misunderstanding scale

Jimmy Hess mysidia at gmail.com
Tue Mar 25 13:00:08 UTC 2014

On Sun, Mar 23, 2014 at 10:07 PM, Naslund, Steve <SNaslund at medline.com> wrote:

> As far as printers being a more dangerous attack vector than computers, I
> definitely don't buy that argument.  It does not change in v4 or v6.

Printers are not merely "attack vectors"; they are targets.
It only makes sense to describe them solely as potential vectors if the
printer is connected to the LAN the real target is connected to.

In which situation they are equally dangerous.
But there are more hackers who can leverage a computer using generic
scripts than can mess with a vulnerable printer using specialized attacks.

> Assuming that both stacks are vulnerable to attack I would be less worried
> about the printer because I am not aware of any of my printers running
> malware in v4.  I think the PC platform being much more

This is what makes printers more dangerous.  Users have no idea what code
is running on their printer.  It is the perfect place for an attacker to
patch the firmware: hole up, and set up their backdoor VPN, proxy, or
tunnel, because it's on 24x7 -- rarely replaced, almost never updated --
no antimalware software.

> complex and having many more interfaces for active programming like DLLs,
> Java, ActiveX, etc, are much more the threat.  I personally have

The complexity of the available middleware and third-party APIs has little
to do with what kinds of attacks can be launched from a compromised
printer being used to stage attacks; once the device is compromised, the
intruder will bring the minimal software they need.

You're talking about APIs that greatly expand the attack surface of some
computer software.  But it does not matter if the socket protocol used
by the printer was not designed with security in mind.

One good vulnerability is enough.  More known vulnerabilities don't
make it more dangerous after it is compromised; they just make it that
much more impossible to harden.

With the printer --- there is little attention to vulnerabilities, so
chances are patches are not even available.

> not seen a DDoS attack launched by printers (they may exist but I am

You haven't seen any chargen or snmp activity at all??

DDoS reflection using clumsy appliance defaults is among the most popular
attacks to be facilitated by printers.

> not aware of them).  If I was going to design an attack for a printer, I
> would think that data theft would  be the most dangerous.  I have

The most likely use of compromising a printer (following DDoS -- which
doesn't require breaking in) is to provide a covert backdoor for staging
further compromise attempts or man-in-the-middle attacks.

The computer has more data storage, so it is privy to more confidential
information, and the contents of network traffic from the computer are likely to
be the ultimate target.

But it just takes one man-in-the-middle against a LAN computer, with
malware covertly injected into a webpage, for a compromised printer to
breach a computer.

> wondered about multifunction printers emailing print data to someone but I
> have never seen that yet.

Maybe.  Is an intruder going to go through the trouble to compromise a
printer -- just to misdirect printouts?  Probably not.

But this requires profiling the intruder versus information at risk --

They want computing power, banking information, SSNs:

Typically stuff you will never find on printouts --- particularly within an
org whose staff are aware that documents sent to network printers go over
the LAN unencrypted,  and  therefore:  your printouts should never contain
that kind of information.

> Steven Naslund
> Chicago IL
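The chargen and SNMP reflection vectors the reply points at ("You haven't seen any chargen or snmp activity at all??"), as an added example that is not code from the original post or from anyone on the NANOG thread: a Python script that sends one datagram to 19/udp and an SNMPv1 GetRequest or SNMPv2c GetBulkRequest to 161/udp and reports how many reply bytes come back per request byte. It assumes the community string "public", encodes SNMP by hand (a small BER subset rather than a library), and embeds a constructed sysDescr reply so the encode/decode path can be exercised offline; `check_reflectors`, `udp_probe` and `SAMPLE_SYS_DESCR` are names chosen here, not anything from the thread.

```python
"""Probe a printer for the two UDP reflection vectors named in the thread, chargen
(19/udp) and SNMP (161/udp), and report how much each amplifies a request. Assumes
community "public"; the sysDescr reply used offline is constructed, not captured."""
import socket

SYS_DESCR_OID = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, answered by nearly every agent
MIB2_OID = "1.3.6.1.2.1"             # GetBulk from here returns a much larger reply

def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; the byte count is chosen so the sign bit stays clear."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_snmp_request(community: str, oid: str, bulk: bool = False,
                       request_id: int = 1, max_repetitions: int = 50) -> bytes:
    """SNMPv1 GetRequest (tag 0xA0) or, with bulk=True, SNMPv2c GetBulkRequest (0xA5)."""
    varbind_list = tlv(0x30, tlv(0x30, encode_oid(oid) + b"\x05\x00"))  # value is NULL
    if bulk:
        version, pdu_tag = 1, 0xA5
        fields = ber_int(request_id) + ber_int(0) + ber_int(max_repetitions)  # non-repeaters, max-rep
    else:
        version, pdu_tag = 0, 0xA0
        fields = ber_int(request_id) + ber_int(0) + ber_int(0)  # error-status, error-index
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode())
               + tlv(pdu_tag, fields + varbind_list))

def build_snmp_response(community: str, oid: str, value: bytes, request_id: int = 1) -> bytes:
    """GetResponse (tag 0xA2) with one OCTET STRING varbind; only used to construct the sample."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x04, value))
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + tlv(0xA2, pdu))

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, payload, next_pos) for the TLV at pos, handling long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def response_values(response: bytes) -> list:
    """(tag, bytes) of every varbind value in a GetResponse; raises on any other PDU."""
    _, msg, _ = parse_tlv(response)
    _, _, pos = parse_tlv(msg)              # version
    _, _, pos = parse_tlv(msg, pos)         # community
    pdu_tag, pdu, _ = parse_tlv(msg, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    pos = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, pos = parse_tlv(pdu, pos)
    _, vbl, _ = parse_tlv(pdu, pos)
    values, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = parse_tlv(vbl, pos)
        _, _, inner = parse_tlv(vb)         # skip the OID, keep the value TLV
        values.append(parse_tlv(vb, inner)[:2])
    return values

def amplification_factor(request: bytes, response: bytes) -> float:
    """Reply bytes per request byte: the number a reflection attacker shops for."""
    return round(len(response) / len(request), 2)

def udp_probe(host: str, port: int, payload: bytes, timeout: float = 2.0) -> bytes:
    """Send one datagram, return the first reply or b"" on timeout. Needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(payload, (host, port))
        try:
            return sock.recvfrom(65535)[0]
        except socket.timeout:
            return b""

def check_reflectors(host: str, community: str = "public") -> dict:
    """Probe chargen and SNMP on host; any factor above 0 means it answers unauthenticated."""
    chargen_req = b"\x00"                   # chargen answers any datagram with a line of junk
    probes = {"chargen/19": (19, chargen_req),
              "snmp-get/161": (161, build_snmp_request(community, SYS_DESCR_OID)),
              "snmp-bulk/161": (161, build_snmp_request(community, MIB2_OID, bulk=True))}
    return {name: amplification_factor(req, udp_probe(host, port, req))
            for name, (port, req) in probes.items()}

# Constructed sample value (not captured from a real device) for the offline path.
SAMPLE_SYS_DESCR = b"Example printer, constructed sysDescr for test"
```

Run `check_reflectors("<printer-ip>")` only against printers you administer. The GetRequest is 40 bytes on the wire; even the constructed sysDescr reply above comes back at 86 bytes, and a GetBulk against a chatty agent returns far more, which is why an attacker who spoofs the victim's source address gets the printer to do the sending. A non-zero factor on any row is fixed by disabling chargen, putting an ACL in front of 161/udp or moving to SNMPv3, not by anything on the PCs.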
