Schneier on Security
A blog covering security and security technology.
June 18, 2010
Remote Printing to an E-Mail Address
This is cool technology from HP:
Each printer with the ePrint capability will be assigned its own e-mail address. If someone wants to print a document from an iPhone, the document will go to HP's data center, where it is rendered into the correct format, and then sent to the person's printer. The process takes about 25 seconds.
Maybe this feature was designed with robust security, but I'm not betting on it. The first people to hack the system will certainly be spammers. (For years I've gotten more spam on my fax machine than legitimate faxes.) And why would HP fix the spam problem when it will just enable them to sell overpriced ink cartridges faster?
Any other illegitimate uses for this technology?
EDITED TO ADD (7/13): Location-sensitive advertising to your printer.
Posted on June 18, 2010 at 1:37 PM
Isn't SPAM bad enough?
Everything depends upon whether there is an exploit in the printer, itself, that can be triggered from the outside.
My HP 7250 is on my internal LAN so if it can execute arbitrary code it can siphon my LAN's topology or perform other attacks.
The printer in my firm prints banners between jobs that identify who printed what. So, the next time I need to prank someone I just:
1) Write a memo from them to the boss calling him an idiot, and mail it to the phone. Maybe with their banner (so the nosy admin that sorts printouts can rat him to the boss) or maybe with the boss's banner (for a direct reaction).
2) Google up some naughty photos, print them with their banner page, and call HR to complain. (Or print a complaint with the HR woman's banner for double-abuse fun).
Sure, I could do all this now, but we have these pesky IT guys who keep logs of all the print jobs. They need some additional work factor to figure out who it was sending email from the local public library to the printer.
sending documents to HP datacenter via email... and I need to print my tax report!
Can anybody track down the email address of printers inside HP, so we can 'try' this technology out?
Google wants to do something similar with "Google Cloud Print".
Want to bet that your documents will stay backed up on HP's or Google's servers for a while? How long before a law enforcement agency subpoenas everything printed out on a particular device? Or, even better, suppose the government decides to require them to retain documents for a certain period? All you need to do is make something incriminating print out, then tip off the appropriate authorities. (Though just in case they think to ask where it came from, make sure to send the print job from a cybercafe or similarly anonymizing service.)
OK, I couldn't resist. I went over to HP's web site to check it out:
Totally open to insider attack: the printer will give its email address to anybody who walks up to it and pushes a couple of buttons. No logs.
Moreover, in the "secure" mode it simply checks that the "from" address is in a list. Not that we've ever seen spammers or other ne'er-do-wells forge from addresses.
Who was in the design review for this product? It's amazing nobody thought this was a bad idea. All the engineers at HP can't be so ink-sales-focused.
You could make an easy security fix by requiring a certain "password" in the subject line of the e-mail. It's not real security, but it's probably good enough to stop most spammers, or as a first line of defense. You could also only accept e-mail from a certain address or hold them on a print server until they are verified.
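To make the allowlist-plus-subject-token idea concrete from the defender's side, here is an added example (not HP's code and not from the original post) of a mail-to-print gateway policy: a job is printed only when the From address is on the allowlist, the subject carries the token, and our own MTA recorded a DKIM pass for the From domain, because a bare From header can be forged; otherwise it is held for manual release or dropped. The printer address, allowlist, token, authserv-id and the three sample messages are constructed values.

```python
import email
from email.utils import parseaddr

# Hypothetical printer mailbox, authorised senders and shared subject token.
PRINTER_ADDR = "printer-example@example.invalid"
ALLOWLIST = {"alice@example.org"}
SUBJECT_TOKEN = "PRINT-7f3a"

# Assumption: Authentication-Results is stamped by OUR OWN MTA (this authserv-id)
# and that MTA strips any copy of the header arriving from outside; otherwise a
# sender could forge the DKIM verdict just as easily as the From line.
AUTHSERV_ID = "mx.example.invalid"

# Constructed sample messages, not real traffic.
MSG_GOOD = f"""From: Alice <alice@example.org>
To: {PRINTER_ADDR}
Subject: [{SUBJECT_TOKEN}] quarterly report
Authentication-Results: {AUTHSERV_ID}; dkim=pass header.d=example.org; spf=pass

Please print me.
"""

MSG_FORGED = f"""From: Alice <alice@example.org>
To: {PRINTER_ADDR}
Subject: [{SUBJECT_TOKEN}] Buy ink now!!!
Authentication-Results: {AUTHSERV_ID}; dkim=fail header.d=example.org; spf=softfail

Forged From: header; the signature does not verify.
"""

MSG_UNKNOWN = f"""From: mallory@example.net
To: {PRINTER_ADDR}
Subject: hello
Authentication-Results: {AUTHSERV_ID}; dkim=pass header.d=example.net

Not on the list at all.
"""


def auth_passed(msg):
    """True only if our MTA recorded a DKIM pass for the From domain."""
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip().lower() for p in hdr.split(";")]
        if not parts or parts[0] != AUTHSERV_ID:
            continue  # stamped by some other host: untrusted, ignore
        for clause in parts[1:]:
            if clause.startswith("dkim=pass") and f"header.d={domain}" in clause:
                return True
    return False


def classify_print_job(raw):
    """Return 'accept', 'hold' (queue for manual release) or 'reject'."""
    msg = email.message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() not in ALLOWLIST:
        return "reject"  # unknown sender: never reaches the paper tray
    if SUBJECT_TOKEN not in msg.get("Subject", ""):
        return "hold"    # known sender but no token: a human releases it
    if not auth_passed(msg):
        return "hold"    # From: alone is forgeable; demand a DKIM pass
    return "accept"
```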
Come to think of it, I could see Google in particular trying to be extra-helpful by providing an interface where you can see what you've printed recently. And, when the inevitable vulnerability turns up, so will the rest of the world...
I'd imagine it will probably be possible for a malformed print job to be sent to a printer that lands in memory instead of the print queue. Load up a printer with pictures that will land a person in jail and then drop a dime on him. Ensure that the malformed print jobs look like local print jobs that were saved by the printer. Even if the target realizes how the images were added to the printer, they would be ruined.
Didn't HP give in to the Treasury department a couple of years ago and add anti-counterfeiting technology to all of its printers and scanners? I wonder how long it will take for someone to mail in a request to print hundred-dollar bills? The perfect Joe-job...
Perhaps this printer was designed for use in an RFC 1149 environment. With a middleman (HP's data centre) to translate the packets, there's no need to worry about soiling your printer or getting feather jams.
Want to bet that such printers are two-way animals, sending back information as well, quite possibly taken from your network. Those things are worse than an open router or unsecured connection.
If it's a check printer, this could be really bad. Not just from spammers, but from disgruntled employees - just print directly to the AP printers, print out an envelope and a check, and watch the money roll in.
I imagine lots of questionable persons would use it to send slightly-annoying-to-trace death threats. I could further imagine a savvy enough hacker could use the process to locate the physical printer, thus enabling stalking. But the spam is enough that I would never buy one.
I've seen blog posts this week saying that HP will use the technology to push advertisements to the printers. Yeah, that's just what I need; I'm not already throwing away mounds of junk mail every week.
Getting someone arrested for kiddie porn, getting random people fired from work for normal porn or illegal/questionable content (here's how you culture anthrax!), etc. The possibilities for outbound abuse are fairly unlimited.
What's scarier is if you are printing confidential information this way; I'd love to see the retention policies from HP.
Sure, e-mail someone you hate child pornography.
Between DOS attacks to HP's or Google's printing service and 'oh my internet connection is down... so I can't print to any of the printers in my office or the one sitting next to me!?', being reliant on other people's infrastructure to do something as basic/simple as print (rube goldberg anyone?! occam's razor please!?), and then all of the security concerns around this - too many to count or fix with hacks and sledgehammers. UG.
Having an internal service for a company would be fine - integrated with MS Exchange (or your local email server or infrastructure) for instance - would be simple and easy. This solution seems just plain silly. If you have a private and secure cloud then that sounds better - but then you still have to rely on Internet connectivity to print, ick. ;)
It will greatly ease social engineering attacks...A printed memo, from the company president (or HR, or whoever requests such things), asking for access for x individual to y project...Please send all correspondence to email@example.com, he is our new...'consultant'. Please treat him with the utmost respect...
Now I have some legitimate email address to type into a web site to avoid spam to my regular email address.
Find the email addresses for your competitor's printers and sign them up for spam, so that your competitor bears the paper/ink/tie-up costs.
all those proposing randomly adding passwords to subjects and other pseudo-secure stuff:
the secure identification of a mail sender has already been resolved.
use S/MIME, with a proper certificate chain, releasing one certificate only to authorized *people* so that if a person's certificate is stolen you can point your finger and assign blame where it is due
(that's why you need people and not roles or groups or aliases)
Concerning the CW article, it's not only the targeted ads directly sent to the printer that is frightening/annoying, it's also how they do it: by sniffing the local network to discover what the most pertinent advertisements are.
And then M. Nigro (from HP) justifies this intrusion into everyone's privacy with this incredible statement:
"What we discovered is that people were not bothered by it [an advertisement],"
It reminds me of this famous quote:
stupidity should be painful
From the Computerworld link @D posted above:
"Through IP (Internet Protocol) sniffing, you have an idea about where those printers are so naturally it allows you to kind of already target your offers," Nigro said.
This has Bad Idea(tm) written all over it.
Dunno about the security features, but it is hardly a new invention; it was mentioned in RFC822:
"A mailbox receives mail. It is a conceptual entity which does not necessarily pertain to file storage. For example, some sites may choose to print mail on their line printer and deliver the output to the addressee's desk."
Huh, that could come in handy for HP...
...*print* your customers a handy note every time their toner/ink is running out! ;)
Don't wait! You've already turned millions of Windows computers into botnets, so here's your chance to dump your crap to people's printers and blame HP! Even non-HP printers can be targeted by claiming they introduced the feature to remain competitive.
Really.... I find this useless. Can't you just wait till you get to wherever you're going to print the thing?
Surely the traditional Mandelbrot in postscript job? But would that stuff the destination printer, or HP's servers?
Maybe both-- you'd expect PS to be passed to the printer as-is, but then if you get a Web interface where you can preview your final document...
I would say "just use smime to authenticate the sender", then I realized it says "iPhone". Stupid apple still hasn't added S/MIME email to the iPhone.
It would work nicely from Windows mobile, or other devices that support S/MIME email.
An interesting avenue for a phishing attack, I'd say. On the one hand, it'll be weird to have a document you don't recognize. On the other, a hard copy document feels much more authentic than anything in your inbox, even if you don't remember how it got there.
Imagine how many people could be terrorized by fake threats of (fill in the blank), either mass-mailed, or "mistakenly" addressed from Abdul to Mohommad, but with a "typo" that resulted in it being sent to millions...
Why didn't this come out in time for the Movie Plot Threat contest?
"No Officer. Someone else must have printed that incriminating evidence on my printer."
I'm not sure what worries me more, the case where that's the truth or where it's a bald-faced lie.
Correct me if I'm wrong, but didn't the woman who brought HP down from one of the most respected names in technology to the equivalent of "Dirtbags Inc" during her tenure at the top recently stand for political office?
The thought occurs to me that this must be a political candidate's best fantasy...
Name me one politico that would not just love to have their campaign spam sent to hardcopy at your expense at a touch of a button...
(Please send all flames to firstname.lastname@example.org ;)
Yeah, the very first things that come to mind are porn, child porn, a script feeding random threads from /b/ into the printer, and rough drafts of ragequit letters to someone's boss.
If you were nicer, you could send a photo of a kitten to someone to brighten up their day.
The security scheme is similar to that implemented by Amazon for emailing documents to the Kindle. There's been no reports of such attacks on the Kindle.
It doesn't sound very secure, but a spammer must know both the email address of the device and one of the email addresses on the authorised list. That geometrically increases the overhead of any brute force attack.
Security and spam are one side, control is the other side.
The first step in taking away control from the owner (and user) of the printer has been so-called printer drivers. By making them proprietary, manufacturers could
- decide what operating system you are allowed to use
- force users to buy new hardware by not providing drivers for newer versions of the OS
- *define* when the ink cartridge is empty
- manipulate the users operation during driver installation at their will.
This is the next step. The owner of the printer can't operate it at all. It's operated remotely by the manufacturer. Users will have to send their documents to the manufacturer and kindly ask for printing. To do so they will probably have to install some fancy proprietary upload tool with all the nice features that printer drivers have today.
I suspect that HP will base the "security" on these printers on their already-existing "presto" technology, an "email printer" aimed at senior citizens who can't get the hang of computers.
Presto uses a list of "approved" senders (you give grandma a stack of cards you've printed (using HP ink, of course)). This has a URL, and the hopeful correspondent enters in their email address. Maybe there was also a Captcha in there; I can't remember.
Yes, this is pretty weak "security," but it might be good enough. It was 100% successful at blocking spam for my mom, who had the system for a year (until the #$%$@^ thing broke a month out of extended warranty).
" Sure, e-mail someone you hate child pornography. "
But the government has thought of it for you!
No anonymity means they'll be able to find the culprit and jail him!
You'll be freed in a few years, after we've made sure you're not up to no good, and fingerprinting you, DNAprinting you, and raping you to make sure you don't have drugs/explosives in your ass.
Thank you government!
You're thinking of Carly Fiorina, who just won the primary to be the Republican candidate for a Senate seat in California.
I like the idea of hourly spoofing an official HP informative page with a white text on inky black background that reads:
*** WARNING ***
Your printer has too much ink!
For the typical home user, I can't see a huge hole here (yes, it's possible). It partially depends on how HP assigns the addresses, but a combination of a fairly obscure printer name and the locked-down from address should confer enough security for the home user (I'm considering one so I can print from my iPhone/iPad/netbook on the road).
Business is different, I would not use one of these for any secure use (anyone who set one up as an AP printer should be fired, immediately).
First off finding out the email address will not be that difficult as it will be sent in plain text off to HP.
Anyone between you and HP just has to log it.
Now as we know ISPs etc. are virtually required to log all such information for LEA access.
Now I really cannot see these DBs being that secure.
So the question becomes at what point does it become worth somebody's time and effort to get hold of this information?
Then find out (as it's input side to HP) what IP address vs. domain name it belongs to.
Well the chances are that other info against the sending IP address (such as ordinary emails) will give that away.
Also there is the question of if the likes of Google etc snag the info out of a users system simply by asking the client software.
Thankfully for mobile users the IP address ranges the phone companies use are so overloaded that there might be 300 mobiles behind each IP address they use.
The simple fact is there is no security just obscurity in this system and it is just a matter of aggregating data.
The question then becomes what would be a sufficient advantage for somebody to aggregate the information and exploit it.
It is the same with Amazon's Kindle: no security, but no incentive to attack it (currently) means it gives users a false perception of not being vulnerable.
The downside is when there is an incentive a lot of people are going to be very unhappy all at the same time (assuming it's a spam like attack).
Step 1: Breach HP's system, with say a conversion overflow bug.
Step 2: Discover/use a bug in the remote print system to compromise every printer with this feature - n.b. these printers can talk to the world.
Step 3: Get the printers to forward all prints to wikileaks....
Step 4: Democracy restored, have a nice day.
Stupid question - where are you guys finding the child porn that you're sending to these victims? No, I'm not looking for some! It just reminds me of the recipes that start with "First, catch a rabbit..." This attack might make good anti-security anti-theater but it ultimately makes the threat seem less credible. I agree that legal porn (or craigslist 'casual encounter' pages) could make life interesting though.
I don't think "it would be too hard to guess" arguments work for phishing and worse (e.g., making bogus claims that you're a grandkid who's been arrested and need you to wire some money and please please please don't tell mom + dad). An attacker might not be able to guess this information but a system compromised by a spambot could run an app that checks for the appropriate registry entries and adds a sniffer for email account information at the most common ISP and gmail addresses.
So, this is the excuse office guys will use when their boss asks them to explain the 50 pages of penis enlargement flyers in the paper tray.
You actually believe that HP will give one flying shit about consumer security and implement S/MIME or some other advanced signature/ID scheme in a consumer product?
What planet are you living on?
Printed suicide terrorist attacks as sending "BOOOOM!" or "GOTCHA!" in Comic Sans size 666.
First step in security - don't buy HP.
>Didn't HP give into the Treasury
>department a couple of years ago and
>add in anti-counterfeiting technology to
>all of its printers and scanners?
That's been common for years. Color printer/copiers I worked with at least as early as 1997 had features to recognize U.S. currency and print them as "yellow backs" instead of green backs.
Many moons ago, when hacking was more civilized, and when just about everyone had hardcopy terminals, one of the more sophomoric tricks was to entice someone into looking at a text file filled with ASCII control-L's (form-feeds). Somewhat funny as long as you weren't paying for that roll of Silent 700 thermal paper.
The modern (and still civilized) hack would be to print blank pages until the printer trays are empty (nuisance enough, but no need for nasty images). Those sheets would be re-usable of course, unless you adorned them with the famous US government statement: This page is intentionally blank.
This shouts out as promising for another illegitimate use:
"...the document will go to HP's data center, where it is rendered into the correct format, and then sent to the person's printer..."
*How* does the data get from HP to the user's printer? i.e. does the printer make periodic outbound network connections, or does it require the user's router to NAT an external port to the printer's JetDirect port?
Can we send a malformed request and obtain the user's IP address?
On a lighter note. If I were to mess with someone's printer in this manner, I'd probably just send periodic messages like: "you don't talk to me any more", "do you want anything printed?", "I print, therefore I am" and "who is that guy with the axe outside the window?".
I got rid of my fax machine due to spam more than ten years ago; the number was never publicly listed anywhere, and yet I still get the annoying beep-oink-groan calls every odd night..
I can't wait until this great entertainment hits my printer as well..
Are there any *useful* use-cases for these printers? Somehow I can't think of any. Shall they replace the holiday postcard to grandma?
It's like during the dot-com boom, when a refrigerator salesman was trying to sell me on an internet-connected fridge - "but you could do your video-teleconferences from your fridge!" to which my response was "why?"
I find it astonishing that anyone would voluntarily send all their documents through the data centre of a company that a few years ago used illegal investigative methods against their own board and (non-HP) associates of their board, refused to apologise or make any admission of wrongdoing and pretty much got away with it. I'd have serious doubts about the competence of any CSO who allowed one of these anywhere near their network!
The ad thing is just icing on the cake.
It strikes me that this is an example of a company trying to find something "innovative" enough to get a few extra sales in, without there being any real benefit to the end user.
I really, totally, fail to see any reason to get one.
*You can send an email from your phone / laptop to the printer*
I see this, but why is that better than any of the current options?
I can send print jobs to my printer at home via my laptop or phone over this magical thing called a Local Area Network. It works really well, has a mix of WiFi and Ethernet and at no stage do I have to worry about the data sitting on HP's servers. Big bonus - I am responsible for the security without trusting AN Other company.
It might be the case I want to send a print job while I am out and about, but think for a moment - Why? At some point I will need physical access to the printout, so why not wait until I am back into the LAN and do it then?
Maybe I need to send a print job so someone else can grab it and use it. Why not email it to the person and let them print it?
As I said, I totally fail to see any purpose in this. Which probably means it will be a massive hit worldwide....
With regard to attacks - most have already been mentioned, but you can add in the wonders of having your _own_ local printer DoS'd in many forms. Isn't that a great price to pay for pointless technology?
Postscript is a complete language. So just send the shortest obfuscated non-halting file to every printer in the world. A million times. Sure, you can eventually clear the queue. Printing stuff from mobile devices is definitely an issue, but geez.
It'll be interesting to watch the free market (e.g. eBay) price of one of these printers, and see whether it depends on what mailing lists it's on.
If you are a contractor or subcontractor for a DOJ funded watch program you can easily keep jobs going sending info from groups that are being watched already, peaceniks, anti torture groups, emails in Arabic with just enough key words to keep your subject(s) in Patriot Act Limbo...nobody investigates fraud in the domestic surveillance game.
Looking at this from a Data Privacy/Protection issue (in the EU context), I'd be concerned that this tech could undermine efforts to encrypt laptops etc. to protect personal data, if "roadwarriors" print documents with personal data included in them from their secure & encrypted laptops to printers in the office via an email print service through the Cloud.
Risks I see include content of documents being exposed in the cloud in transit or (even more mundanely) the document sitting on a printer for hours before anyone (legitimately) picks it up and acts on it.
Also, as HP would now be processing personal data on behalf of their clients they would need to register as a Data Processor with each EU Data Protection authority, particularly if their printer customers are in Telco or other specified industries (see http://www.irishtimes.com/newspaper/ireland/2010/... and http://castlebridge-associates.com/press-release/... for details of why)
The only thing I want to send to these printers is something along the lines, "Help Ples! We are slave in factory of printer near Mekong. They give very little food us, one only cup water every day, we must work twenty hour at one time. Our parent not know we are where, probably worry sick. This only chance to put message in printer while guard asleep. You help or we die, see family never again! Ples help!"
@GreenSquirrel: what you're missing is that printing from your phone is not that easy with iphone/android. That's probably the use case they're going for.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.