You Overtrust Your Printer

Abstract: Printers are common devices whose networked use is vastly unsecured, perhaps due to an enrooted assumption that their services are somewhat negligible and, as such, unworthy of protection. This article develops structured arguments and conducts technical experiments in support of a qualitative risk assessment exercise that ultimately undermines that assumption. Three attacks that can be interpreted as postexploitation activity are found and discussed, forming what we term the Printjack family of attacks to pri… Show more

“…A reference use case sees an insider scan their local network for available 9100 ports. We define the Printjack family of attacks against network printers as follows [1]: Printjack 1 attack, zombies for traditional DDoS ( §4.1); Printjack 2 attack, paper DoS ( §4.2); Printjack 3 attack, privacy infringement ( §4.3).…”

“…This article is an abridged version of two workshop papers, one on Printjack [1] and one on Phonejack [2]. It adds relevant research questions and their answers, a clear definition of the assumed threat model, an assessment of the attack likelihood from the outside of the network and a revised, fullyjustified taxonomy for possible attack protection measures with respect to the stated threat model.…”

Multi-service Threats: Attacking and Protecting Network Printers and VoIP Phones alike

“…A reference use case sees an insider scan their local network for available 9100 ports. We define the Printjack family of attacks against network printers as follows [1]: Printjack 1 attack, zombies for traditional DDoS ( §4.1); Printjack 2 attack, paper DoS ( §4.2); Printjack 3 attack, privacy infringement ( §4.3).…”

“…This article is an abridged version of two workshop papers, one on Printjack [1] and one on Phonejack [2]. It adds relevant research questions and their answers, a clear definition of the assumed threat model, an assessment of the attack likelihood from the outside of the network and a revised, fullyjustified taxonomy for possible attack protection measures with respect to the stated threat model.…”

Multi-service Threats: Attacking and Protecting Network Printers and VoIP Phones alike

“…More precisely, we define a family of three attacks and, following the same style used against printers before [3], we term it the Phonejack family of attacks against VoIP:…”

“…A fundamental question we raised with printers [3] firmly arises also in this case. Why are phones configured without any security measure at all when we are used to protecting our institutional laptops with a number of such measures, such as authentication, just to begin with?…”

“…One of our favourite examples is the Samsung refrigerator leveraged to violate a set of Gmail credentials [15]. Another example we contributed is about printers, whose unprotected 9100 ports allow an attacker to mount a paper DoS as well as to eavesdrop the contents of the printouts [3].…”

VoIP Can Still Be Exploited - Badly

Vulnerabilities in Office Printers, Multifunction Printers (MFP), 3D Printers, and Digital Copiers: A Gateway to Breach Our Enterprise Network