We don't want to alarm you, but PostScript makes your printer an attack vector

Take your printers off the Internet: a bunch of researchers from a German university have found a cross-site printing bug in the ancient PostScript language. If PostScript is the printer driver, the printer is vulnerable to what they call Cross-Site Printing attacks, documented in detail at Hacking Printers here. The bugs …

  1. Pompous Git Silver badge

    Maybe I'm thick...

    ... but why would I connect my printer to the Internet?

    1. Paul Crawford Silver badge

      Re: Maybe I'm thick...

      Because you used Google's cloud print service instead of any sane choice like printing directly from the device?

      It is most of the whole IoT shit-storm really. Printers and any other not-secure and not-updated devices ought to be on a separate sub-net that has firewall rules that (a) have no ability to go out to the internet, and (b) can't initiate connections to your main PCs. OK it makes discovery a little harder, etc, but once machines are known it greatly reduces the impact of something stupid like this happening.

      1. Anonymous Coward

        Re: Maybe I'm thick...

        It is most of the whole IoT shit-storm really. Printers and any other not-secure and not-updated devices ought to be on a separate sub-net that has firewall rules that (a) have no ability to go out to the internet, and (b) can't initiate connections to your main PCs. OK it makes discovery a little harder, etc, but once machines are known it greatly reduces the impact of something stupid like this happening.

        One dedicated print spooler fixes that - we need to retain print jobs anyway for compliance reasons :).

        I just don't get this fashion to have everything accessible from the outside, but that's maybe because it's old hat for me. I was a very early Internet user so I've had my fun with a static IP address and a dedicated firewall many, many years ago when a public interface didn't get hit by a probe at least once a second. I've been running some tests of late and I was shocked to see just how often someone tries if the door is locked.

        1. Anonymous Coward

          Re: Maybe I'm thick...

          'One dedicated print spooler fixes that - we need to retain print jobs anyway for compliance reasons :).'

          Aye, maybe so, but when said print spooler starts falling over and dying, you've no IT support in sight and hordes of irate paper-pusher wallahs demanding printouts, then it's very expedient to say 'sod compliance' and bypass said print spooler...

          Not that I'd ever do such a thing, you understand.

          '..I just don't get this fashion to have everything accessible from the outside,'

          I once had to prove that a network of over 2000 internet visible machines did not need to be so by surreptitiously plonking a transparent bridging firewall betwixt them and the outside and blocking inbound connections initiated from outside, left it in that state for a couple of months without anyone complaining before telling anyone about its existence, and gave them the logs of all the dodgy shit that the firewall had blocked as well.

          They required 12 internet visible addresses in total, the rest could have been on a NAT or two.

          '..I've been running some tests of late and I was shocked to see just how often someone tries if the door is locked.'

          Heh, they're persistent buggers, to say the least (hello Shodan and all you fine folks lurking out there on hinet.net.. my biggest 'group' offenders). At the time of this message (4:00amish) I've had notification of 83 port scans so far today, January's total was 16,027.

          And that's just my boring old home broadband connection..

    2. Blitheringeejit
      Boffin

      @Pompous Git - Maybe I'm thick too, but ...

      ...it looks to me from the diagram in the article as though the printer is only connected to the LAN, presumably behind a firewall and NAT. The attack works by a client PC in the LAN hitting an infected website and executing a malicious JS payload locally. That payload exploits the vulnerability in the printer and posts the results back to the attacker.

      At least I think that's what the diagram indicates.

      1. Roland6 Silver badge

        Re: @Pompous Git - Maybe I'm thick too, but ...

        >...it looks to me from the diagram in the article as though the printer is only connected to the LAN...

        One of the attack vectors is to use the victim's browser. Given the convergence of PS and PDF, I wonder if a PDF document can be used as a carrier.

        1. Hans 1
          Facepalm

          Re: @Pompous Git - Maybe I'm thick too, but ...

          >Given the convergence of PS and PDF, I wonder if a PDF document can be used as a carrier.

