compromising multifunction printers
play

Compromising Multifunction Printers A Case Study of Epson MFP - PowerPoint PPT Presentation

Jun 05, 2023 •152 likes •375 views

Compromising Multifunction Printers A Case Study of Epson MFP Security Yves-Noel Weweler y.weweler@fh-muenster.de Multifunction Printers MFP (Multi Function Product/ Printer/ Peripheral), multifunctional, all-in- one (AIO) ...

  1. Compromising Multifunction Printers A Case Study of Epson MFP Security Yves-Noel Weweler y.weweler@fh-muenster.de

  2. Multifunction Printers „MFP (Multi Function Product/ Printer/ Peripheral), multifunctional, all-in- one (AIO) ...“ https://en.wikipedia.org/wiki/Multi-function_printer Typically combine: • Printer • Scanner • Photocopier • Fax Today they are small sized computers capable of running fully blown operating systems Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 2

  3. Interrogation How secure are MFP‘s and how can an attacker communicate unnoticed with a device? Motivation: • Germany (2014): ~ 81 million citizens • Ink-jet printer: 22.71 million (~ 28%) • Multifunction printer: 21.68 million (~ 26.7%) https://multifunktionsdruckertest-24.de/entwicklung-des-anteils-von-druckern-und-scannern-in-deutschen-haushalten/ • Highly sensible documents • Connected to access control systems Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 3

  4. Epson WF-2540 Hardware: • ARM926EJ-Sid Processor • 64 MB RAM • 12 MB EEPROM • FAX / DATA Modem • LAN / WLAN / USB Software: • GNU/Linux Kernel 2.6.18 • BusyBox 1.7.2 • uClibc 0.9.29 • Proprietary binaries Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 4

  5. How to Compromise? Locally: • USB • Hardware access (EEPROM) Remote: • Network services • Self-built HTTP Server • Firmware updates Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 5

  6. Firmware Structure Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 6

  7. IPL-Header • Describe firmware structure with records • Records refer to data sections • Checksums do not cover headers Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 7

  8. Dumping the Memory • Readout EEPROM‘s • Unveil hidden contents • Understand bootcode & checksums Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 8

  12. Update Process Mechanics • 1:1 copy of firmware into flash • Hidden JFFS2 filesystem • Bootloader not updated by firmware Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 12

  13. Firmware • Taken apart the firmware format • Decoded checksum algorithm • Capable of repacking custom firmware • Capable of compiling own software Problems: • No signing • No encryption • Poor checksums Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 13

  14. Firmware Update Mechanism • USB • HTTP (LAN / Wi-Fi) • ~40 – 45 seconds Two level process: 1. Enter update mode 2. Upload firmware binary Problems: • No authentication • No CSRF prevention Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 14

  15. Remote Exploitation Upgrade • Victim visits a website and executes a malicious script • Victim is tricked into updating the printer using CSRF, acting as the attacker Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 15

  16. Hidden Communication Unnoticed communication with a device? • Utilize integrated modem • Use FAX connection as a proxy • Access networks without IP-connectivity Modem: • Softmodem • Hook communication between modem and applications • Implemented using a kernelmodule Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 16

  17. Hooking the Modem Original Compromised Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 17

  18. Hooking the Modem • Man-in-the-Middle-Attack on data channel • Controlling incoming and outgoing connections • Reading and writing data Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 18

  19. Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: • ~15% market share in 2014 • ~4.9 million printers sold in 2014 • ~343 printer models http://www.epson.com/cgi-bin/Store/BuyInkList.jsp Vulnerable devices: • ~62 printers in the "WorkForce" series • ~5946 vulnerable devices in the IPv4 range (03/2016) • "Stylus" series (~211 models) probably also vulnerable Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 19

  20. How to protect? Epson started shipping new firmware at the beginning of 2016 • Update your printers firmware • Restrict device access • Block HTTP on port 80 for non administrative users Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 20

  21. Summary How secure are MFP‘s and how can an attacker communicate unnoticed with a device? • Successful penetration of printers • All devices with network access are vulnerable • Control over integrated modem • Modem can be used to transfer data without IP-Connectivity Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 21

  22. Questions? Thank you for your attention Yves-Noel Weweler GUUG-Frühjahrsfachgespräch 2017 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS

Plunder Pillage & Print THE ART OF LEVERAGING MULTIFUNCTION PRINTERS DURING PENETRATION TESTING Deral Heiland Pete Arzamendi deral_heiland@rapid7.com peter_arzamendi@rapid7.com @Percent_x @TheBokojan

750 views • 64 slides
Responsible Purchasing Guide for Office Electronics Imaging Equipment: Copiers Copiers, Fax

Responsible Purchasing Guide for Office Electronics Imaging Equipment: Copiers Copiers, Fax

Responsible Purchasing Guide for Office Electronics Imaging Equipment: Copiers Copiers, Fax Machines, , Fax Machines, Imaging Equipment: Printers, Multifunction Multifunction Devices Devices Printers, Presented by the Responsible

