Abstract
Printers are common devices whose networked use is vastly unsecured, perhaps due to an enrooted assumption that their services are somewhat negligible and, as such, unworthy of protection. This article develops structured arguments and conducts technical experiments in support of a qualitative risk assessment exercise that ultimately undermines that assumption. Three attacks that can be interpreted as post-exploitation activity are found and discussed, forming what we term the Printjack family of attacks to printers. Some printers may suffer vulnerabilities that would transform them into exploitable zombies. Moreover, a large number of printers, at least on an EU basis, are found to honour unauthenticated printing requests, thus raising the risk level of an attack that sees the crooks exhaust the printing facilities of an institution. There is also a remarkable risk of data breach following an attack consisting in the malicious interception of data while in transit towards printers. Therefore, the newborn IoT era demands printers to be as secure as other devices such as laptops should be, also to facilitate compliance with the General Data Protection Regulation (EU Regulation 2016/679) and reduce the odds of its administrative fines.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Shemshadi, A., Sheng, Q.Z., Qin, Y., Sun, A., Zhang, W.E., Yao, L.: Searching for the internet of things: where it is and what it looks like. Pers. Ubiquit. Comput. 21, 1097–1112 (2017)
Costantino, G., Matteucci, I.: CANDY CREAM - haCking infotAiNment anDroid sYstems to Command instRument clustEr via cAn data fraMe. In: Proceedings of the 17th IEEE International Conference on Embedded and Ubiquitous Computing EUC 2019. IEEE (2019, in press)
Union, E.: General Data Protection Regulation (EU Regulation 2016/679) (2016). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL
Shodan: search engine for the Internet of Things (2019). https://www.shodan.io/
Wikipedia: European states by GDP. https://en.wikipedia.org/wiki/List_of_sovereign_states_in_Europe_by_GDP_(nominal)
International Organization for Standardization: Information technology - Security techniques - Information security risk management (2018). https://www.iso.org/standard/75281.html
Sirbu, M.: Security concerns in a 5G era: are networks ready for massive ddos attacks? (2019). https://www.scmagazineuk.com/security-concerns-5g-era-networks-ready-massive-ddos-attacks/article/1584554
Vice: How 1.5 Million Connected Cameras Were Hijacked to Make an Unprecedented Botnet (2016). https://www.vice.com/en_us/article/8q8dab/15-million-connected-cameras-ddos-botnet-brian-krebs
MITRE (2019). https://cve.mitre.org/
MITRE: CVE-printer (2019). https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=printer
MITRE: CVE-printer (2019). https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=printers
NIST: CVE-2014-3741 (2014). https://nvd.nist.gov/vuln/detail/CVE-2014-3741
Müller, J., Mladenov, V., Somorovsky, J., Schwenk, J.: SoK: exploiting network printers. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 213–230 (2017)
Wireshark: Wireshark project (2019). https://www.wireshark.org/
Ettercap: Ettercap project (2019). https://www.ettercap-project.org/
GitHub: Printer Exploitation Toolkit (2018). https://github.com/RUB-NDS/PRET
Muller, J.: Printer Tool Wiki (2017). http://hacking-printers.net/wiki/index.php/Main_Page
Vice: This Teen Hacked 150,000 Printers to Show How the Internet of Things Is Shit (2017). https://www.vice.com/en_us/article/nzqayz/this-teen-hacked-150000-printers-to-show-how-the-internet-of-things-is-shit
Acknowledgements
We are indebted to Gianpiero Costantino and Ilaria Matteucci for arousing innumerable inspiring discussions. This work has been partially supported by the GAUSS national research project (MIUR, PRIN 2015, Contract 2015KWREMX).
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Bella, G., Biondi, P. (2019). You Overtrust Your Printer. In: Romanovsky, A., Troubitsyna, E., Gashi, I., Schoitsch, E., Bitsch, F. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2019. Lecture Notes in Computer Science(), vol 11699. Springer, Cham. https://doi.org/10.1007/978-3-030-26250-1_21
Download citation
DOI: https://doi.org/10.1007/978-3-030-26250-1_21
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-26249-5
Online ISBN: 978-3-030-26250-1
eBook Packages: Computer ScienceComputer Science (R0)