Bitcoin Forum
December 09, 2016, 02:22:28 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Printer security  (Read 1261 times)
Vandroiy
Legendary
*
Offline Offline

Activity: 1036


View Profile
January 03, 2012, 02:21:29 PM
 #1

The topic of paper wallets came up a lot recently, so I just wanted to make sure everyone is aware there has been a major hacking method disclosed for massive amounts of HP printers.

http://www.cccblog.org/2011/11/29/millions-of-printers-open-to-hack-attack/

I don't have the sources, but the CCC did a talk about it somewhere, use Google if you haven't heard yet. Basically, if you have one of the endangered printers with re-writable firmware restoration memory, either figure out how to check it or destroy it.

Needless to say, this goes for Casascius especially. Do you use an HP printer, and if so, can you perform checks on the memory banks involved? From what I know, there are sometimes two of them, both idiotically unprotected: the active firmware and the factory restoration memory.
1481250148
Hero Member
*
Offline Offline

Posts: 1481250148

View Profile Personal Message (Offline)

Ignore
1481250148
Reply with quote  #2

1481250148
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481250148
Hero Member
*
Offline Offline

Posts: 1481250148

View Profile Personal Message (Offline)

Ignore
1481250148
Reply with quote  #2

1481250148
Report to moderator
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
January 03, 2012, 02:27:24 PM
 #2

My understanding (and it would be what I do) is that Cascius generation and printing machine is disconnected from the network.  Cold Isolation. 

The combination of Linux, live CD w/o persistence, and non-network should keep any generation machine secure. 

Still hackers are interesting people.  Pretty funny if someone has an encrypted document so the hackers just steal a copy from printer memory.   I am sure in time someone will come up w/ printers that accepted encrypted print spool and use public/private key signing for firmware changes.  That is why I like hackers.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 03, 2012, 02:31:45 PM
 #3

I didn't use any HP printers in the production of physical bitcoins.  Nothing had network access either.


Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Vandroiy
Legendary
*
Offline Offline

Activity: 1036


View Profile
January 03, 2012, 02:39:34 PM
 #4

Ah, Casascius, that's good to hear. Still might not hurt to check whether the printer is capable of remembering stuff -- probably best to not connect it to the net again unless this can be ruled out.

I'm astonished that HP printers were not using signed firmware updates, or at least have a security switch for flashing it! That's not a question of adding a feature, that's an unacceptable blunder in terms of security! It never ceases to amaze me how little companies care for security.

What's worse, some documents were able to auto-flash a printer they're printed on. That way, hackers are able to infect perfectly firewalled printers. Insanity!
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 03, 2012, 02:51:12 PM
 #5

I used a consumer-grade inkjet to print everything, a deliberate security-related decision (based on my belief that I'd have an easier time detecting laser toner from the outside if I as a hacker had things like radiation or medical imaging technology at my disposal).

I'd expect it to be quite a stretch for it to have a hack at all at this point for my inkjet, let alone one that is advanced enough to queue print jobs into what limited memory it probably has, wait for later network access, and forward them to an attacker.  The day my sort of printer generates internet traffic coinciding with the size of incoming print jobs will be the day millions of others do as well, something unlikely to go unnoticed by sysadmins around the world.  Something I would expect to see long before hacks progressed to storing and forwarding jobs printed while the printer had no network connection.  We also don't print much on that printer in the first place, so the vector of a firmware flash riding on a document into that printer has been virtually non-existent.

Interesting proposition though.  I have already printed all the private keys I expect to use for a very long time so that I could wipe the disks that contained them (total printed 29000 keys, only about 6500 used).  But next batch perhaps justifies an inkjet printer lacking network capability entirely, especially if for nothing else, if I use up 29k keys, the next batch will probably be much larger.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
January 03, 2012, 03:01:20 PM
 #6

I'm astonished that HP printers were not using signed firmware updates, or at least have a security switch for flashing it! That's not a question of adding a feature, that's an unacceptable blunder in terms of security! It never ceases to amaze me how little companies care for security.

Sadly features sell, security doesn't.

Most consumer grade motherboards also allow unsigned firmware changes which now allows BIOS resident viruses & rootkits.  You can drop a brand new HDD in, w/ clean install and be compromised from day 1.  The advent of windows bios update utilities now makes BIOS/firmware resident malware more of a threat.
gnar1ta$
Donator
Hero Member
*
Offline Offline

Activity: 756


View Profile
January 03, 2012, 03:18:34 PM
 #7

So for those of us who don't have computer science degrees and ocasionally print paper wallets, what can be done to lower the risks? 

Losing hundreds of Bitcoins with the best scammers in the business - BFL, Avalon, KNC, HashFast.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 03, 2012, 03:26:10 PM
 #8

So for those of us who don't have computer science degrees and ocasionally print paper wallets, what can be done to lower the risks? 

I had suggested "wallet seeds" on another thread.  And printers that connect strictly via USB are going to be immune...

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
Vandroiy
Legendary
*
Offline Offline

Activity: 1036


View Profile
January 03, 2012, 03:50:20 PM
 #9

So for those of us who don't have computer science degrees and ocasionally print paper wallets, what can be done to lower the risks? 

Hm... I figure the risk isn't all that high unless someone either detects your bitcoin address format or knows you have enough coins to be worth stealing and manually targets you. I'd say just stay up2date about your printer's firmware and possible news concerning it.

But I'm really not well-informed about this, just thought I might bring up the topic. Most likely, the chaotic nature of everything will prevent hacks from causing much harm in most cases, since viruses don't really know what to look for.