577 views • 19 slides
AIT Product Portfolio ANZ January 2016 ZEBRA CONFIDENTIAL Agenda Industrial Printers

AIT Product Portfolio ANZ January 2016 ZEBRA CONFIDENTIAL Agenda Industrial Printers

AIT Product Portfolio ANZ January 2016 ZEBRA CONFIDENTIAL Agenda Industrial Printers Print Engines Desktop Printers Mobile Printers Barcode Printers Software Card Printers Barcode & Card Printers Supplies

619 views • 45 slides
Contents Selecting of Multifunction 1 1 Microorganism: Nematophagous-Antifungi-PR Protein

Contents Selecting of Multifunction 1 1 Microorganism: Nematophagous-Antifungi-PR Protein

20/09/2011 Young Scientist for Argricultural Development in Vietnam Multifunction Microorganisms in Environmental friendly Agriculture at Highland Centre of Vietnam Dr. Nguyen Van Nam Tay Nguyen University Sep-2011 , Nong Lam University

528 views • 27 slides
Chapter 5 Printers and Scanners Page 1 We Shall be Covering ... Usage of devices which

Chapter 5 Printers and Scanners Page 1 We Shall be Covering ... Usage of devices which

Chapter 5 Printers and Scanners Page 1 We Shall be Covering ... Usage of devices which facilitate the transfer of information to and from paper: printers scanners Page 2 Printers and Scanners Printer output device transfer

659 views • 14 slides
HP Drucker DECUS Symposium 2003 Warren A. Viertel Consultant Hewlett Packard GmbH Agenda

HP Drucker DECUS Symposium 2003 Warren A. Viertel Consultant Hewlett Packard GmbH Agenda

HP Drucker DECUS Symposium 2003 Warren A. Viertel Consultant Hewlett Packard GmbH Agenda Marketing Information HP Printer Products Inkjet Printers Monochrome Laser Printers Color Laser Printers Multi-function Printers

509 views • 21 slides
Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory

Security limits for compromising emanations Markus G. Kuhn Computer Laboratory http://www.cl.cam.ac.uk/ mgk25/ CHES 2005, Edinburgh Compromising emanations 1914: German army valve amplifiers for eavesdropping ground return signals of

732 views • 29 slides
Closed-Loop Control of 3D Printers via Webservices Felix Baumann and Dieter Roller Wintersemester

Closed-Loop Control of 3D Printers via Webservices Felix Baumann and Dieter Roller Wintersemester

01 / 19 2017-02-13 Baumann and Roller Closed-Loop Control of 3D Printers via Webservices Motivation and Goals Benefits and Drawbacks Future Work ZEUS 2017 - Lugano, Switzerland 2017-02-13 Closed-Loop Control of 3D Printers via Webservices

409 views • 19 slides
COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX

COMPROMISING ELECTROMAGNETIC EMANATIONS OF WIRED AND WIRELESS KEYBOARDS EPFL/LASEC/USENIX SECURITY09 Martin VUAGNOUX and Sylvain PASINI MODERN KEYBOARDS RADIATE COMPROMISING ELECTROMAGNETIC EMANATIONS THESE EMISSIONS LED TO A FULL OR A

861 views • 75 slides
Controlling 3D Printers with Artificial Neural Networks Frank Chiarulli Jr. Advisor: John

Controlling 3D Printers with Artificial Neural Networks Frank Chiarulli Jr. Advisor: John

Controlling 3D Printers with Artificial Neural Networks Frank Chiarulli Jr. Advisor: John Rieffel Linear Instructions (G-Code) EvoFab 0.3 System Input layer Hidden Layer(s) Output Layer Pipe Dream EvoFab 0.3 System Alas, 3D printers are

366 views • 22 slides
Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by:

Pedagogy in Virtual Classrooms Without Compromising the Quality of the Scientific and Scholarly Curriculum Presented by: Jayems Dhingra SIM University, Singapore Pedagogy in Virtual Classrooms Without Compromising the Quality of the

593 views • 15 slides
Makers, 3D printers and co-design- a view from Ireland Ala lan T. R n T. Rya yan n Ga

Makers, 3D printers and co-design- a view from Ireland Ala lan T. R n T. Rya yan n Ga

Makers, 3D printers and co-design- a view from Ireland Ala lan T. R n T. Rya yan n Ga Gabrie briela la A Avra vram Inte Intera raction D tion Design C sign Centre ntre Unive niversity of Lim rsity of Limeric rick, , Ire

523 views • 20 slides
1 What Is Substance Dependence? Physical dependence Body has adjusted to substance and

1 What Is Substance Dependence? Physical dependence Body has adjusted to substance and

Health Psychology, 6 th edition Shelley E. Taylor Chapter Five: Health-Compromising Behaviors Characteristics of Health-Compromising Behavior Many of these behaviors share a window of vulnerability in adolescence Drinking to excess

