Printers gone wild!

While researching how secure printers are, Ben Smith discovered some new malicious abuses as well as some fun new uses for old attacks.

This talk will cover how to send SNMP commands to HP printers and get back responses even if SNMP is disabled on the device.

It will also discuss some of the other fun that can be had with PJL and its lack of security, such as printer information gathering, control panel lockout, disk lockout, file uploads, file downloads and mass LCD changing.

Printer

Hacking

About the speaker

Security architect / Researcher. Author of several security tools, and one book. In my free time I work on various security projects. Some are RF/Wireless related, others are not.

Specialties: Wireless, Member of Aircrack-ng team. Networking. Creative Problem Solving.

Resources

During the 28th Chaos Communication Congress Ang Cui and Jonathan Voris present several generic firmware modification attacks against HP printers.

The attacks they present exploit a functional vulnerability common to all HP printers, and do not depend on any specific code vulnerability.

Download the presentation slides.

Update anyone’s printer with a Trojan image which spies on the documents being printed

The hacking possibilities go far beyond enabling choppy, early ’90s gaming: “We can therefore create our own custom firmware and update anyone’s printer with a Trojan image which spies on the documents being printed or is used as a gateway into their network,” Jordon wrote.

When firmware modifications attack: A case study of embedded exploitation

We present a case study of the HP-RFU (Remote Firmware Update) LaserJet printer firmware modification vulnerability, which allows arbitrary injection of malware into the printer’s firmware via standard printed documents.

Utterly crazy hack uses long-distance lasers to send malware commands via all-in-one printers

Researchers found that if a multifunction printer is attached to an air-gapped computer, attackers could issue commands to a malicious program running on it by flashing visible or infrared light at the scanner lid when open.

Related videos

BruCON 2010: Embedded system hacking and my plot to take over the world 1/4

This presentation analyzes common vulnerabilities in popular embedded systems that carry sensitive data every day.

OWASP AppSecUSA 2011: Ghosts of XSS past, present and future

This talk will discuss the past methods used for XSS defence that were only partially effective. Learning from these lessons, it will also discuss present-day defensive methodologies that are effective, but place an undue burden on the developer.

Printers gone wild!

Ben Smith presents new malicious abuses of printers as well as some fun new uses for old attacks.

Secure code reviews magic or art? A simplified approach to secure code reviews

This presentation will delve into the science and process behind secure code review and will continue to discuss a simplified approach to secure code review.

DEF CON 17: Hijacking web 2.0 sites with SSLstrip

Many websites mix secure and insecure content on the same page; this makes it possible to steal all the data entered on such a page easily, using Moxie Marlinspike’s new SSLstrip tool. I will give a brief explanation and demonstration of the technique.

Black Hat USA 2010: Jackpotting automated teller machines redux 1/5

I will demonstrate both local and remote attacks on ATMs, and I will reveal a multi-platform ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

OWASP AppSecUSA 2011: How NOT to implement cryptography for the OWASP Top 10 (Reloaded)

The talk uses fresh examples of application cryptography successes and failures, and also incorporates the new OWASP ESAPI.

29C3 GSM: Cell phone network review

We will describe the process of setting up the test network we operate at 29C3, what legal and technical challenges we have faced, and we will describe the actual installation at the CCH.

Embed trojan into a JPG Format

DEF CON 19: Defeating wired 802.1x with a transparent bridge using Linux

Using Linux and a device with 2 network cards, I will demonstrate how to configure an undetectable transparent bridge to inject a rogue device onto a wired network that is secured via 802.1x using an existing authorized connection.

22C3: Attacking the IPv6 protocol suite

After a short introduction on the differences between IPv4 and IPv6, the weaknesses in IPv6 will be shown. The highlight of the talk is the presentation of the THC-IPV6 Attack Toolkit.

DeepSec 2010: Android reverse engineering and forensics

Details of reversing software running on Android are scarce. This talk will explore the filesystem, memory, and reverse engineering techniques in-depth.

DeepSec 2007: Browser hijacking

This talk introduces Trabbler, the first highly versatile “cross site scripting Trojan”. In the talk, we will discuss Trabbler’s architecture and code and give practical examples of its application.

24C3: Cybercrime 2.0

The first part of the talk provides a brief history of Storm Worm focusing on the actual propagation phase. Afterwards we describe the network communication of the bot in detail and show how we can learn more about the botnet.

DEF CON 17: Abusing Firefox Addons

This talk details how we have abused some of the most popular and recommended Firefox addons, with previously unreleased vulnerabilities. Demos will cover remote code execution, local file disclosure and other tailored Firefox Addon exploits.

Pyrit demonstration (GPU cracking)

Short demo using the passthrough option of Pyrit which eliminates the need for giant tables taking up all your hard drive space.

DEF CON 13: Google hacking for penetration testers

Johnny Long reveals basic and advanced search techniques, basic and advanced hacking techniques, multi-engine attack query morphing, and zero-packet target foot printing and recon techniques.

29C3: We are all lawmakers!

In the Free City of Hamburg a coalition of hackers, activists and other players of civil society have drafted the most revolutionary Freedom of information law in the world.

How NOT to Store Passwords!

Tom Scott explains the insecure ways in which some websites deal with passwords.

DEF CON 17: MetaPhish

This talk will focus on building a phishing framework on top of Metasploit that pentesters can use to automate phishing and increase their overall capabilities.

Asymmetric Digital Warfare

This talk is intended to understand where and how the digital conflicts are conducted today, but we will dig deeply into the future.

OHM2013: SIM card exploitation

This talk ends the myth of unbreakable SIM cards and illustrates that the SIM cards are plagued by implementation and configuration bugs.
