compromising multifunction printers - dfn-cert€¦ · significance vulnerability reaches maximal...
TRANSCRIPT
![Page 1: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/1.jpg)
Compromising Multifunction PrintersA Case Study of Epson MFP Security
Yves-Noel Weweler
![Page 2: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/2.jpg)
Multifunction Printers
„MFP (Multi Function Product/ Printer/ Peripheral),multifunctional, all-in-one (AIO) ...“https://en.wikipedia.org/wiki/Multi-function_printer
Typically combine:• Printer• Scanner• Photocopier• Fax
Today they are small sized computers capableof running fully blown operating systems
224. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 3: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/3.jpg)
Interrogation
How secure are MFP‘s and how can an attacker communicate unnoticed with a device?
Motivation:
• Germany (2014): ~ 81 million citizens• Ink-jet printer: 22.71 million (~ 28%)
• Multifunction printer: 21.68 million (~ 26.7%)https://multifunktionsdruckertest-24.de/entwicklung-des-anteils-von-druckern-und-scannern-in-deutschen-haushalten/
• Highly sensible documents
• Connected to access control systems
324. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 4: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/4.jpg)
Epson WF-2540
Hardware:• ARM926EJ-Sid Processor• 64 MB RAM• 12 MB EEPROM• FAX / DATA Modem• LAN / WLAN / USB
Software:• GNU/Linux Kernel 2.6.18 • BusyBox 1.7.2• uClibc 0.9.29• Proprietary binaries
424. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 5: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/5.jpg)
How to Compromise?
Locally:• USB
• Hardware access (EEPROM)
Remote:• Network services
• Self-built HTTP Server
• Firmware updates
524. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 6: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/6.jpg)
Firmware Structure
624. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 7: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/7.jpg)
IPL-Header
• Describe firmware structure with records
• Records refer to data sections
• Checksums do not cover headers
724. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 8: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/8.jpg)
Dumping the Memory
• Readout EEPROM‘s
• Unveil hidden contents
• Understand bootcode & checksums
824. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 9: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/9.jpg)
![Page 10: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/10.jpg)
![Page 11: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/11.jpg)
![Page 12: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/12.jpg)
Update Process Mechanics
• 1:1 copy of firmware into flash
• Hidden JFFS2 filesystem
• Bootloader not updated by firmware
1224. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 13: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/13.jpg)
Firmware
• Taken apart the firmware format
• Decoded checksum algorithm
• Capable of repacking custom firmware
• Capable of compiling own software
Problems:• No signing
• No encryption
• Poor checksums
1324. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 14: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/14.jpg)
Firmware Update Mechanism
• USB
• HTTP (LAN / WLAN)
• ~40 – 45 seconds
Two level process:1. Enter update mode2. Upload firmware binary
Problems:• No authentication• No CSRF prevention
1424. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 15: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/15.jpg)
Remote Exploitation Upgrade
• Victim visits a website and executes a malicious script
• Victim is tricked into updating the printer using CSRF, acting as the attacker
1524. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 16: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/16.jpg)
Hidden Communication
Unnoticed communication with a device?• Utilize integrated modem
• Use FAX connection as a proxy
• Access networks without IP-connectivity
Modem:• Softmodem
• Hook communication between modem and applications
• Implemented using a kernelmodule
1624. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 17: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/17.jpg)
Hooking the Modem
• Man-in-the-Middle-Attack on data channel
• Controlling incoming and outgoing connections
• Reading and writing data
Yves-Noel Weweler 24. DFN-Konferenz "Sicherheit in vernetzten Systemen" 18
![Page 18: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/18.jpg)
Significance
Vulnerability reaches maximal CVSS-Value of 10
EPSON:• ~15% market share in 2014• ~4.9 million printers sold in 2014• ~343 printer models
http://www.epson.com/cgi-bin/Store/BuyInkList.jsp
Vulnerable devices:• ~62 printers in the "WorkForce" series• ~5946 vulnerable devices in the IPv4 range (03/2016)• "Stylus" series (~211 models) probably also vulnerable
1924. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 19: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/19.jpg)
How to protect?
Epson started shipping new firmware at the beginning of 2016
• Update your printers firmware
• Restrict device access
• Block HTTP on port 80 for non administrative users
Yves-Noel Weweler 24. DFN-Konferenz "Sicherheit in vernetzten Systemen" 20
![Page 20: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/20.jpg)
Summary
How secure are MFP‘s and how can an attacker communicate unnoticed with a device?
• Successful penetration of printers
• All devices with network access are vulnerable
• Control over integrated modem
• Modem can be used to transfer data withoutIP-connectivity
2124. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler
![Page 21: Compromising Multifunction Printers - DFN-CERT€¦ · Significance Vulnerability reaches maximal CVSS-Value of 10 EPSON: •~15% market share in 2014 •~4.9 million printers sold](https://reader033.vdocument.in/reader033/viewer/2022042412/5f2c555b9b8f0d58975a6a1e/html5/thumbnails/21.jpg)
Questions?Thank you for your attention
2224. DFN-Konferenz "Sicherheit in vernetzten Systemen"Yves-Noel Weweler