Posted by Robert Vamosi on February 21, 2017
On February 4, 2017, a Saturday night, a high-school student in the U.K. realized he wasn’t going to university to study computer science so he wrote a short program in C, and within a few hours had 150,000 internet-connected printers across the world spitting out ASCII art and messages. All this was harmless although the messages did say the compromise was the result of a botnet (there was no botnet). That said, what if such a botnet had been a real threat? How many organizations today include printers – or any aspect of the Internet of Things (IoT)– in their current threat models?
Known only by the nickname “Stackoverflowin,” the youth responsible agreed to an an interview with Motherboard. The student explained that he had been programming 14 hours a day and as a consequence had trashed his grades. Now, at least within the U.K., he will not be able to attend the computer science university programs he’d wanted. His script, however, was successful, finding a number of restaurant POS systems, with images of ASCII-drawn robots pouring out onto counter tops world-wide.
Which raises a valid question–should organizations be worried about internet-connected printers?
A few years ago, Columbia University student Ang Cui and his PhD advisor, Salvatore Stolfo, began testing printers. They found, in general, that printers were not very secure devices. After all, why should they be? Perhaps before printers were connected to the internet, back when you still needed a thick serial cable, that was true; to compromise a printer, you’d have to physically compromise it. With internet connectivity, however, that began to change. Anyone, anywhere in the world, could now gain access. Why?
Cui first came onto national media as a graduate student when he reported that he could make a laser printer burst into flames – or at least that’s what the popular media reported. At that time printer manufacturers didn’t always authenticate or otherwise sign their updates so Cui, using a freely available update schema from a major printer manufacture, designed and installed a malicious printer update that would disable the thermal sensor on a fuser in an inexpensive laser printer. This would in turn cause the printer to overheat and perhaps be hot enough to burn the paper inside.
Cui also found that Voice over IP (VoIP) phones in corporate offices could also be compromised. Doing so required what’s known as an “evil maid” scenario which, in security, is when a maid cleaning a hotel room inserts a USB onto your laptop to compromise your machine. In this case a janitor, after hours, would plug a USB into one of the phones and, once the malware was installed, the phone would then leverage a vulnerability that allowed the microphone used for hands-free operation to turn on even when the handset or the phone itself was not in use. In other words, the desktop phone could eavesdrop on live conversations at or around the desk.
Researcher H.D. Moore also found that video conference room equipment could be attacked remotely. Not only could an attacker join a sensitive conference call (say within a legal firm), the attacker could also turn the camera and zoom in a desktop outside the conference room, perhaps reading sensitive information or even a post-it note with a password. Last year, researcher Jamieson O’Reilly found a video conference system used by US Army, NASA, and CERN contained a similar vulnerability.
In the last few months, thousands of surveillance cameras worldwide were found to have the credentials hard coded, meaning once someone knew the password they could gain administrative control of the devices. Someone did and managed to construct the one of the largest IoT-based botnets known as Mirai.
In October, after the source code for Mirai was exposed on the internet, an attacker turned the Mirai botnet on a DNS resolver service, Dyn. The resulting distributed denial of service (DDoS) attack managed to throttle access to such popular sites as Netflix and AirBNB in North America. The sites themselves weren’t affected only the resolution service but the effect was the same to any end user trying to reach those sites.
Some in the security community remain dismissive of the potential for IoT to disrupt real-world enterprises. There’s some history to suggest they might be right. Mobile phones, once predicted to fall victim of the scourge of computer viruses that once consumed desktop PCs in the late 1990s, have so far avoided that fate. Strong security in both iOS and Android have contributed to that.
The difference is that IoT devices are, deep down, embedded systems running a variety of different Real time Operating Systems (RTOS) – some of which are secure, some not. These devices have been around for years meaning there are legacy devices out in the fields of large power generation plants that cannot be updated. Newer consumer devices invading our homes and offices are no better — some inexpensive devices are built with vulnerable open source components and were designed for obsolescence rather than updates.
It is important to consider any internet connected device in your threat model. The risks poised by these devices today may not seem large, but as we have seen with common devices (printers, video conferencing systems, and surveillance cameras) researchers and bad actors alike have nonetheless found viable compromises. And, as we have seen already, composing a few surveillance cameras can result in bigger consequences.
Trust, but verify, each internet-connected device you add to the network. Testing the firmware of any device brought inside the organization to learn its software composition should be part of any modern security policy. And if you can’t effectively define security controls to mitigate the risks posed by a given IoT device in your organization, then consider purchasing another device.