compromising multifunction printers
play

Compromising Multifunction Printers A Case Study of Epson MFP - PowerPoint PPT Presentation

Jun 05, 2023 •152 likes •375 views

Compromising Multifunction Printers A Case Study of Epson MFP Security Yves-Noel Weweler y.weweler@fh-muenster.de Multifunction Printers MFP (Multi Function Product/ Printer/ Peripheral), multifunctional, all-in- one (AIO) ...

  1. Compromising Multifunction Printers A Case Study of Epson MFP Security Yves-Noel Weweler y.weweler@fh-muenster.de

  2. Multifunction Printers „MFP (Multi Function Product/ Printer/ Peripheral), multifunctional, all-in- one (AIO) ...“ https://en.wikipedia.org/wiki/Multi-function_printer Typically combine: • Printer • Scanner • Photocopier • Fax Today they are small sized computers capable of running fully blown operating systems Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 2

  3. Interrogation How secure are MFP‘s and how can an attacker communicate unnoticed with a device? Motivation: • Germany (2014): ~ 81 million citizens • Ink-jet printer: 22.71 million (~ 28%) • Multifunction printer: 21.68 million (~ 26.7%) https://multifunktionsdruckertest-24.de/entwicklung-des-anteils-von-druckern-und-scannern-in-deutschen-haushalten/ • Highly sensible documents • Connected to access control systems Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 3

  4. Epson WF-2540 Hardware: • ARM926EJ-Sid Processor • 64 MB RAM • 12 MB EEPROM • FAX / DATA Modem • LAN / WLAN / USB Software: • GNU/Linux Kernel 2.6.18 • BusyBox 1.7.2 • uClibc 0.9.29 • Proprietary binaries Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 4

  5. How to Compromise? Locally: • USB • Hardware access (EEPROM) Remote: • Network services • Self-built HTTP Server • Firmware updates Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 5

  6. Firmware Structure Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 6

  7. IPL-Header • Describe firmware structure with records • Records refer to data sections • Checksums do not cover headers Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 7

  8. Dumping the Memory • Readout EEPROM‘s • Unveil hidden contents • Understand bootcode & checksums Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 8

  12. Update Process Mechanics • 1:1 copy of firmware into flash • Hidden JFFS2 filesystem • Bootloader not updated by firmware Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 12

  13. Firmware • Taken apart the firmware format • Decoded checksum algorithm • Capable of repacking custom firmware • Capable of compiling own software Problems: • No signing • No encryption • Poor checksums Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 13

  14. Firmware Update Mechanism • USB • HTTP (LAN / Wi-Fi) • ~40 – 45 seconds Two level process: 1. Enter update mode 2. Upload firmware binary Problems: • No authentication • No CSRF prevention Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 14

  15. Remote Exploitation Upgrade • Victim visits a website and executes a malicious script • Victim is tricked into updating the printer using CSRF, acting as the attacker Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 15

  16. Hidden Communication Unnoticed communication with a device? • Utilize integrated modem • Use FAX connection as a proxy • Access networks without IP-connectivity Modem: • Softmodem • Hook communication between modem and applications • Implemented using a kernelmodule Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 16

  17. Hooking the Modem Original Compromised Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 17

  18. Hooking the Modem • Man-in-the-Middle-Attack on data channel • Controlling incoming and outgoing connections • Reading and writing data Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 18

  19. Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: • ~15% market share in 2014 • ~4.9 million printers sold in 2014 • ~343 printer models http://www.epson.com/cgi-bin/Store/BuyInkList.jsp Vulnerable devices: • ~62 printers in the "WorkForce" series • ~5946 vulnerable devices in the IPv4 range (03/2016) • "Stylus" series (~211 models) probably also vulnerable Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 19

  20. How to protect? Epson started shipping new firmware at the beginning of 2016 • Update your printers firmware • Restrict device access • Block HTTP on port 80 for non administrative users Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 20

  21. Summary How secure are MFP‘s and how can an attacker communicate unnoticed with a device? • Successful penetration of printers • All devices with network access are vulnerable • Control over integrated modem • Modem can be used to transfer data without IP-Connectivity Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 21

  22. Questions? Thank you for your attention Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 22

Recommend

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS DURING PENETRATION TESTING Deral Heiland Pete Arzamendi deral_heiland@rapid7.com peter_arzamendi@rapid7.com @Percent_x @TheBokojan

750 views • 64 slides
Responsible Purchasing Guide for Office Electronics Imaging Equipment: Copiers Copiers, Fax

Responsible Purchasing Guide for Office Electronics Imaging Equipment: Copiers Copiers, Fax

Responsible Purchasing Guide for Office Electronics Imaging Equipment: Copiers Copiers, Fax Machines, , Fax Machines, Imaging Equipment: Printers, Multifunction Multifunction Devices Devices Printers, Presented by the Responsible

