Over the last month, there have been two attacks against unsecured, Internet-accessible printers. Both attacks were organised by the supporters of a YouTube star. The attacks caused the printers to push out a message asking people to support one YouTube star over another in a battle over ratings.
To most people, this is just an inconvenience and irritation. However, it has resulted in a waste of consumables such as printer paper and ink. But there are a number of more serious messages here that cyber security teams need to focus on.
What is this all about?
At the heart of this latest security issue for enterprises is a battle for dominance on YouTube. The long-time owner of the most subscribed to channel, PewDiePie, is at risk of losing their crown to T-Series. There is a lot of money to be had from the advertising on YouTube channels. As a result, where you rank is important. It has led to fan sponsored advertising campaigns around the world for both channels.
The latest round of this advertising campaign has taken advantage of a printer hack that has been known about for some time. At Black Hat USA 2017, Jens Müller, Vladislav Mladenov, Juraj Somorovsky and Jörg Schwenk presented a paper on Exploiting Network Printers. It showed how a tool called Printer Exploitation Toolkit (PRET) could find and remotely access printers. Once a printer has been identified, hackers can then use the tool to send work jobs to it.
This is not the first time that printers have been targeted. There have been sporadic attacks against Internet connected printers in the past. Many of those, however, have gone after home and small business users.
Enterprise printer attacks get hackers inside the business
While many will see this as an inconvenience and even amusing, there is a more serious message. In early 2017, printer giant HP Inc released an advertising campaign called the Wolf. It sees Mr Robot star Christian Slater warn enterprises of the risk of not securing their enterprise computers.
The advertising campaign runs to three seasons and shows how an attack can be created and how effective it can be. It demonstrates how access to print jobs can provide a hacker with the data required to compromise users' security.
This is not just about print jobs. Many organisations store template forms such as invoices in printers. When the data is sent to the printer it picks up the template, prints the form and then sends it for posting. A hacker could alter those templates too, for example by adding a new set of banking credentials. This would lead customers to send payments to the wrong account.
Hard disks inside many large enterprise printers also store print jobs. An attacker could access sensitive corporate data. This, in fact, was one of the scenarios that HP Inc covered.
Warning people is not the end of the problem. In August 2018, HP Inc was forced to issue a security fix for a known printer hacking flaw. It was a significant embarrassment for HP Inc, although it was focused on consumer devices. However, with the number of employees, especially senior employees, working from home, this is not just about a consumer risk.
Raising the stakes to destroy hardware
The latest printer attack has raised the stakes. The hacker involved, who uses the Twitter name @TheHackerGiraffe, told the BBC that the attack can even destroy the firmware inside printers. This is done by continually writing data to the chips inside the printers.
The BBC reports that he told them: “These chips have a limited lifetime of ‘writes’. If you keep the loop on enough, the chip will fry and the printer will no longer function.”
What do industry experts say?
Enterprise Times has received comment from several security vendors around these attacks.
Myles Bray, VP EMEA at ForeScout, said: “Hacking printers to distribute messages in support of your favourite YouTuber might sound like an innocent prank but, in reality, it lays bare just how porous network and device security is these days – and how easily these vulnerabilities can be exploited for nefarious purposes.
“A rogue printout might be a funny discovery for employees to make, but poor network and device security is no laughing matter. Affected organisations should see this as a wakeup call to re-evaluate their cyber security practices today, to avoid falling victim to more serious and costly attacks in the future.”
Alex Bazhaniuk, co-Founder and CTO, Eclypsium said: “In this incident, the attacker indicates that they could wear out one of the parts to cause permanent damage. We’ve seen this sort of thing in our research with flash storage, where an attacker can damage persistent storage media (like Flash memory chips) by sending many write and/or erase cycles.
“Attacks that permanently damage a system are not specific to printers. We know of many similar attacks that can target laptops, servers, network devices, and all sorts of IoT devices. In general, firmware exploits are often able to brick (or physically damage) the compromised device because firmware is essential for hardware to operate or even boot. Our recent video demonstrates such an attack on a server motherboard, for example.”
Enterprise Times: What does this mean?
Any Internet connected device is a target. Printers, like a lot of other IoT devices, are often sitting below the radar of the IT Security teams. This is a major mistake and one that needs addressing quickly by organisations. If they don’t, they will quickly find that the hackers are embedded inside their systems and they have no idea how it happened.
The risk of permanent damage to a device may not be of huge interest to many hackers. They want the data that has been cached on the printer. However, hacktivists will see this as a real opportunity to disrupt those organisations that they disagree with.
Closing this door will not be easy. Devices increasingly come with “call home” options. These ensure that they can call an engineer when there is a fault. For higher value devices, manufacturers use that usage data to understand device longevity. The solution, therefore, is as much on the device manufacturer as on the user. This is something that HP Inc discovered to its embarrassment in August.