use FollowMe, billable items. For companies that use printers for printing reports or other critical business information, there may be issues when changing the firmware that affect how they display the final product.
Multi-function printers also now can store credentials of users and fully interact with directory services such as Active Directory for purposes of authenticating users, looking up mail recipients, and looking up phone/fax numbers. They also store credentials for scanning to file shares, SharePoint, FTP sites, and email.
This means that these devices are fully participating members of the network. Some of the less careful administrators, to save time, may have given a service account with more access than needed. This means that there is an account out there on these printers with access to the network, and in some cases, it may have access to a lot more than it needs.
This leads to the big question. If a device like this is open on port 9100 to the outside world, what else is open? What can we do to protect ourselves? There are potentially serious consequences, especially if these printers are used to print any regulated (FERPA, HIPAA, PCI) information. If one of these printers were to be compromised with a corrupt print job, which is a likely occurrence, how would you even know what was printed to the printer and potentially breached? We’re going to talk about some solutions.
First things first, if you have any printers or other devices that have inbound Internet access other than an updated version of Secure Shell, turn them off immediately. There is no reason in 2016, especially with the number of free Virtual Private Network or OpenSSH configurations out there, to not offer encrypted and protected access to network resources.
Second, you need to do a risk assessment of your printing devices. You need to be asking the following questions:
- Can you create printer VLANs? If you have the ability to do so, segment the printers off on their own network segment with only access to the resources they need, such as directory services, print servers, and file shares, but nothing else.
- Are you using print servers or print management software? Print servers or management software allow you to log and audit print jobs, scanner jobs, and other actions taken on the device.
- What is the firmware update process for printers?
- Who is responsible?
- Who will be performing the updates?
- How often will the updating take place?
- Is there a testing process for testing software and/or firmware updates with applications?
- Does the manufacturer encrypt the information on the printer hard drives?
- In case of an emergency, can the systems administrators and InfoSec staff get administrative access to the devices?
- Have the passwords to the devices been changed from factory defaults?
- Do the service accounts have access to only what they need, and nothing else?
- How will you enforce this?
- If there is a third-party service contract, what are the terms and conditions under which the vendor will service and support the device?
- Do security updates count as a service call or are they included?
- Will they even support the updates?
- Does your vulnerability scanning software support printers?
- Who do you report security issues to at the manufacturer or vendor?
- What is their security response process?
Third, you need to continually revisit, at least yearly, your risk assessment if not more often. We need to make sure that everyone is on board and working to protect networks and information. This is critical, as these devices present significant residual risk. They’re not just printers. When a $100 printer can connect over WiFi upload to Dropbox or Google Drive, and accept printouts from Google Cloud Print, they’re full-fledged computers that also print and scan.
Printing anti-Semitic material to printers at universities across North America is a horrible way to get attention. When an event like this happens, there are two questions that we have to ask, and have hopefully answered today, which is why it happened in the first place, and what we can do to mitigate this in the future.
What Weev did could have been a lot worse, and could have resulted in serious damage to customers, networks, and data. The purpose of writing this was to show the risks, and to show what we can to do prevent something like this from happening in the future.