577 views • 19 slides
AIT Product Portfolio ANZ January 2016 ZEBRA CONFIDENTIAL Agenda Industrial Printers

AIT Product Portfolio ANZ January 2016 ZEBRA CONFIDENTIAL Agenda Industrial Printers

AIT Product Portfolio ANZ January 2016 ZEBRA CONFIDENTIAL Agenda Industrial Printers Print Engines Desktop Printers Mobile Printers Barcode Printers Software Card Printers Barcode & Card Printers Supplies

619 views • 45 slides
Contents Selecting of Multifunction 1 1 Microorganism: Nematophagous-Antifungi-PR Protein

Contents Selecting of Multifunction 1 1 Microorganism: Nematophagous-Antifungi-PR Protein

20/09/2011 Young Scientist for Argricultural Development in Vietnam Multifunction Microorganisms in Environmental friendly Agriculture at Highland Centre of Vietnam Dr. Nguyen Van Nam Tay Nguyen University Sep-2011 , Nong Lam University

528 views • 27 slides
Chapter 5 Printers and Scanners Page 1 We Shall be Covering ... Usage of devices which

Chapter 5 Printers and Scanners Page 1 We Shall be Covering ... Usage of devices which

Chapter 5 Printers and Scanners Page 1 We Shall be Covering ... Usage of devices which facilitate the transfer of information to and from paper: printers scanners Page 2 Printers and Scanners Printer output device transfer

659 views • 14 slides
HP Drucker DECUS Symposium 2003 Warren A. Viertel Consultant Hewlett Packard GmbH Agenda

HP Drucker DECUS Symposium 2003 Warren A. Viertel Consultant Hewlett Packard GmbH Agenda

HP Drucker DECUS Symposium 2003 Warren A. Viertel Consultant Hewlett Packard GmbH Agenda Marketing Information HP Printer Products Inkjet Printers Monochrome Laser Printers Color Laser Printers Multi-function Printers

509 views • 21 slides
Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory http://www.cl.cam.ac.uk/ mgk25/ CHES 2005, Edinburgh Compromising emanations 1914: German army valve amplifiers for eavesdropping ground return signals of

732 views • 29 slides
Closed-Loop Control of 3D Printers via Webservices Felix Baumann and Dieter Roller Wintersemester

Closed-Loop Control of 3D Printers via Webservices Felix Baumann and Dieter Roller Wintersemester

01 / 19 2017-02-13 Baumann and Roller Closed-Loop Control of 3D Printers via Webservices Motivation and Goals Benefits and Drawbacks Future Work ZEUS 2017 - Lugano, Switzerland 2017-02-13 Closed-Loop Control of 3D Printers via Webservices

409 views • 19 slides
COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX SECURITY09 Martin VUAGNOUX and Sylvain PASINI MODERN KEYBOARDS RADIATE COMPROMISING ELECTROMAGNETIC EMANATIONS THESE EMISSIONS LED TO A FULL OR A

861 views • 75 slides
Controlling 3D Printers with Artificial Neural Networks Frank Chiarulli Jr. Advisor: John

Controlling 3D Printers with Artificial Neural Networks Frank Chiarulli Jr. Advisor: John

Controlling 3D Printers with Artificial Neural Networks Frank Chiarulli Jr. Advisor: John Rieffel Linear Instructions (G-Code) EvoFab 0.3 System Input layer Hidden Layer(s) Output Layer Pipe Dream EvoFab 0.3 System Alas, 3D printers are

366 views • 22 slides
Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Pedagogy in Virtual Classrooms Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by: Jayems Dhingra SIM University, Singapore Pedagogy in Virtual Classrooms Without Compromising the Quality of the

593 views • 15 slides
Makers, 3D printers and co-design- a view from Ireland Ala lan T. R n T. Rya yan n Ga

Makers, 3D printers and co-design- a view from Ireland Ala lan T. R n T. Rya yan n Ga

Makers, 3D printers and co-design- a view from Ireland Ala lan T. R n T. Rya yan n Ga Gabrie briela la A Avra vram Inte Intera raction D tion Design C sign Centre ntre Unive niversity of Lim rsity of Limeric rick, , Ire

523 views • 20 slides
1 What Is Substance Dependence? Physical dependence Body has adjusted to substance and

1 What Is Substance Dependence? Physical dependence Body has adjusted to substance and

Health Psychology, 6 th edition Shelley E. Taylor Chapter Five: Health-Compromising Behaviors Characteristics of Health-Compromising Behavior Many of these behaviors share a window of vulnerability in adolescence Drinking to excess

419 views • 15 slides
14.2 3D Printing Hao Li http://cs599.hao-li.com 1 Why 3D Printers Become Popular? Prices

