Why You Should Fear Your “mundane” Office Equipment

DEF CON 27

Presented by: Mario Rivas, Daniel Romero
Date: Saturday August 10, 2019
Time: 12:00 - 12:45
Location: Track 3

The security of common enterprise infrastructure devices such as desktops and laptops has advanced over the years through incremental improvements in operating system and endpoint security. However, security controls for network devices such as enterprise printers are often ignored and thus present a greater potential for exploitation and compromise by threat actors seeking to gain a persistent foothold on target organisations.

In order to assess the current state of mainstream enterprise printer product security and to challenge common assumptions made about the security of these devices, which sit on key parts of enterprise networks and process sensitive data, we set out on a vulnerability and exploitation research project of six known vendors. We were able to find remote vulnerabilities in all printers tested through various attack vectors, revealing a large number of 0-day vulnerabilities in the process.

In this talk we walk through the entire research engagement, from initial phases such as threat modelling to understand printer attack surfaces to the development of attack methodologies and fuzzing tools used to target printer-specific protocols and functions. Besides of remarking important vulnerabilities found and their respective CVE’s, proof of concept exploits showing how it is possible to gain full control of printers and all of the data they manage will be presented. This will show how to use enterprise printers as a method of persistence on a network, perhaps to exfiltrate sensitive data or support C2 persistence on Red Team engagements.

We also address a number of challenges that researchers can face when performing vulnerability research on devices such as printers and how we used different techniques to overcome these challenges, working with limited to no debugging and triage capabilities. We also present mitigations that printer manufacturers can implement in order to reduce printer attack surfaces and render exploitation more difficult.

Daniel Romero

Daniel is currently a security consultant and researcher at NCC Group. During his career he has worked in interesting security projects, always trying to “break” as much as possible. In the last years Daniel has mostly been focused on embedded devices / IoT and all what surrounds it such as hardware, code review, reverse engineering, fuzzing or exploiting. Twitter: @daniel_rome

Mario Rivas

Mario is a penetration tester and security consultant at NCC Group in Madrid. His interests revolve around all areas of computer security, always trying to learn new things, and specially enjoying writing tools during the process to make his life a bit easier. Twitter: @Grifo


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats