Over the past few weeks, there has been an uptick in “attacks” on internet-connected printers. Just weeks after Stanford, Vanderbilt, and the University of California, Berkeley were hit with anti-Semitic flyers being pushed to their internet-connected printers, a number of other institutions were hit with a similar but less malicious form of attack. Columbia University was unfortunately among the businesses and institutions that fell prey to this exploit. Though this particular attack was committed with relatively little malicious intent, these types of exploits will continue to be used both as a tool to drain resources and as an avenue for hate speech.

The most ubiquitous print job to come out of Columbia’s internet-connected printers was credited to a self-proclaimed “whitehat security enthusiast” known as @lmaostack. Lmaostack is fairly active in the whitehat security community and has a GitHub repository with a couple of other exploits that he enjoyed executing and decided to share with the world. During this campaign, Lmaostack was unexpectedly able to discover over 150,000 vulnerable hosts before actually going through with the exploit.

Lmaostack pushed print jobs like the one featured above to printers with open ports at a wide variety of institutions. However, when DCG analyzed the content of the printout, we identified a couple of key elements that were suspect. Particularly suspicious is the claim that the printer is part of a botnet. Exploiting a vulnerability in internet printing protocols to push raw print jobs does not mean the printer is now infected and part of a botnet, or even indicate that the device is susceptible to that kind of exploitation. This aspect of the print job seems to be there just for the sake of grabbing attention and a bit of fear mongering. DCG has also observed no indication, based on its research of the SIPA network, that any devices at SIPA are currently part of a botnet. Finally, we can think of this attack as a physical denial of service, had it been designed to print these out at a much larger scale. Though we often think of denial of service attacks in the context of a botnet being used to overload a system, denying its ability to “serve,” we can extend that definition to this event: unlimited print jobs pushed to the printers could have prevented people from using them and/or caused physical wear and tear on the machines, interrupting the day-to-day operations of different institutions, particularly schools.


The How

Lmaostack created an automated script in C that sought out printers matching their criteria for a certain vulnerability they could exploit. In Columbia’s case, it seems that they were able to exploit open port 9100. Port 9100 is a TCP port, and specific ports are reserved to enable the functionality of specific network services and communication between devices. TCP port 9100 is commonly used by printer manufacturers to provide a raw TCP port for print data. Port 9100 is not operated by commands; rather, as previously stated, it accepts a raw stream of data which is sent straight to the printer. This is why, in this particular case, lmaostack used ASCII drawings and unformatted text as opposed to a flyer or preconstructed graphic printed from a file: here, raw text inputs were printed. One unsettling fact was discovered after we ran an Nmap scan of Columbia’s secure network from outside of the network. In its network analysis, DCG discovered more than 100 publicly reachable devices with port 9100 open. Here is a small sample of what we scanned and discovered.
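An Nmap scan like the one DCG ran produces a lot of output for a campus-sized range, and the useful defensive question is simply "which of our own hosts answer on TCP/9100?". The script below is an added example (not DCG's or lmaostack's code) that reads Nmap's grepable output format (-oG) and lists the hosts whose port 9100 is open, so an IT office can firewall or re-address them. The SAMPLE_GNMAP text, the host names and the documentation-range addresses in it are constructed for illustration.

```python
"""Audit Nmap grepable output (-oG) for hosts exposing TCP/9100 (raw printing).

Added example, not DCG's or lmaostack's code. It assumes you have scanned
your OWN address space, e.g.:  nmap -p 9100 -oG scan.gnmap <your range>
SAMPLE_GNMAP below is constructed for illustration (documentation addresses).
"""
import re
import sys
from collections import Counter

SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -p 9100 -oG scan.gnmap 192.0.2.0/28
Host: 192.0.2.1 ()\tStatus: Up
Host: 192.0.2.1 ()\tPorts: 9100/closed/tcp//jetdirect///\tIgnored State: closed (0)
Host: 192.0.2.7 (print-lib-1.example.edu)\tStatus: Up
Host: 192.0.2.7 (print-lib-1.example.edu)\tPorts: 9100/open/tcp//jetdirect///
Host: 192.0.2.9 ()\tPorts: 9100/filtered/tcp//jetdirect///
Host: 192.0.2.12 (print-lib-2.example.edu)\tPorts: 9100/open/tcp//jetdirect///
# Nmap done -- 16 IP addresses (4 hosts up) scanned
"""

# "Host: <ip> (<reverse dns>)<TAB><rest>"; rest is "Status: ..." or "Ports: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
# One port entry: port/state/protocol/owner/service/rpc-info/version/
PORT_RE = re.compile(
    r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>tcp|udp)/[^/]*/(?P<service>[^/]*)/[^/]*/[^/]*/")


def port_states(gnmap_text, port=9100):
    """Return {ip: (hostname, state)} for every host that reports `port`/tcp."""
    result = {}
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m or not m.group(3).startswith("Ports:"):
            continue  # comments and "Status: Up" lines carry no port data
        ip, hostname, rest = m.groups()
        for p in PORT_RE.finditer(rest):
            if int(p["port"]) == port and p["proto"] == "tcp":
                result[ip] = (hostname or "(no reverse DNS)", p["state"])
    return result


def exposed_hosts(gnmap_text, port=9100):
    """Hosts where `port` is open: candidates for firewalling or re-addressing."""
    return {ip: host for ip, (host, state) in port_states(gnmap_text, port).items()
            if state == "open"}


def state_summary(gnmap_text, port=9100):
    """How many hosts reported the port open / closed / filtered."""
    return Counter(state for _, state in port_states(gnmap_text, port).values())


if __name__ == "__main__":
    # Usage: python audit_9100.py scan.gnmap   (falls back to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for ip, host in sorted(exposed_hosts(text).items()):
        print(f"EXPOSED {ip:<16} {host}")
    print("summary:", dict(state_summary(text)))
```

Run against a real scan of your own range, the "EXPOSED" lines are the inventory that the policy recommendation later in this post (blocking port 9100 from outside the network) needs as its starting point; a host that shows "filtered" is already shielded by something in the path.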

Potential Vulnerabilities:

Vuln 1: As previously mentioned, if this attack had been committed by someone with malicious intent, the attacker could have conducted the equivalent of a denial of service attack by constantly feeding print jobs through the open port and delaying the queue of print jobs requested by students. This would ultimately waste paper and ink, wear out internal components, and obviously prevent other print jobs from being completed. Additionally, it’s one thing to do this to consumer printers in homes or schools, but consider the potential financial impact an attack like this could have on print shops or other places with industrial-capacity printers.

Vuln 2: Besides the troll print jobs and the physical denial of service, there lies a potentially more significant vulnerability: our networks. If, for example, an attacker wanted to gain access to the network but couldn’t brute force their way in or obtain any login data via SQL injection, this port could be used as a pivot point. An attacker could drop code onto a device via port 9100 using a buffer overflow and use that foothold to pivot into the network. In non-technical terms, we have a window that is open a little: not big enough to climb through, but big enough to stick a tool through and unlock the front door to walk in.
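Both vulnerabilities above leave a trace at the network perimeter before anything comes out of the printer: a print-job flood is a burst of connections to one printer, and an outside party using port 9100 as a pivot first has to connect to it from outside the campus ranges. The script below is an added example (not DCG's code) of detection logic a campus IT office could run over firewall connection logs. The log line format, the "campus" address ranges, the timestamps and the flood thresholds are all constructed or assumed for illustration.

```python
"""Detect raw-print (TCP/9100) abuse in firewall connection logs.

Added example, not DCG's code. Two checks:
  1. Accepted TCP/9100 connections from a source outside the campus ranges:
     the exposure that blocking port 9100 at the border would remove.
  2. A burst of TCP/9100 connections to one printer inside a short window:
     what a print-job flood (physical denial of service) looks like on the wire.
Log format, INTERNAL_NETS and the thresholds below are constructed/assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed campus address space (documentation prefixes stand in for real ranges).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]
RAW_PRINT_PORT = 9100
FLOOD_COUNT = 5                      # assumed: this many jobs ...
FLOOD_WINDOW = timedelta(seconds=60)  # ... within this window is a flood

# Assumed firewall log format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=tcp spt=\d+ dpt=(?P<dpt>\d+)$")

SAMPLE_LOG = """\
2017-03-27T10:15:01Z fw ACCEPT src=192.0.2.40 dst=192.0.2.7 proto=tcp spt=50001 dpt=9100
2017-03-27T10:15:03Z fw ACCEPT src=203.0.113.5 dst=192.0.2.7 proto=tcp spt=40001 dpt=9100
2017-03-27T10:15:04Z fw ACCEPT src=203.0.113.5 dst=192.0.2.7 proto=tcp spt=40002 dpt=9100
2017-03-27T10:15:05Z fw ACCEPT src=203.0.113.5 dst=192.0.2.7 proto=tcp spt=40003 dpt=9100
2017-03-27T10:15:06Z fw ACCEPT src=203.0.113.5 dst=192.0.2.7 proto=tcp spt=40004 dpt=9100
2017-03-27T10:15:07Z fw ACCEPT src=203.0.113.5 dst=192.0.2.7 proto=tcp spt=40005 dpt=9100
2017-03-27T10:15:09Z fw DROP src=198.51.100.9 dst=192.0.2.12 proto=tcp spt=33001 dpt=9100
2017-03-27T10:20:00Z fw ACCEPT src=192.0.2.41 dst=192.0.2.12 proto=tcp spt=50002 dpt=9100
2017-03-27T10:21:00Z fw ACCEPT src=203.0.113.8 dst=192.0.2.50 proto=tcp spt=40100 dpt=443
"""


def parse_events(text):
    """Turn log lines into dicts; lines in an unknown format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "action": m["action"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dpt": int(m["dpt"]),
        })
    return events


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def external_print_connections(events):
    """Accepted TCP/9100 connections from outside campus: policy violations."""
    return [e for e in events
            if e["action"] == "ACCEPT" and e["dpt"] == RAW_PRINT_PORT
            and not is_internal(e["src"])]


def print_floods(events, count=FLOOD_COUNT, window=FLOOD_WINDOW):
    """Printers that received >= `count` accepted 9100 connections within `window`.

    Sliding window over each printer's sorted timestamps; returns {printer: peak}.
    """
    by_printer = defaultdict(list)
    for e in events:
        if e["action"] == "ACCEPT" and e["dpt"] == RAW_PRINT_PORT:
            by_printer[e["dst"]].append(e["ts"])
    floods = {}
    for printer, stamps in by_printer.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1          # drop connections older than the window
            peak = max(peak, end - start + 1)
        if peak >= count:
            floods[str(printer)] = peak
    return floods


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in external_print_connections(evs):
        print(f"EXTERNAL 9100: {e['ts'].isoformat()} {e['src']} -> {e['dst']}")
    for printer, n in print_floods(evs).items():
        print(f"FLOOD: {n} jobs to {printer} within {FLOOD_WINDOW.seconds}s")
```

On the constructed sample the first check flags the five accepted connections from 203.0.113.5 and the second flags printer 192.0.2.7, which received six jobs in six seconds; the dropped connection to 192.0.2.12 is correctly ignored. Tune FLOOD_COUNT and FLOOD_WINDOW to each printer's normal student load, since the post's own point is that a busy printer hides an attack from IT until someone reports it.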


Policy Recommendations and Lessons Learned

First and foremost, Columbia’s and SIPA’s IT offices should consider putting in place a policy that blocks access to port 9100 from devices outside of Columbia’s network.

Awareness: Columbia and SIPA should consider implementing a standard operating procedure for reporting phishing attempts, attacks in progress (like this printer attack), and general cyber incidents. Considering the quantity of print jobs these printers are sent by students, it might not be immediately noticeable to someone in IT that an attack is occurring. Having a system to report these issues would shorten response time.

Preventative Measures: Columbia and SIPA should approach cybersecurity and cyber hygiene from a public health perspective. Much like how we are educated on recognizing the symptoms of diseases and taking specific precautions to keep from getting sick, we can do the same with cyber issues. Educating students and faculty on the “symptoms” of cyberattacks like phishing, such as noticing odd emails and attachments or suspicious websites, can help promote general awareness of cybersecurity and prevent potential exploits from occurring in the future.

Reflections

As a self-proclaimed whitehat hacker, lmaostack claimed that this exploit was done in good fun and to prove that it could be done. Allegedly their intention was to raise awareness about IoT security vulnerabilities. Like most hackers, lmaostack executed this exploit on a whim out of boredom and curiosity. However, their point has been made. This recent exploit proves that even university-level institutions are not safe from very simple exploits like this and that it is time for everyone to take cybersecurity more seriously. Some firms have even gone so far as to conjecture that similar exploits could be used as entry and pivot points to further harm other corporate entities. Regardless of how one might view the damage caused by lmaostack’s meme-fueled printer exploit, bringing cybersecurity to the forefront as a clear and present danger to individuals, businesses, other institutions, and the owners of the 150,000 exploited printers is quite the feat.

Finally, I would like to extend a special thanks to C. Van de Werken and Natasha Cohen for giving me a starting point to know where to start looking and which resources and references I should be using to better understand what was happening on the technical side. You can find out more about Mr. Van de Werken’s work in cryptography and blockchain tech on his Twitter here and learn more about Ms. Cohen’s work in cybersecurity at her page here.