          The "convergence" (whatever you mean by that in this context) has nothing to do with it.

          From the article:

          CORS is the mechanism that lets Web pages request data from third-parties (font services, images, and of course advertisements), and it's supposed to be restricted by the same origin policy. “CORS spoofing” demonstrated by the University Alliance Ruhr group breaks those rules and gives an attacker access to a networked printer.

          From the web:

          Access control CORS

          1. Brewster's Angle Grinder Silver badge

            Re: @Pompous Git - Maybe I'm thick too, but ...

            The "convergence" (whatever you mean by that in this context) has nothing to do with it.

            But if you read the article more closely, you'll see they use postscript (a Turing-complete programming language) to write a dummy web server that defeats the browser's built in CORS protection. The question is does the subset of postscript commands available in PDF also allow that?

            I think PDF lacks the showpage operator. And its restricted nature means it's probably a challenge. But I'm not a PDF expert.

            1. Roland6 Silver badge

              Re: @Pompous Git - Maybe I'm thick too, but ...

              The question is does the subset of postscript commands available in PDF also allow that?

              This is the important point - not being any expert on PS or PDF other than knowing that PDF 1.5 and Postscript 3 converged to be more consistent so that a printer that supported PS 3 could very simply be enhanced to support native printing of PDF files. Thus like you I don't know the extent to which CUPS/Airprint printers that support the application/PDF MIME type might be vulnerable to this exploit. Unless informed otherwise, I assume CUPS printers that support the application/postscript MIME type are vulnerable.

      2. This post has been deleted by its author

        1. This post has been deleted by its author

      3. David 132 Silver badge
        Happy

        Re: @Pompous Git - Maybe I'm thick too, but ...

        Blitheringeejit At least I think that's what the diagram indicates.

        Really? All I ascertained from the diagram was that if I have a Citizen Swift dot-matrix printer hooked up to an Escom 486 with 12" CRT monitor, my print-jobs are at risk from headless quadruple-amputee sheep.

        JEEEZ that's bad clip-art.

    3. Wensleydale Cheese
    4. Oh Homer
      Childcatcher

      "Our approach is to abuse WebRTC"

      From the wiki, apparently your printer doesn't actually need to be connected directly to the Internet, it only needs to be discoverable on the host's subnet. WebRTC, Java and VBScript can all be used to "leak the local IP address" - the usual suspects.

      Yet another reason to take WebRTC (and Java and VBScript) outside to be shot.

      Worse still, apparently there is no way to disable WebRTC completely in Chrom(e|ium), as various attempts to do so with extensions can be bypassed, e.g. with an iframe.

      Remind me again, what exactly do we need WebRTC for? Because from where I'm sitting it just looks like malware.

      N.B. WebRTC was the final straw that forced me to abandon Chrom(e|ium) and go back to Firefox. The second last straw was Google removing the ability to install extensions they hadn't "approved", mostly for the purpose of blocking privacy extensions that conflicted with its spamming operations.

    5. Jonathan 27

      Re: Maybe I'm thick...

      Google Cloud Print is pretty much the only option to print from Android devices, or at least the only one my printer supports. I freely admit I have my printer hooked up to the Internet. I mitigate the risk by turning the printer off when I'm not using it, but I guess I must think the convenience is worth the risk.

      1. Orv Silver badge

        Re: Maybe I'm thick...

        Technically you don't have to have your printer exposed to the Internet to use Cloud Print, *if* you export it from a PC on your LAN. The downside is the PC has to be on and you have to be logged in before you can print. This is how I print to my non-Internet-enabled printer from my Chromebook, via my desktop.

      2. Chemical Bob

        Re: Maybe I'm thick...

        "Google Cloud Print is pretty much the only option to print from Android devices"

        It's the only option for Chromebooks too. Maybe Google will get a clue someday and make the Chrome OS grown up by adding real printing capabilities.

