On September 20th, 2016, a large DDoS attack took down the site krebsonsecurity.com, the blog of renowned cybersecurity journalist Brian Krebs. Without exaggerating, this is perhaps one of the first moments when the general public finally reacted to the threat residing within the Internet of Things (IoT). One month later, the Mirai malware knocked out almost half of the Internet using a botnet made up entirely of webcams, routers and baby monitors. The list of potentially ‘hackable’ smart objects is continuously expanding – from connected cars to door closing systems in hotels and even cardiac devices.
While last year we were mainly concerned with these three threats: APTs, ransomware and DDoS attacks via IoT botnets, 2017 is likely to see the dawn of a hybrid type of hacking, one that would combine the techniques used in all three categories. Let’s say, for instance, that the connected objects of your enterprise were taken hostage. If you refuse to pay the ransom, those responsible threaten you with a DDoS attack. This new trend in cybercrime is also known as ‘jackware’. In other words, a more advanced type of ransomware, targeting exclusively IoT components. Or, should we rather say, RoT (the Ransomware of Things)?
The most recent incident of this type does not concern your connected socks (yes, that actually exists!), but, surprisingly, your printers. Why is a printer hack so surprising in this day and age? Let’s just say that these endpoints, ever-present in the life of a company, should be better secured by now. To try and raise awareness, a gray hat called Stackoverflowin committed the biggest hack of connected printers to date (we later learned that the hacker in question was actually a British high school student – GG UK!).
At the beginning of February, 150,000 HP, Brother, Canon and Epson printers, used by professionals and private individuals alike, suddenly started printing bizarre drawings. The doodles were also accompanied by the following advice: you must secure your machine.
Some users were impressed with Stackoverflowin’s technique
A well-intended suitor (fortunately)
To gain access to these devices, Stackoverflowin designed his own automated script, which allowed him to locate open ports and, consequently, all printers left unprotected. The script exclusively targets printers whose IPP (Internet Printing Protocol), LPD (Line Printer Daemon) and TCP/9100 ports are open to external connections. It also contains an exploit that uses an RCE (remote code execution) vulnerability to trigger unsolicited print jobs on targeted devices.
Stackoverflowin states that he stumbled upon quite a few differences in the way each country secures its printers. The good news? France is not among the worst students since its operators are usually preconfigured to block any incoming connection.
It is important to clarify that the purpose of this gray hat hacker was not to build a botnet. Indeed, Stackoverflowin claims to have only tried to sound the alarm about the cybersecurity risks of printers exposed online.
“People have done this in the past and sent racist flyers etc. I’m not about that, I’m about helping people to fix their problem, but having a bit of fun at the same time; Everyone’s been cool about it and thanked me to be honest.” (source: BleepingComputer)
The hack to which Stackoverflowin is referring took place in March 2016, when a cybercriminal nicknamed Weev triggered a spontaneous printing job on about a hundred printers, broadcasting anti-Semitic messages.
Not having even graduated from high school yet, the British youngster announced that he has done his part in raising awareness among the general public. And we can’t argue with him on that one.
A toxic relationship (unfortunately)
A report released last week reveals the disastrous security state of connected printers. Researchers also stated that these endpoints could easily be used as entry points and pivot points when attacking corporate networks.
To protect printers connected to the Internet, it is sufficient to verify that they can be accessed from the outside only using a secure protocol.
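An added example (not from the original article) of the verification described above: given an ordered, first-match firewall rule list, it reports which external source networks can still reach a printer on IPP (631), LPD (515) or TCP/9100. The rule tuple format, the addresses and the deny-by-default, IPv4-only, RFC 1918-is-internal model are assumptions made for illustration.

```python
import ipaddress

# Services named in the article; 631 and 515 are the standard IPP/LPD ports.
PRINTER_PORTS = {631: "IPP", 515: "LPD", 9100: "raw/9100"}
INTERNAL = [ipaddress.ip_network(n) for n in  # assumption: RFC 1918 only
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _subtract(nets, cut):
    """Remove network `cut` from every network in `nets`."""
    out = []
    for net in nets:
        if cut.subnet_of(net):            # split net around the cut
            out.extend(net.address_exclude(cut))
        elif not net.subnet_of(cut):      # disjoint, keep whole
            out.append(net)
    return out

def exposed_sources(rules, printer_ip, port):
    """External networks allowed to reach printer_ip:port. `rules` is an
    ordered first-match list of (action, src, dst, port_lo, port_hi);
    traffic matching no rule is denied (hypothetical format)."""
    dst = ipaddress.ip_address(printer_ip)
    remaining, exposed = [ipaddress.ip_network("0.0.0.0/0")], []
    for action, src, dst_net, lo, hi in rules:
        if dst not in ipaddress.ip_network(dst_net) or not lo <= port <= hi:
            continue
        src = ipaddress.ip_network(src)
        if action == "allow":             # only sources not yet shadowed
            hit = [n if n.subnet_of(src) else src for n in remaining
                   if n.subnet_of(src) or src.subnet_of(n)]
            exposed += [n for n in hit
                        if not any(n.subnet_of(i) for i in INTERNAL)]
        remaining = _subtract(remaining, src)
    return [str(n) for n in exposed]

def audit(rules, printers):
    """Map 'ip:service' to the external networks that can reach it."""
    found = {f"{ip}:{name}": exposed_sources(rules, ip, port)
             for ip in printers for port, name in PRINTER_PORTS.items()}
    return {k: v for k, v in found.items() if v}

# Constructed sample: documentation and private addresses only.
RULES = [
    ("deny",  "0.0.0.0/0",       "192.168.10.20/32", 9100, 9100),
    ("allow", "0.0.0.0/0",       "192.168.10.0/24",  9100, 9100),
    ("allow", "198.51.100.0/24", "192.168.10.20/32", 515,  515),
    ("allow", "192.168.0.0/16",  "192.168.10.0/24",  631,  631),
]
print(audit(RULES, ["192.168.10.20", "192.168.10.21"]))
```

In the sample, the explicit deny shadows the broad TCP/9100 allow for the first printer only, so the second printer is reported as reachable from any address.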
Problem solved, right? Yes, but no.
IoT spending is growing at a tremendous rate (3 times faster than traditional ICT markets). Today we’re talking about an attack targeting 150,000 printers, tomorrow the number could reach the order of millions. The truth is that we’ve committed, without even realizing it, to a toxic relationship with the IoT. However, we are still far from reaching a satisfactory level of security.
That said, the year 2016 saw the beginning of a movement that, while still weak, is nevertheless beneficial for our relationship with smart devices. The publication of the document “Strategic Principles in Securing IoT” by the US Department of Homeland Security and NIST is one example of the emerging efforts led by government agencies.
NIST is the National Institute of Standards and Technology, which is part of the US Department of Commerce. Over the years, the agency has had a positive impact on many aspects of cybersecurity. We hope that this approach – along with many others around the world – will help us move forward in 2017, working towards the goal of securing our digital lives against those who choose to extort from us.