Printer Hacking Gets Easier

Tuesday, August 19, 2014 @ 05:08 PM gHale


Printers have long been a potential source to hack into networks, but now it may be easier than ever to get in through multifunction printers.

Access through these devices could allow access to Active Directory accounts, said Rapid 7 security consultant Deral Heiland, adding he can gain access to corporate active directory credentials through credentials stored in the latest printers in one in every two attempts.

RELATED STORIES
IoT Beware: Worm Hitting Devices
Android Gyroscopes Act as Listening Device
Using Wi-Fi to Broadcast Phone Location
New Android and iOS Mobile Malware

Four years ago, he said, they had only a 10 to 15 percent success rate.

High end Konica Minolta, Sharp, Dell, Canon and HP enterprise multi function printers spewed usernames, email addresses and passwords from address books, even after some vendors released fixes. Researchers were able to entice the machines to give up Active Directory usernames and application data and offered hostname information.

Heiland said in one published report he was able to gain access to Active Directory environments by extracting useable credential data from multi-function printers 40 to 50 percent of the time.

He walked into a 1000-person company that has some current business/enterprise printers and 40 to 50 percent of the time he was able to get Active Directory credentials off those printers to gain elevated access.

“A lot of people don’t realize these high end printers can store passwords in the address books,” he said.

The Canon hack worked because encryption of passwords in the POST request could end up turned off, enabling an attacker to ask for the passwords, Heiland said.

Data extractable from the printers included usage tracking, scanned-in files and emails, and LDAP credentials.

He said an LDAP pass-back attack worked on almost all enterprise printers since most allowed remote LDAP lookups which would send attackers plain-text passwords.

During one enterprise security test Heiland said he was able to access the payroll database for its 4000 staff through a human resources printer the company did not isolate.



Leave a Reply

You must be logged in to post a comment.