        1. AJ MacLeod

          Re: Maybe I'm thick... @Chemical Bob

          Maybe they are finally getting the message:

          https://chromeunboxed.com/chromebooks-getting-local-printing-options/

          There is also an extension that's been around for a while which allows you to do local printing to many network printers (I forget what it's called, sadly didn't work with my Brother AIO though I believe it works with its replacement model.)

          1. Roland6 Silver badge

            Re: Maybe I'm thick... @Chemical Bob

            >Maybe they are finally getting the message...

            At least that is (slightly) better than MS, who don't provide out-of-the-box CUPS print capabilities on their Win10 tablets etc., which is a little surprising given Airprint/CUPS (using MIME types application/PDF, image/JPEG and image/URF) has been on iPads since iOS 4.2 (2010) and is now widely supported by printer manufacturers (although it seems that many cheaper printers only support image/JPEG).

      3. Oh Homer
        Headmaster

        Re: "pretty much the only option"

        Actually there are quite a few more options beyond Google's Cloud Print, including the HP Print Service Plugin and PrintBot.

    6. Orv Silver badge

      Re: Maybe I'm thick...

      "... but why would I connect my printer to the Internet?"

      This is a big problem on college campuses, where the ethernet network is generally open to the Internet. Most new networked printers have firewalls (if someone has bothered to configure them), but old ones generally don't. There was a scramble to lock printers down at one institution I've worked at when they started spewing anti-Semitic propaganda sent from IP addresses in eastern Europe...

      An additional issue is networked copier/printers that are leased or on maintenance contracts. The companies that handle them tend to get testy if their access is cut off.

  2. Wensleydale Cheese

    What about wireless printers?

    When out and about in a nearby town over the weekend I was looking for the free wireless service that's available there and was surprised to see a couple of HP printers advertising themselves.

    1. Voland's right hand Silver badge

      Re: What about wireless printers?

      If it does postscript it's probably a fair game.

      People forget that postscript is:

      1. A programming language in its own right

      2. Implementations have never seen a proper security audit.

      1. Wensleydale Cheese

        Re: What about wireless printers?

        "If it does postscript it's probably a fair game."

        Should be easy enough to work that out, because their wireless Ids looked like a model number.

        The idea of a Postscript webserver is not new. First hit from a search gave me this post from 2002

  3. macjules

    And who 'owns' Postscript?

    None other than our favourite software company Adobe "There is NOTHING wrong with Flash" Systems.

  4. Anonymous Coward

    Ohh hp printers they are fun... some of the older models you had to do special key presses to actually turn the wifi off... using the software control panel would only set it to hidden and thus allow you to connect and change all sort of nice things...

    As for postscript, thank god for years I've defaulted to pclX unless a specific request/requirement has been made for ps, thankfully I think there is maybe a couple of rips on larger mfc devices that I know that are still using ps... thankfully they are going away soon :)

    Adobe... Bringing you all the good 0 day exploit vectors for many years to come.

    1. Doctor Syntax Silver badge

      "some of the older models you had to do special key presses to actually turn the wifi off"

      Owner of old HP printer here. What's this wifi of which you write?

    2. HieronymusBloggs

      "some of the older models you had to do special key presses to actually turn the wifi off"

      My preferred method is to disable the wifi circuit and/or antenna with wire-cutters.

  5. Anonymous Coward Silver badge
    Paris Hilton

    "they call Cross-Site Printing attacks"

    Surely if you've made your printer internet-facing, the whole purpose of that is to allow cross-site printing?

    1. Doctor Syntax Silver badge

      "if you've made your printer internet-facing, the whole purpose of that is to allow cross-site printing"

      or you simply didn't know any better.

  6. Anonymous Coward

    Of course, you could always change the server password to something other than 0!

  7. Colin Bull 1
    Facepalm

    what could go wrong

    I went to see a financial advisor to discuss a pension last week and took a printed summary of my finances. He replied by email declining his services with a PDF attachment of my summary with the words " I am returning your paperwork".

    Most people do not understand the basics of physics. Not only has he still got a copy, so has his printer/scanner, his ISP, my ISP, GCHQ and anyone who wants to infiltrate this moron's probably defenceless IT system.