14.2 3D Printing Hao Li http://cs599.hao-li.com 1 Why 3D Printers Become Popular? Prices

Spring 2014 CSCI 599: Digital Geometry Processing 14.2 3D Printing Hao Li http://cs599.hao-li.com 1 Why 3D Printers Become Popular? Prices are dropping Thousands of dollars to hundreds of dollars Smaller Sizes Industry oriented

880 views • 36 slides
Over 1,000,000 hydraulic fracturing stimulations within the USA without compromising fresh

Over 1,000,000 hydraulic fracturing stimulations within the USA without compromising fresh

Over 1,000,000 hydraulic fracturing stimulations within the USA without compromising fresh groundwater: True or False? Terry Engelder Department of Geosciences The Pennsylvania State University University Park, PA 16802 The answer is true in

992 views • 66 slides
Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim Georgia Institute of Technology #BHUSA @BLACKHATEVENTS One of the best information Who are we? security labs in

870 views • 58 slides
GO GREEN, GO E-TERRA 0 BACKGROUND INFORMATION Technology devices like computers, printers,

GO GREEN, GO E-TERRA 0 BACKGROUND INFORMATION Technology devices like computers, printers,

Reduce|Reuse|Recycle THE ECO-FRIENDLY ELECTRONIC WASTE MANAGEMENT COMPANY GO GREEN, GO E-TERRA 0 BACKGROUND INFORMATION Technology devices like computers, printers, mobile phones and more have significantly transformed the World, our life

508 views • 19 slides
UV LED INKS FOR PLASTIC CARD PRINTERS WHAT IS UV LED CURING? UV LED curing is based of select

UV LED INKS FOR PLASTIC CARD PRINTERS WHAT IS UV LED CURING? UV LED curing is based of select

UV LED INKS FOR PLASTIC CARD PRINTERS WHAT IS UV LED CURING? UV LED curing is based of select wavelengths usually 385nm- 395nm for offset presses. These lamps generally produce more power in a narrow wavelength than a conventional mercury

109 views • 6 slides
Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites Takuya

Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites Takuya

Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites Takuya Watanabe, Eitaro Shioji, Mitsuaki Akiyama, Tatsuya Mori NTT Secure Platform Laboratories, Waseda University, NICT, RIKEN API NDSS Symposium 24 th

768 views • 46 slides
ADVANCED SMT Partial Equipment List Description Ekra X4 (2) Precision stencil printers w/ 2.5D

ADVANCED SMT Partial Equipment List Description Ekra X4 (2) Precision stencil printers w/ 2.5D

ADVANCED SMT Partial Equipment List Description Ekra X4 (2) Precision stencil printers w/ 2.5D paste inspection ASSEMBLY CAPABILITIES Samsung SM421 (2) SMT placement machine, capable of placing 01005 passives and 55mm body size, 0.4mm pitch

319 views • 4 slides
Compromising Security of Economic Dispatch in Power System Operations DevendraShelar, MIT

Compromising Security of Economic Dispatch in Power System Operations DevendraShelar, MIT

Compromising Security of Economic Dispatch in Power System Operations DevendraShelar, MIT Dependable Systems and Networks, June 29 th , 2017 Joint work with Saurabh Amin, MIT Pengfei Sun and Saman Zonouz, Rutgers 1 Focus of the talk Economic

470 views • 32 slides
substitute medicinal zinc? Without compromising piglet health and growth performance (pilot

substitute medicinal zinc? Without compromising piglet health and growth performance (pilot

Can feeding of prefermented rape seed and seaweed to weaners substitute medicinal zinc? Without compromising piglet health and growth performance (pilot study) Mette Olaf Nielsen, Gizaw Dabessa Satessa, & Rajan Dhakal Department of

217 views • 17 slides
Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase

Anonymous Credentials: How to show credentials without compromising privacy Melissa Chase Microsoft Research Credentials: Motivation ID cards Sometimes used for other uses E.g. prove youre over 21, or verify your address

659 views • 48 slides
REQUEST FOR PROPOSAL 20-008 IT HARDWARE DESKTOPS, LAPTOPS, TABLETS, MONITORS, PRINTERS,

REQUEST FOR PROPOSAL 20-008 IT HARDWARE DESKTOPS, LAPTOPS, TABLETS, MONITORS, PRINTERS,

REQUEST FOR PROPOSAL 20-008 IT HARDWARE DESKTOPS, LAPTOPS, TABLETS, MONITORS, PRINTERS, PERIPHERALS AND RELATED SERVICES INDIANA DEPARTMENT OF ADMINISTRATION ON BEHALF OF THE STATE OF INDIANA BY AND THROUGH THE INDIANA OFFICE OF TECHNOLOGY

1.15k views • 40 slides

More recommend