it’s a printer! it’s a file system! it’s both!

Not sure if this particular printer is a threat...

You probably don’t give much thought to the printers on your network, at least from a security point of view.  Well, some recent research presented at the ShmooCon hacker conference in Washington DC last week provides some insight into how HP printers can be used in a quite surprising way.

It turns out that HP’s networked printers all have some storage built into them in the form of RAM disks.  Normally, this storage is used to load fonts onto the printers.  Well, Ben Smith of the security research group remote-exploit.org got to thinking about that storage and how it might be put to use.

Smith described a toolsuite he designed called PrintFS, which takes the storage on all of those networked printers and aggregates it into a hidden file system, accessible only to those in the know.  PrintFS makes the printer storage look like a hard disk to computers with the software installed.

A program called PFScanner is used to find all of the printers on the network suitable for use with PrintFS.  According to Smith, PFScanner was written to evade signature based intrusion detection systems by varying the order in which it carries out its scanning steps.

When files are written to the virtual printer disk, they are compressed, encrypted and given randomly assigned file names which are mapped to a table stored on the computer running PrintFS.  Each file is stored on two separate printers, so that if a printer is turned off, rebooted or removed, the files in its memory are not lost.

PrintFS could provide attackers with a valuable tool for evading detection.  In many cases, attackers who gain access to networks spend a lot of time finding the information of value, packaging that information, storing it on a staging server, and then exfiltrating the data.  One of the ways that these long term attacks are discovered is when an alert system administrator finds the attacker’s cache of data waiting for transmission off the network.  By hiding the data in a virtual disk which is off the radar of most system administrators, the attackers gain more time to exploit the network.

PrintFS has another advantage for the attacker… if their presence on the network is detected, one of the tools in the suite provides a “panic button” which they can use to reboot all of the printers which make up the virtual hard drive.  Since the data is stored in the RAM of the printers, pushing the panic button will remove all of the data and leave no forensic evidence behind.

Given that PrintFS is a hacker tool, it is not surprising that Smith included some other functionality… for example, the PrintJack module which serves as a GUI for the scanner also allows the mischievous attacker to change the messages on printers’ status displays to something of their own choosing, say “Insert a quarter to print.”  The tool also has a denial of service mode which can either simply prevent jobs from being accepted by the printer or cause the printer to print black pages continuously, exhausting the supply of paper and/or toner.

I think what is most important about PrintFS is how it takes devices on our networks which we don’t give much thought to and uses them in a way which exploits their “dullness” to mask our ability to see what the attackers are up to.  While I hope that HP comes up with a patch to prevent this attack from being successful on newer printers, it is very likely that the majority of the millions of HP printers out in the field will remain vulnerable, since upgrading printer firmware is not on the top priority list for most IT departments.

It seems to me that the way to detect attacks like PrintFS is to get a good baseline of the traffic on your network and to look for anomalies involving the amount of data transferred between IP addresses and the times of those transfers.  If your office hours are nine to five and you start seeing megabytes of traffic flowing from a workstation to a printer at 3 AM, this is a good time to put on your investigator hat and find out why.
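One way to put that baseline-and-anomaly idea into code, as an added example that is not part of this post or of PrintFS: the flow records, the printer inventory, the business hours and the byte threshold below are all constructed assumptions, so adjust them to your own network.

```python
"""Flag off-hours bulk transfers from workstations to printers.

Added example, not part of the original post or of PrintFS. The flow
records, printer addresses and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: inventory of printer addresses on the monitored subnet.
PRINTERS = {"10.0.5.20", "10.0.5.21", "10.0.5.22"}
BUSINESS_HOURS = range(9, 17)   # 09:00-16:59 is "normal" for print jobs
BULK_BYTES = 1_000_000          # a megabyte to a printer, off hours, is odd

# Constructed flow records: "<timestamp> <src> <dst> <dst_port> <bytes>"
SAMPLE_FLOWS = """\
2011-02-01T10:15:00 10.0.1.14 10.0.5.20 9100 42000
2011-02-01T11:02:00 10.0.1.9  10.0.5.21 9100 310000
2011-02-02T03:07:00 10.0.1.33 10.0.5.20 9100 4800000
2011-02-02T03:09:00 10.0.1.33 10.0.5.22 9100 4800000
2011-02-02T03:20:00 10.0.1.33 10.0.9.5  443  900000
2011-02-02T14:30:00 10.0.1.14 10.0.5.21 9100 1500000
"""

def parse_flow(line):
    ts, src, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)

def find_suspicious(flows_text, printers=PRINTERS, bulk_bytes=BULK_BYTES):
    """Return (src, dst, timestamp, bytes) for flows to a printer that are
    both outside business hours and larger than bulk_bytes."""
    hits = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = parse_flow(line)
        if dst not in printers:
            continue
        off_hours = ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5
        if off_hours and nbytes >= bulk_bytes:
            hits.append((src, dst, ts.isoformat(), nbytes))
    return hits

def sources_spraying_printers(hits, min_printers=2):
    """Sources that pushed bulk data to several printers. PrintFS stores
    each file on two printers, so one host writing to multiple printers
    in the same window is the pattern worth escalating first."""
    by_src = defaultdict(set)
    for src, dst, _, _ in hits:
        by_src[src].add(dst)
    return sorted(s for s, d in by_src.items() if len(d) >= min_printers)
```

The 1.5 MB daytime job is left alone on purpose; a large PDF printed at 2:30 PM is normal, while the same volume at 3 AM to two printers from one workstation is what deserves the investigator hat.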

PrintFS is scheduled for release in the next week or two at www.remote-exploit.org.  It is written in the Python scripting language, which means that it will run on a variety of platforms (Windows, Linux and Mac).

PrintFS is just one of a number of interesting tools and techniques discussed during ShmooCon 2011.  I’ll be posting more about what I learned at ShmooCon over the coming weeks.

This post is a transcript of a piece I did for broadcast on IGTV – the weekly video broadcast of New York Metro InfraGard.