    Exasperated of Cornwall

    1. creepy gecko

      Re: what could go wrong

      You've forgotten that the NSA also now have a copy. Donald is no doubt currently working out how to screw you over for your pension.

      1. cosymart
        Angel

        Re: what could go wrong

        Is that Donald as in Duck?

  8. Anonymous Coward
    Linux

    HTTP makes your printer an attack vector

    "Cross-site printing (XSP) attacks empower a web attacker to access the printer device as demonstrated by [1] who use a hidden Iframe to send HTTP POST requests" ref

    So it's a bug in the HTTP protocol rather than any defect in PostScript.

  9. Dwarf

    00 BORED

    Printer programming - nothing new there. It's kind of what it's there for - programming a page layout etc. Agree with the other posters that taking a printer off the network, when the diagram shows the connection is via the PC and PCs need to be connected to printers to print to them isn't logical. Most companies would not pass the "business value" test of moving printers to a different subnet even though larger companies are mainly using print servers. Surely most attacks these days would focus on the e-mail enabled scanning features that they all have built in. Amazing where badly trained users will send documents at the press of a button.

    The story made me laugh though as I got a date via a printer once. Back in the old Laserjet 4 days, I changed the 00 READY message to 00 BORED and got a support ticket in, it took a long time to fix as the PA was both interested and hot ! Amazing what you can do with PCL command codes :-), I recall that she was definitely 00 READY !

    1. Anon

      Re: 00 BORED

      PC LOAD FRENCH LETTER

      1. Korev Silver badge
        Joke

        Re: 00 BORED

        The printers here all want American Letter, is that why I'm single?

    2. Stoneshop
      Trollface

      Re: 00 BORED

      Back in the old Laserjet 4 days, I changed the 00 READY message to

      Insert Coin to Operate

      which caused the department where this particular printer was located to raise its under-collar temperature: "We're not going to pay to get company documents printed!"

      1. macjules

        Re: 00 BORED

        Haha! OMFG I did the same with a Laserjet 4P! They went ballistic.

      2. Orv Silver badge

        Re: 00 BORED

        "Replace White Toner Cartridge" is another fun one...

      3. Anonymous Coward

        Re: 00 BORED

        'Insert Coin to Operate'

        Ah, my 3 year old great nephew must have worked there in a previous incarnation, yesterday evening I had to remove a 20p piece from the front SD card slot of our Brother MFC-440CN, the thing was making all sorts of weird beeping noises and flashing obscure error messages on its display when I spotted the shiny object where no shiny object should have been.

        The joys of babysitting I suppose...(to keep him away from feeding the printer any further loose change, I set up my old Korg MS-10, put it through a multi-FX pedal and an amp then let him loose, result: Forbidden Planet soundtrack with added drumbox, oh, how my neighbours must love me...).

  10. ElReg!comments!Pierre

    "Take your printers off the web"?

    Hardly. If anything, the research shows you should PUT your printer on the web, with proper auth/access control. The attack vector here is NOT the printer but the personal computer (mis)used as the print server.

  11. oldcoder

    You only just noticed?

    I remember reading an OLD hack - done with OS9 I think it was - the user had trouble printing due to an overloaded queue, so every morning he submitted a "special" job - that threw away any job not his...

  12. oldcoder

    I remembered another old one - detected by slow print jobs. Turned out the printer was first forwarding the data to a printer in Russia, then printing locally.

  13. SImon Hobson Bronze badge

    Well the article mentions 32 years as the age of PostScript - and guess what, I recall back in the 80s that there were known "issues". One was that you can set an access code for admin/config changes - but it's rarely done.

    So if you send some PS to a printer that sets the access code - you're screwed !

    But personally I like PostScript - it makes sense !

    PCL is a mess - you can't take a "PCL" file made for one device and send it to any other PCL device and expect what comes out to be the same (or in some cases, even similar) - device resolution specific stuff comes to mind. You can with PS - with usually the biggest issue being missing fonts that come out as Courier.