419 views • 15 slides
14.2 3D Printing Hao Li http://cs599.hao-li.com 1 Why 3D Printers Become Popular? Prices

14.2 3D Printing Hao Li http://cs599.hao-li.com 1 Why 3D Printers Become Popular? Prices

Spring 2014 CSCI 599: Digital Geometry Processing 14.2 3D Printing Hao Li http://cs599.hao-li.com 1 Why 3D Printers Become Popular? Prices are dropping Thousands of dollars to hundreds of dollars Smaller Sizes Industry oriented

880 views • 36 slides
Over 1,000,000 hydraulic fracturing stimulations within the USA without compromising fresh

Over 1,000,000 hydraulic fracturing stimulations within the USA without compromising fresh

Over 1,000,000 hydraulic fracturing stimulations within the USA without compromising fresh groundwater: True or False? Terry Engelder Department of Geosciences The Pennsylvania State University University Park, PA 16802 The answer is true in

992 views • 66 slides
Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim Georgia Institute of Technology #BHUSA @BLACKHATEVENTS One of the best information Who are we? security labs in

870 views • 58 slides
Being Your Own Boss need. Ill cover how to find work and how to work a project in a way that

Being Your Own Boss need. Ill cover how to find work and how to work a project in a way that

- Lisa 96 Notes - BEING YOUR OWN BOSS - Behind the myths and fears of consultingBeing Your Own Boss - Lisa 96 BEING YOUR OWN BOSS - Behind the myths and fears of consulting Im here to give you an understanding of what its like to be

275 views • 11 slides
Dimensions of e-Learning Education in Turkey Assoc. Prof. Dr. Gaye KIZILSU Istanbul Technical

Dimensions of e-Learning Education in Turkey Assoc. Prof. Dr. Gaye KIZILSU Istanbul Technical

Dimensions of e-Learning Education in Turkey Assoc. Prof. Dr. Gaye KIZILSU Istanbul Technical University - Turkey Today developments of communication technology are going on pretty quick and also supplying the share of information importantly.

486 views • 26 slides
Chapter 7 Industry by by David G. Messerschmitt David G. Messerschmitt Components Examples

Chapter 7 Industry by by David G. Messerschmitt David G. Messerschmitt Components Examples

Understanding Networked Applications: Understanding Networked Applications: A First Course A First Course Chapter 7 Industry by by David G. Messerschmitt David G. Messerschmitt Components Examples of components Component: A subsystem

444 views • 6 slides
D ATA C OMPRESSION May. 12, 2016 Acknowledgement: The course slides are adapted from the

D ATA C OMPRESSION May. 12, 2016 Acknowledgement: The course slides are adapted from the

BBM 202 - ALGORITHMS D EPT . OF C OMPUTER E NGINEERING D ATA C OMPRESSION May. 12, 2016 Acknowledgement: The course slides are adapted from the slides prepared by R. Sedgewick and K. Wayne of Princeton University. D ATA C OMPRESSION

1.06k views • 53 slides
ToLHnet: A Low-Complexity Protocol for Mixed Wired and Wireless Low-Rate Control Networks Giorgio

ToLHnet: A Low-Complexity Protocol for Mixed Wired and Wireless Low-Rate Control Networks Giorgio

Introduction Protocol definition Implementation on a TM4C123GH6PMI Experimental evaluation Conclusions ToLHnet: A Low-Complexity Protocol for Mixed Wired and Wireless Low-Rate Control Networks Giorgio Biagetti, Paolo Crippa, Alessandro Curzi,

278 views • 26 slides
IT Projects Update Forum Wednesday, August 19 1:00 2:00 pm Agenda 1) Welcome and Structure

IT Projects Update Forum Wednesday, August 19 1:00 2:00 pm Agenda 1) Welcome and Structure

IT Projects Update Forum Wednesday, August 19 1:00 2:00 pm Agenda 1) Welcome and Structure 1) We will take a few questions after each update- post additional questions in Chat and we may need to post Q&A later if run short on time 2)

534 views • 26 slides
23 March

23 March

23 March 2018 Ofcom, Riverside House, London NICC Standards Limited 23/03/2018 Welcome NICC Standards Limited Standards and Best Practice

1.07k views • 67 slides
Convergence of communication services Lecture slides for S-38.192 7.4.2005 Mika Ilvesmki

Convergence of communication services Lecture slides for S-38.192 7.4.2005 Mika Ilvesmki

HELSINKI UNIVERSITY OF TECHNOLOGY Convergence of communication services Lecture slides for S-38.192 7.4.2005 Mika Ilvesmki Networking laboratory HELSINKI UNIVERSITY OF TECHNOLOGY Mika Ilvesmki, Lic.Sc. (Tech.) Contents Services and

407 views • 12 slides

More recommend