Printers on fire

Wendy Grossman highlights the vulnerability of unprotected consumer hardware to attack.

Image: CC BY-NC-SA 2.0 Flickr: chaz6.com

It used to be that if you thought things were spying on you, you were mentally disturbed. But you're not paranoid if they're really out to get you, and new research at Columbia University, with funding from DARPA's Crash program, exposes how vulnerable today's devices are. Routers, printers, scanners – anything with an embedded system and an IP address.

Usually what's dangerous is monoculture: Windows is a huge target. So, argue Columbia computer science professor Sal Stolfo and PhD student Ang Cui, device manufacturers rely on security by diversity: every device has its own specific firmware. Cui estimates, for example, that there are 300,000 different firmware images for Cisco routers, varying by feature set, model, operating system version, hardware, and so on. Sure, what's the payback? Especially compared to that nice, juicy Windows server over there?

"In every LAN there are enormous numbers of embedded systems in every machine that can be penetrated for various purposes," says Cui.

The payback is access to that nice, juicy server and, indeed, the whole network. Few update – or even check – firmware. So once inside, an attacker can lurk unnoticed until the device is replaced.

Cui started by asking: "Are embedded systems difficult to hack? Or are they just not low-hanging fruit?" There isn't, notes Stolfo, an industry providing protection for routers, printers, the smart electrical meters rolling out across the UK, or the control interfaces that manage conference rooms.

If there is, after seeing their demonstrations, I want it.

Their work is two-pronged: first demonstrate the need, then propose a solution.

Cui began by developing a rootkit for Cisco routers. Despite the diversity of firmware and each image's memory layout, routers are a monoculture in that they all perform the same functions. Cui used this insight to find the invariant elements and fingerprint them, making them identifiable in the memory space. From that, he can determine which image is in place and deduce its layout.

"It takes a millisecond."

Once in, Cui sets up a control channel over ping packets (ICMP) to load microcode, reroute traffic, and modify the router's behaviour. "And there's no host-based defense, so you can't tell it's been compromised." The amount of data sent over the control channel is too small to notice – perhaps a packet per second.

"You can stay stealthy if you want to."

You could even kill the router entirely by modifying the EEPROM on the motherboard. How much fun to be the army or a major ISP and physically connect to 10,000 dead routers to restore their firmware from backup?

They presented this at WOOT (Quicktime), and then felt they needed something more dramatic: printers.

"We turned off the motor and turned up the fuser to maximum." Result: browned paper and…smoke.

How? By embedding a firmware update in an apparently innocuous print job. This approach is familiar: embedding programs where they're not expected is a vector for viruses in Word and PDFs.

"We can actually modify the firmware of the printer as part of a legitimate document. It renders correctly, and at the end of the job there's a firmware update." It hasn't been done before now, Cui thinks, because there isn't a direct financial pay-off and it requires reverse-engineering proprietary firmware. But think of the possibilities.

"In a super-secure environment where there's a firewall and no access – the government, Wall Street – you could send a resume to print out." There's no password. The injected firmware connects to a listening outbound IP address, which responds by asking for the printer's IP address to punch a hole inside the firewall.

"Everyone always whitelists printers," Cui says – so the attacker can access any computer. From there, monitor the network, watch traffic, check for regular expressions like names, bank account numbers, and social security numbers, sending them back out as part of ping messages.

"The purpose is not to compromise the printer but to gain a foothold in the network, and it can stay for years – and then go after PCs and servers behind the firewall." Or propagate the first printer worm.

Stolfo and Cui call their answer a "symbiote" after biological symbiosis, in which two biological organisms attach to each other to mutual benefit.

The goal is code that works on an arbitrarily chosen executable about which you have very little knowledge. Emulating a biological symbiote, which finds places to attach to the host and extract resources, Cui's symbiote first calculates a secure checksum across all the static regions of the code, then finds random places where its code can be injected.

"We choose a large number of these interception points – and each time we choose different ones, so it's not vulnerable to a signature attack and it's very diverse." At each device access, the symbiote steals a little bit of the CPU cycle (like an RFID chip being read) and automatically verifies the checksum.

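A toy model of the symbiote idea described above, as an added example (not Cui and Stolfo's implementation): hash the static regions, pick a different random set of interception points per installation, and do one small chunk of verification work at each interception. The function and class names, the chunked scheduling and the sample image are assumptions made for illustration.

```python
import hashlib
import random

def static_digest(image, regions):
    """SHA-256 across every static region, in address order."""
    h = hashlib.sha256()
    for start, end in sorted(regions):
        h.update(bytes(image[start:end]))
    return h.digest()

def pick_interception_points(image_len, count, seed):
    """Hypothetical helper: a fresh random set of hook offsets per installation."""
    return sorted(random.Random(seed).sample(range(image_len), count))

class Symbiote:
    """Toy model: each intercepted call hashes one small chunk (bounded CPU cost)."""
    def __init__(self, image, regions, points, chunk=64):
        self.image, self.points = image, set(points)
        self.baseline = static_digest(image, regions)
        self.work = [(s, min(s + chunk, end))      # chunk-sized work items
                     for start, end in sorted(regions)
                     for s in range(start, end, chunk)]
        self.pos, self.hasher, self.alerts = 0, hashlib.sha256(), 0

    def on_execute(self, offset):
        """Called for every executed offset; only hooked offsets do any work."""
        if offset not in self.points:
            return None
        s, e = self.work[self.pos]
        self.hasher.update(bytes(self.image[s:e]))
        self.pos += 1
        if self.pos < len(self.work):
            return "pending"
        ok = self.hasher.digest() == self.baseline  # one full pass finished
        self.pos, self.hasher = 0, hashlib.sha256()
        self.alerts += 0 if ok else 1
        return "ok" if ok else "tampered"

def run_pass(sym):
    """Drive the hooked offsets in turn until one verification pass completes."""
    hooks = sorted(sym.points)
    i, result = 0, "pending"
    while result == "pending":
        result = sym.on_execute(hooks[i % len(hooks)])
        i += 1
    return result

# Constructed sample: 1 KiB "firmware" with two static regions and a data area.
IMAGE = bytearray((i * 7) % 256 for i in range(1024))
REGIONS = [(0, 384), (512, 896)]
```

A change inside a static region is reported at the end of the next full pass, while writes to the non-static area between the regions are ignored.
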
"We’re not exploiting a vulnerability in the code," says Cui, "but a logical fallacy in the way a printer works." Adds Stolfo, "Every application inherently has malware. You just have to know how to use it."

Never mind all that. I'm still back at that printer smoking. I'll give up my bank account number and SSN if you just won't burn my house down.

Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series.



By Wendy M Grossman on Oct 22, 2011
