Networked printers and other seemingly banal home and office equipment are now treasure troves of sensitive information to be mined by the bad guys.
I recently came upon this video, aired last year by CBS, showing how discarded office copiers are a gold mine for private information, trivially harvested from disk drives within the machines. From copiers randomly selected from a used copier warehouse, investigators recovered lists of wanted sex offenders, drug raid targets, architectural design plans, personal identification information (name, address, SSN), and medical records – including blood test results and a cancer diagnosis.
When asked whether this could be prevented, a copier company said that customers could purchase a $500 option that erases copied images from the hard drive after use. Seriously. Give the guy who wrote those couple of lines of code a bonus.
Another obvious solution: full disk encryption (FDE).
Now think about other home/office equipment that could record sensitive information:
- Fax machines
- Phone message recording systems
- Digital signage
- Video conferencing systems
- Security camera systems
- Smartphones and tablets
A key point is not that this hard drive problem is hard to fix, but that most people are simply unaware of the risks associated with increasingly sophisticated embedded computers.
Besides sensitive information stored in plaintext, what other kinds of vulnerabilities may be lurking? Let's take a look at printers.
A quick search on one of my favorite web sites – the vulnerability search engine of the US-CERT National Vulnerability Database – for “printer” turns up 119 software vulnerabilities. Many of these are related to printing apps and drivers on the desktop operating system that requests print services. But not all.
- CVE-2010-4107 (published a couple of months ago): the default configuration allows remote attackers, via print job commands, to read arbitrary files on the printer's file system.
- CVE-2009-3842: vulnerability in multifunction and laser printers allows remote attackers to obtain access to data via unknown attack vectors.
These were just on the first page of results; I didn't look further.
IT personnel need to think of all information processing devices as security risks and treat them accordingly. If you can't determine exactly what kind of software and hardware is running within, consult the manufacturer, pry it open, do whatever you need to do. This is especially critical if the device is connected to your network. And be extremely careful about disposal or in-service replacements.
Also important is attending to known vulnerabilities. It is unlikely that your printer is going to get an automated Patch Tuesday over the web. So even an older vulnerability like this one, discovered back in 2002, which allows a remote attacker to steal the printer's administrative password over an SNMP connection, may still be present on your network.
To get a feel for the myriad ways that networked printers can be attacked, check out this great web site by Adrian Crenshaw and this excellent BlackHat presentation, Vulnerabilities in Not-So Embedded Systems. In the latter, Brendan O'Connor demonstrates how to exploit vulnerabilities in the printer's web interface as well as the widespread ambient authority weaknesses in the printer's Linux OS to completely commandeer the system (running arbitrary code at root privilege): record all print jobs, tamper with billing data, etc. And with the printer pwned, it is used as a launching point for other attacks across the network.
Yes, IT security administrators should take note. But the Embedded Security Blog is aimed at embedded systems professionals – the folks building these devices. What can you do to ensure that your name, or your company's, does not end up in bold print across the security trade rags or on CNN?
Sadly, many of you are thinking along these lines:
- I'm going to use a “hardened” version of Linux or Windows, where I've removed unneeded applications and disabled unneeded services
- I'm going to do a scan and make sure there are no IP ports that are unaccounted for, including the one used for debugging
- I'm going to make sure I have the latest security patches for my OS
- I'm going to ensure that SSL is used for all remote administrative connections
In other words, exactly what the developers of the printers whose vulnerabilities are splashed all over the National Vulnerability Database, Secunia, Symantec Security Response, Black Hat, and Defcon were thinking.
If you're really serious about security, a different approach is needed: an approach that yields provable security, not the fail-first, patch-later muck in which so much of the electronics world is mired. Serious security means committing to what I call PHASE – Principles of High Assurance Systems/Software Engineering. The details of PHASE can't be learned from a book (a book would help, but I haven't finished writing it yet); successful application of PHASE to embedded systems requires a combination of expert guidance and training, the right tools and building blocks, and ultimately, experience. And PHASE can be used without rewriting your software (e.g. Linux can be safely incorporated if you understand that security must not be entrusted to it).
Dave Kleidermacher is CTO of Green Hills Software. He writes about security issues, sharing his insights on techniques to improve the security of software for highly critical embedded systems.