Anyways, bottom line: check that printer firmware is up to date, especially on HP network printers, very especially if it has not been patched since the hacking party began in November or whenever it was.

And printers that connect strictly via USB are going to be immune...

I'd not be so certain about that. We know they can be infected using a rigged document, so outputting the data from the infected printer would be the problem. But USB-device-to-computer hasn't exactly been mankind's safest channel in the past, I think on WinXP one can still claim to be/have a HDD on USB and then insert malware via some rigged Autorun, unless that has been properly disabled. A rigged printer can claim to be an USB hub and emulate whatever insane structure of devices!

Hardware that executes arbitrary low-level assemblies is evil. Patch the printers, stop that from happening, or else people will find ways to abuse it eventually.
phillipsjk
Legendary
*
Offline Offline

Activity: 1008

Let the chips fall where they may.


View Profile WWW
January 03, 2012, 04:58:41 PM
 #10

I don't have the sources, but the CCC did a talk about it somewhere, use Google if you haven't heard yet. Basically, if you have one of the endangered printers with re-writable firmware restoration memory, either figure out how to check it or destroy it.

Laser printers have always been full-fledged computers. The Original Apple LaserWriters had more CPU and memory than the computers they were typically hooked up to (running a GUI).

Being able to hack your printer is a good thing: if it is properly documented. It allows you to replace the firmware with your own firmware, for example.

As a rule of thumb, if it has built-in network access, it is a full-fledged computer. Before printing bitcoin you should determine how to isolate the printer from the network (not so easy with built-in wireless capability), and how to clear the memory afterward. I am not sure how far you will get asking the manufacturer how to clear the memory and restore the original firmware.

One thing the printer manufacturer won't want to talk about is any Currency Detection Module that may be present (especially colour models).


James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1344


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 03, 2012, 06:48:48 PM
 #11

Hm... I figure the risk isn't all that high unless someone either detects your bitcoin address format or knows you have enough coins to be worth stealing and manually targets you. I'd say just stay up2date about your printer's firmware and possible news concerning it.

But I'm really not well-informed about this, just thought I might bring up the topic. Most likely, the chaotic nature of everything will prevent hacks from causing much harm in most cases, since viruses don't really know what to look for.

Anyways, bottom line: check that printer firmware is up to date, especially on HP network printers, very especially if it has not been patched since the hacking party began in November or whenever it was.

What I'd expect to see long before then, is a browser "helper" object that looks for well-formed bitcoin addresses in web pages, and replaces them from a list of addresses belonging to an attacker.  That's a path of far less resistance for an attacker that would yield the same thing (and then far more) for an attacker versus hacking printers.  If I think of why one would hack a printer, stealing print jobs is one consideration, but using that printer to run something like OpenVPN and being a launch point for other attacks on that network seems more what a printer hack would be valued for by a hacker.

And printers that connect strictly via USB are going to be immune...

I'd not be so certain about that. We know they can be infected using a rigged document, so outputting the data from the infected printer would be the problem. But USB-device-to-computer hasn't exactly been mankind's safest channel in the past, I think on WinXP one can still claim to be/have a HDD on USB and then insert malware via some rigged Autorun, unless that has been properly disabled. A rigged printer can claim to be an USB hub and emulate whatever insane structure of devices!

Hardware that executes arbitrary low-level assemblies is evil. Patch the printers, stop that from happening, or else people will find ways to abuse it eventually.

Let me put it another way: a USB printer is immune to stealing keys off a paper wallet because it lacks a way to send them to an attacker.  Before someone goes to the effort of rooting a USB printer and making it claim to be a hard drive (which would clearly get noticed), I would expect numerous other viable attacks to be lower hanging fruit - like, for one, attempts to root the computer that's sending the print jobs there, and just stealing them on their way out.

I have never read about regular PC malware that steals print jobs, probably because it's not usually necessary - once malware gives remote control to an attacker, whatever the user is trying to print is probably readable straight off the file system in a native format that's easier to work with, without any need to go after a print queue.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper wallets instead.
film2240
Legendary
*
Offline Offline

Activity: 994


Professional filmmaker/Freelance videographer


View Profile WWW
January 03, 2012, 06:57:18 PM
 #12

Good informative thread and article.Thanks for that.I'm just glad my printer is a Canon MG5250 inkjet wi-fi MFD and not a vulnerable HP one.I hope that canons wi-fi MFDs aren't vulnerable to this hack/exploit.Great printer to work with (mine),high quality prints/scans/copies (as it can be used as a photocopier as well),relatively easy to use (I didn't even bother reading the manual lol) and prints onto CDs/DVDs as well and its wireless.

I'll make sure that I never get an HP printer anytime soon.

[This signature is available for rent]
[This signature is available for rent]
[This signature is available for rent]
[This signature is available for rent]
Phinnaeus Gage
Legendary
*
Offline Offline

Activity: 1302


Bitcoin: An Idea Worth Spending


View Profile
January 03, 2012, 07:08:20 PM
 #13

So for those of us who don't have computer science degrees and ocasionally print paper wallets, what can be done to lower the risks? 

I had suggested "wallet seeds" on another thread.  And printers that connect strictly via USB are going to be immune...

Can I safely assume you read my PM to you?

~Bruno~
Revalin
Hero Member
*****
Offline Offline

Activity: 728


165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g


View Profile
January 04, 2012, 04:03:51 AM
 #14

These kinds of attacks are not limited to HP printers.  HP just makes the most popular networked printers, but any networked printer (like your wifi one) can have the same problem.  Embedded firmwares frequently have poor security, unfortunately.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!