Ang Cui is the CEO and chief scientist of Red Balloon Security, but from 2008 until 2015 he was a graduate student at Columbia University, where he spent more time thinking about laser printers than most of the people who used them. Cui wondered, in particular, whether he could hack into a corporate printer in order to steal sensitive business data, thinking if he could pull it off, someone with more than a merely academic interest in doing so could do the same.
After all, Cui noticed, printers were way behind the times. IT teams rarely change the admin passwords on printers as often as they should, and the software and the firmware used in printers—especially commercial printers for the home office—contain a lot of basic security flaws. The thing is, very few people see an office printer as vulnerable. They think they’re enjoying what’s sometimes called “security by obscurity”: If no one notices the flaw, then it isn’t there.
But many printers and copiers have one important thing in common—they often both contain hard drives. Unless that hard drive is encrypted (and many are not), it’s possible to find out later on what’s been printed. All this has been known for years. What Cui wondered was if he could essentially turn a company printer against its owners. Here’s what he discovered.
To make things more interesting, Cui wanted to attack the printer’s firmware code, the programming embedded inside a chip within the printer. Unlike traditional PCs and mobile devices, digital TVs and other “smart” electronics don’t have the power or the processing resources to run a full-blown operating system such as Android, Windows, and iOS.
Instead, they use what’s called “real-time operating systems” (RTOS), which are stored on individual chips inside the device (frequently known as “fireware”). These chips store only the commands needed to operate the system and not much else. And occasionally even these simple commands need to be updated by the manufacturer or vendor. Since that happens so rarely, many manufacturers simply don’t build in the proper security measures.
Cui wanted to see what would happen if he hacked the file format that Hewlett Packard (HP) used for its firmware updates, and he discovered that HP didn’t check the validity of each update. So he created printer firmware of his own—and the printer accepted it, just like that. There was no authentication on the printer’s side that the update came from HP. The printer only cared that the code was in the expected format. Cui was now free to explore.
In one widely reported experiment, Cui found that he could do more than gain access to sensitive company information. He could turn on the fuser bar, the part of the printer that heats the paper after the ink has been applied, and leave it on, which would cause the printer to actually catch fire.
The vendor—not HP—immediately responded by arguing that there was a thermo fail-safe within the fuser bar, meaning the printer could never overheat. However, that was Cui’s point: He’d managed to turn that fail-safe feature off so that the machine could burst into flames.
As a result of these experiments, Cui and his adviser, Salvatore Stolfo, argued that printers were weak links in any organization or home. For example, the HR department of a Fortune 500 company might receive a maliciously coded resume file over the internet. In the time it takes the hiring manager to print that document, the printer through which it travels could be fully compromised by the hacker’s resume installing a malicious version of the firmware.
There are solutions here. “Secure printing,” also known as “pull printing,” is a process that makes sure documents are only released upon a user’s authentication at the printer terminal itself, usually by using a PIN, smart card, or biometric fingerprint. Pull printing also eliminates unclaimed documents, preventing sensitive information from lying around for everyone to see. But companies grappling with cybersecurity concerns often find that when they plug one hole, two more pop up.
Building on his printer attacks, Cui found similar vulnerabilities in “Voice over Internet Protocol” (VoIP) telephones, typically used for conference calls. As with printers, these devices had major security vulnerabilities that were hidden in plain sight. Most VoIP phones have a hands-free option that lets you put someone on speakerphone. There’s also an “off the hook” switch, which tells the phone when someone has picked up the receiver and when it’s been put back with speakerphone till on. Cui realized that if he could compromise the “off the hook” switch, he could make the phone listen to conversations nearby via the speakerphone microphone—even when the receiver was on the hook!
Each time Cui has presented this research, using different VoIP phones, the vendor was notified in advance and ultimately produced a fix. But Cui has pointed out that just because a patch exists doesn’t mean it gets applied. Some of the unpatched phones might still be sitting in offices, hotels, and hospitals right now.
Previously, researchers at Stanford University and in Israel found that even having your mobile phone sitting next to your computer at work can allow a third party to eavesdrop. The trick requires malware to be inserted onto your mobile device. But with maliciously coded apps available for download from rogue app stores, that’s easy enough, right?
With the malware installed on your mobile phone, the gyroscope within the phone is now sensitive enough to pick up slight vibrations. The malware in this case, researchers say, can also pick up minute air vibrations, including those produced by human speech. Google’s Android operating system allows movements from the sensors to be read at 200 Hz, or 200 cycles per second. Most human voices range from 80 to 250 Hz. That means the sensor can pick up a significant portion of those voices. Researchers even built a custom speech-recognition program designed to interpret the 80–250 Hz signals further.
And sorry, but wireless keyboards are vulnerable, too. Security researcher Samy Kamkar developed something called KeySweeper, a disguised USB charger that wirelessly and passively looks for, decrypts, logs, and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.
So just because you avoid bogus hotspots at cafés and airports doesn’t mean you’re much safer in your office. Someone in your office may set up a wireless hotspot, and your device might automatically connect to it. IT departments typically scan for such devices, but sometimes they don’t. The point here is neither to strike fear into the hearts of modern office workers nor to castigate IT teams, which are often spread thin and doing the best they can. But especially as companies are struggling with a cybersecurity skills gap, a little heightened awareness around the office can go a long way.
For specialist advice regarding your specific circumstances, please contact the BCR team.