Monday, March 28, 2016

Weev weaves his back into the news by abusing Internet connected printers

Famous 'hacker' Andrew Auernheimer (aka 'Weev') is back in the news again, this time for abusing Internet connected printers.

Weev created a script to send commands to Internet connected printers and caused them to print out an anti-semitic flyer.  I won't post that cruft here, its offensive content is not relevant to the substance of this post.

What did Weev do?
He sent commands to thousands of printers in US IP spaces that had TCP port 9100 open.  This port is commonly used by printers to receive postscript commands and print data.  It turns out that it is also unauthenticated.  Weev scanned for printers across US IP address ranges and sent data to the open ports he found.


Then, he laughed about it - publicly on social media.  For a guy who went to prison previously for hacking, this isn't exactly a smart move.  Many have argued that if he hadn't publicized his AT&T 'hack' (really a URL modification), he probably wouldn't have been convicted under our extremely broken CFAA.

Weev also seems to be taunting the FBI in his Twitter posts.


Weev's own account of what he did is here (caution: contains offensive language).

How are printers even directly connected to the Internet?
If IPv4 address space is exhausted, why do printers have public IP addresses?  The answer is that many universities have obscene amounts of IPv4 address space.  They also tend to lack firewalls.  Some early Internet adopting companies have large IPv4 ranges as well, though they tend to be better protected.

At Rendition Infosec, we've worked with two companies in the last three years that have enough public IPv4 address space for all of their internal hosts.  In these cases, we recommended emphatically that they use NAT and not give internal hosts public IPv4 addresses.  With a public IPv4 address, you're one firewall misconfiguration away from having an internal host on the open Internet.  Use NAT, even if you don't technically have to - you get a huge security benefit built in.

Is this illegal?
Weev has stated repeatedly that he sent commands to devices on the Internet that required no authentication and were waiting for his commands.  Hence he has done nothing illegal.

This argument is ridiculous.  Someone asked me last night on Twitter if leaving the printers accessible to the Internet gave Weev some sort of implied authorization.  No, of course it doesn't.  If that's the case, leaving your garage door open invites people to steal its contents.  Note: neither is smart, but both are definitely illegal.

Could it have been worse?
This definitely could have been worse.  The printers accepted PostScript commands.  While PostScript commands normally just print text, they can contain device control commands as well.  As far as we know, Weev did not attempt to exploit any PostScript parsers in the printers themselves (although many have vulnerabilities).  PostScript commands could have been issued to cause the printers to go into endless loops of printing out garbage until they were rebooted.

What should I do?
Well, first if you are using public IPv4 address space for your devices, migrate to NAT.  Next, inventory your systems.  Impacted organizations failed SANS critical security control #2 (software inventory).  Nobody in security would realize these printers were exposed to the Internet and not take some action.  This doesn't just go for printers, you should know every port of every IP you have exposed to the Internet.  Anything less is negligent.

No printers with public IP addresses?  You should take this as a wake up call to check for your exposure internally.  After all, a malware sample could easily take advantage of your printers.  Social engineering might be easier with something printed rather than emailed.  And there may be liability or reputation concerns with the pages that come off your printer.  Take this opportunity to segment your network and close unused ports.

1 comment:

  1. I've been using Kaspersky security for many years, I'd recommend this Anti-virus to everyone.

    ReplyDelete

Note: Only a member of this blog may post a comment.