RISK ASSESSMENT RATING: 6.00
How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.
While it may not be immediately clear that this is a point of attack, wireless printers are becoming both more common and more vulnerable to attack.
The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.
Unlike many of our previous posts, the printer is not just a “plug-and-play” rogue device, nor does it have to be built. Instead, the attacker has to rely upon knowledge of a device that already exists on the network and may vary in attack simplicity.
The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.
The impact from a successful attack can be quite devastating - by using the misconfigured printer either as a window into the network or even by simply intercepting the print jobs sent to the printers, sensitive data can be much more easily accessed.
Wireless printers are becoming more and more common around the world, providing convenience in several different ways. However, this convenience comes with a security cost. It is vital to understand the different wireless modes these printers can be in, as well as the dangers of default configurations and how they can be exploited by the bad guys when not properly configured.
Wireless printers, while thought of as an office convenience, can also be a convenient way for rogue actors to access your network. There are multiple ways in which wireless printers can be used as rogue devices. These are:
- Wireless Client
- Wireless Access Point (Infrastructure Mode)
- Wireless Access Point (Ad-Hoc Mode)
- Wireless Printer Web Interface
Mode 1: Wireless Client
When using the wireless feature of a printer in an environment with a pre-existing, secured wireless infrastructure, the best way to use the printer is to configure it as a wireless client so that it connects to the secured corporate wireless network. By default, most wireless printers are NOT configured as wireless access points, although they do usually have WiFi enabled. This wouldn't necessarily be a security issue if the printer itself weren't set up to automatically connect to an open network used in initial configuration by the manufacturer. Wireless printer manufacturers like HP and Canon all use open wireless networks with names like "hpsetup" and "default" to configure large numbers of wireless printers at the factory. The problem is that these open wireless networks remain saved in the printers’ "preferred wireless network list." When WiFi is enabled on the printer and the printer is in range of an open network with the same SSID name, the printer will automatically connect to that wireless network, thinking that it is the default wireless network used to configure it. This makes the printer a vulnerable wireless client to Evil AP attacks, just like many other types of wireless clients that probe for open networks they have previously connected to.
This can be a real threat for the corporate network when an attacker tricks the printer into connecting to a malicious access point (Evil AP), which can then potentially do things such as take over the printer, dump the memory of sensitive printed documents, install hacker toolsets, and worse - potentially use the printer as a pivot point to gain access to the wired network if the printer is also connected to the network via Ethernet wire. Unfortunately, it is fairly common for someone to order a network printer that also has wireless capabilities, but configure only the wired Ethernet connection and fail to disable WiFi on the printer. In these cases, it is possible for an attacker to potentially access the rest of the wired network through the WiFi card of the printer.
This can be easily solved by disabling WiFi completely if only the Ethernet wired connection is intended to access the printer. If wireless is the preferred method of connecting the printer to the network, it is vital to ensure that it is connecting to a wireless network with proper security and encryption. If possible, either remove the default open wireless network from the printer's preferred network list or disable it from automatically connecting to that open network. This way, even if an attacker manages to de-authenticate the wireless printer from the corporate network, it won't automatically connect to a known open network like "hpsetup".
Mode 2: Wireless Access Point (Infrastructure Mode)
As wireless printers have become more prevalent, manufacturers often make the process of connecting to wireless printers even easier by configuring wireless printers to provide their own wireless access points by default so that wireless clients can simply connect to the printer itself. There are several issues here: for one, the default wireless access point the printer broadcasts is usually open, allowing anyone to connect to the printer directly over WiFi. If the printer is in its default state, an attacker can then access the printer's configuration and control with a default admin username and password - assuming an admin account is even present in a default configuration (which it usually is not). The attacker then has the capability to compromise almost anything, similar to when the printer is a vulnerable wireless client, except now it can also directly attack any other wireless clients connected to the printer’s wireless access point.
The other major issue for corporate wireless clients is that even if someone eventually locks the wireless printer's access point down, any corporate wireless client that has connected to the wireless printer in an open network state (no security or encryption) is now potentially vulnerable to an Evil AP attack, whether or not it is within range of the wireless printer. By default, most wireless clients will automatically connect to an open wireless network they have previously connected to, giving the attacker the ability to hijack corporate wireless clients by tricking them into connecting to a malicious wireless access point pretending to be the open wireless printer network. Again, if the corporate wireless client is also plugged into the wired network via Ethernet, the client can then potentially become a wireless bridge to access the wired network.
The key to avoiding this kind of problem is to properly configure the printer based on what the networking needs are. If it is intended to be a wireless-only printer, configure it to use encryption and do not also plug it into the wired network. Wireless infrastructure considerations should be made, such as using strong encryption and security, and also using a proper channel to ensure the printer's wireless network is not causing wireless interference with the rest of the corporate wireless infrastructure. If the printer is intended to strictly be a wired network printer, disable the WiFi card on the device. To ensure corporate wireless clients are not automatically connecting to open wireless networks, remove open networks from the wireless clients' preferred network list or simply disable automatically connecting to a preferred open network when in range.
Mode 3: Wireless Access Point (Ad-Hoc Mode)
This issue has all the same problems as when a printer is a regular wireless access point, except that when wireless clients connect in Ad-Hoc mode they also become open wireless access points themselves that anyone can connect to. Ad-Hoc mode should not normally be used in corporate environments, and is designed to be used more "on the go" in areas where wireless access is not available. These days, it is so trivial to set up a hotspot access point on almost any mobile device that Ad-Hoc mode isn't really needed to provide networking on the fly.
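The preferred-network-list cleanup recommended under Modes 1 and 2, and the Ad-Hoc check above, can be automated on client machines. The following is an added example, not part of the original post: it assumes Linux clients that store Wi-Fi profiles as NetworkManager keyfiles (normally under /etc/NetworkManager/system-connections/) with plain-text SSID values, and the sample profiles and finding names are constructed for illustration.

```python
import configparser

# SSIDs the article names as factory setup networks; extend for your own fleet.
PRINTER_SETUP_SSIDS = {"hpsetup", "default"}

def audit_profile(keyfile_text):
    """Return sorted findings for one NetworkManager keyfile profile."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(keyfile_text)
    # Newer profiles use [wifi]; older ones use [802-11-wireless].
    wifi = next((cp[s] for s in ("wifi", "802-11-wireless") if cp.has_section(s)), None)
    if wifi is None:
        return []  # not a Wi-Fi profile
    # No security section means an open network (cipher strength is not assessed here).
    secured = any(cp.has_section(s) for s in ("wifi-security", "802-11-wireless-security"))
    # NetworkManager autoconnects unless the profile says autoconnect=false.
    auto = cp.get("connection", "autoconnect", fallback="true").strip().lower() != "false"
    findings = []
    if not secured:
        findings.append("open-network")
        if auto:
            findings.append("open-autoconnect")
    # Case-insensitive match is an audit heuristic; real SSIDs are case-sensitive.
    if wifi.get("ssid", "").lower() in PRINTER_SETUP_SSIDS:
        findings.append("printer-setup-ssid")
    if wifi.get("mode", "infrastructure").lower() == "adhoc":
        findings.append("adhoc-mode")
    return sorted(findings)

# Constructed sample profiles (not taken from a real host).
SAMPLES = {
    "hpsetup.nmconnection":
        "[connection]\nid=hpsetup\ntype=wifi\n\n[wifi]\nmode=infrastructure\nssid=hpsetup\n",
    "corp.nmconnection":
        "[connection]\nid=CorpNet\ntype=wifi\n\n[wifi]\nssid=CorpNet\n\n[wifi-security]\nkey-mgmt=wpa-psk\n",
    "printer-direct.nmconnection":
        "[connection]\nid=PrinterDirect\ntype=wifi\nautoconnect=false\n\n[wifi]\nmode=adhoc\nssid=PrinterDirect\n",
}

def audit_all(profiles):
    """Map profile name -> findings, keeping only profiles that need attention."""
    results = {name: audit_profile(text) for name, text in profiles.items()}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, findings)
```

Profiles reported with open-autoconnect are the ones to delete or set to not connect automatically, since those are the entries an Evil AP can answer.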
Mode 4: Wireless Printer Web Interface
As manufacturers attempt to make connecting to these wireless printers ever easier, many have added web interface functionality. They generally add a hard drive with simple FTP and a web interface, providing a web server that can be an alternate point of attack. The attacker can then even store stolen data on the printer via the network connection. Any hard drive with pre-installed firmware is also potentially vulnerable to attacks that no proper configuration can fix, giving attackers a potential window into an organization’s network through the printer’s wireless connection.
Unfortunately, it is still very common to see these types of wireless threats in corporate environments due to a lack of proper and thorough configuration on network printers. While one of the most critical threats is a wireless printer being used as a potential "wireless bridge" to the wired network, the printer is just one type of device that can act as a wireless bridge or wireless entry point to the rest of the corporate network. There are many types of wireless bridge devices that can easily be used as rogue devices, and even in environments with no wireless access these devices can be used to create a doorway into the wired network by transparently creating a wireless bridge access point.