On 12/07/2011 02:30 PM, Leslie S Satenstein wrote:
:) then you are smarter than 98% of the rest of us (I've just pulled that number from the hat), but what makes you think the copycentre can't suffer from the same problem we are discussing here?

- wireless has nothing to do with the vuln. described. As long as some computer has "only print" access (read: able to reach port 9100 (jd) or 510 (lpd) or 631 (ipp) of the printer) and AFAIK there are no firewalls between printers and the rest of the LAN in any normal network, I repeat, the printers are vulnerable from any internal connection. FCS, even if you connect your mobile phone to an AP and get access to the local LAN, then you can infect all the printers on that LAN using only your phone (ok, it has to be a good smart phone, running some specially crafted software on it), there is no need for a malicious hacker to get access to the mighty print server :)
- any update has to be digitally signed and in any case it should not be possible to send a firmware update using the same mechanism as normal printing... (at least it should use a web interface with auth, or some ftp mechanism)

And now let's not panic:

- From what I can see, there is no way to make a "universal virus" - each printer model has a different firmware, running on different hardware (more or less), so making a real virus is not an easy task (on the contrary, if you want just to destroy a bunch of machines, that's easy: just write a firmware full of nulls)
- I presume we might see (there are already some of them in the wild) "targeted" attacks - if we need to get into a company like Google, let's say, we will investigate what kind of printers Google uses internally and we'll prepare a special firmware for those models. Again, this is not trivial, but an organization with resources can and will do it, it's just that an amateur security researcher like me will not be able to do it in his spare 2 hrs time (or maybe I am just not that good at it, why not?).

A different, more sneaky, approach would be to download each printer's firmware on the "infection spreading machine" and patch that firmware on the spot - that will keep the firmware version and all the functions identical in the printer, adding the "extra code" will be almost invisible - who checks the md5's of his printer firmware dump? (this is more from spy movies than from the real world, but after we saw Stuxnet nothing seems impossible, ain't it?)

Lastly, just out of curiosity, try to run a scan on a random /16 of the internet for open ports 9100, 515 or 631 - it's amazing how many people put their printers directly on the internet!

--
Best Regards,
Sorin Toma
_______________________________________________ mlug mailing list [email protected] https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
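
The message above notes that printers accept traffic on 9100, 515 and 631 from any host on the LAN. As an added example (not part of the original message), this sketch audits flow records for hosts that talk to printers directly instead of through the print server; the addresses, the allowed print server and the CSV flow format are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Print-service ports named in the message above: raw/JetDirect, LPD, IPP.
PRINT_PORTS = {9100: "raw", 515: "lpd", 631: "ipp"}

# Hypothetical site layout: printers in one VLAN, one sanctioned print server.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.5")}

# Constructed sample flow records: src,dst,dport,bytes
SAMPLE_FLOWS = """\
10.20.1.5,10.20.30.11,9100,48211
10.20.7.44,10.20.30.11,9100,7340032
10.20.7.44,10.20.30.12,9100,7340032
10.20.9.2,10.20.30.11,631,1200
10.20.9.2,10.20.40.8,443,900
203.0.113.9,10.20.30.12,515,300
"""

def audit_flows(text):
    """Return {source: [findings]} for printer traffic that bypasses the print server."""
    findings = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        src, dst, dport, nbytes = row
        src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if dst_ip not in PRINTER_NET or port not in PRINT_PORTS:
            continue  # not a print service on a printer
        if src_ip in ALLOWED_SOURCES:
            continue  # the sanctioned path
        findings[src].append({"printer": dst, "service": PRINT_PORTS[port],
                              "bytes": int(nbytes),
                              "external": src_ip not in INTERNAL_NET})
    return dict(findings)

def fan_out(findings, threshold=2):
    """Sources that reached several printers: one host pushing data to the fleet."""
    return sorted(s for s, hits in findings.items()
                  if len({h["printer"] for h in hits}) >= threshold)

if __name__ == "__main__":
    result = audit_flows(SAMPLE_FLOWS)
    for src, hits in result.items():
        for h in hits:
            print(src, "->", h["printer"], h["service"], h["bytes"],
                  "EXTERNAL" if h["external"] else "")
    print("fan-out:", fan_out(result))
```

Each finding is a candidate for a firewall rule that restricts the printer VLAN to the print server; large transfers to several printers from one workstation deserve a look first.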