    I've hand crafted PS - including doing one of the things the article mentions, redefining the showpage operator to put a header on printed faxes with information like date/time/sender. Trivial in PS, "non trivial" with PCL.

    1. Apprentice of Tokenism
      Pint

      @SImon Hobson

      I've hand crafted PS

      Please allow me to offer my sincere commiserations. Perhaps a cold one helps erasing those terrible memories?

      1. SImon Hobson Bronze badge

        Re: @SImon Hobson

        Why ? It's actually quite a nice language to work with and I enjoyed it.

        Now, if anyone suggested I had to do anything with PCL then they might learn some new colourful vocabulary.

        1. Orv Silver badge

          Re: @SImon Hobson

          I had to work with HP/GL once...although you can't really call that a "language" I guess. Not with a straight face.

  14. Anonymous Coward

    Mac display

    Does this affect Mac displays?

    1. cosymart
      Coat

      Re: Mac display

      Is this referring to the dirty mac brigade AKA Flashers or Macintosh Computers? Still trying to figure out why you mention the display?

      1. the spectacularly refined chap

        Re: Mac display

        Still trying to figure out why you mention the display?

        NeXT from which MacOS is derived used Display PostScript under the window system so that would have been vulnerable. I'm no expert on Macs but I believe that got reworked and switched to PDF for a superficially similar role in OS X. No, that wouldn't be vulnerable - PDF doesn't have the same generality as PostScript, and lacks decision making and flow control constructs, you just get the basic drawing operators.

    2. cd

      Re: Mac display

      Burberry have a plaid firewall, not sure about others.

    3. macjules

      Re: Mac display

      It affects Mac displays if you are using the Essex Girl method of printing

      1) Take screen to photocopier (see IT for extra long cables)

      2) Place screen flat down on photocopier.

      3) Press copy

  15. John Smith 19 Gold badge
    WTF?

    So a compromised PC sends stuff to a compromised printer that can then send it anywhere?

    OK it sounds a bit involved but I imagine could sidestep some types of security on the PC.

    Obvious question is why would you let your printer call out to the net, but I'm guessing it's because people don't realize it can?

    1. Ken Hagan Gold badge

      Re: So a compromised PC sends stuff to a compromised printer that can then send it anywhere?

      "Obvious question is why would you let your printer call out to the net, but I'm guessing it's because people don't realize it can?"

      Sadly, I think there are just as many people who would let their printer call out to the net "because it can" as would do so "because they don't realize that it can".

  16. Herby

    Makes me long for...

    The nice chain printer of old. Those 1403's could really put out the pages, all 132 columns of it, and writing notes on blue bar (I never did like green bar) was the way to go.

    Try hacking a printer like that!

    Yes, I do own a nice line printer, a 300 LPM band printer. Upper AND lower case!

    1. Stoneshop
      Boffin

      Re: Makes me long for...

      Chain, belt and drum printers have particular character sequences that cause all the hammers to fire at once printing such a line. A few pages of those will probably blow a fuse if not the entire power supply or, in case of a chain printer, break the chain. How's that for bricking?

      1. Orv Silver badge

        Re: Makes me long for...

        An old-timer I knew once told stories of sending row after row of hyphens, with carriage returns but no line feeds, to a chain printer in a computer lab. After a while it would weaken the paper and a form feed command would tear it, letting the end of the roll drop out of the printer and taking it offline.

    2. BJS

      Re: Makes me long for...

      If your 1403 had a carriage control tape (like this https://upload.wikimedia.org/wikipedia/commons/thumb/6/63/IBM_1403_carriage_control_tape.agr.jpg/1280px-IBM_1403_carriage_control_tape.agr.jpg), you could adjust it so it wouldn't make proper contact even when there were holes in the tape. As a result, the next form-feed command will empty a box of wide fan-fold paper in a matter of minutes, ejecting it in a dazzling shower of paper powered by the 1403's hydraulics.

  17. herman

    "Upper AND lower case!" Like the Blues Brothers: "Country AND Western".
