4. Jens Müller - Exploiting Network Printers
PRinter Exploitation Toolkit (PRET)
Hacking Printers Wiki
https://www.blackhat.com/docs/us-17/thursday/us-17-Mueller-Exploiting-Network-Printers.pdf
INTERNAL USE ONLY – DO NOT DISTRIBUTE
15. Self-healing HP Enterprise and Managed printers can automatically repair themselves from attack in real time
HP JetAdvantage Security Manager automatically assesses and remediates device security settings
The world’s most secure printing*
Real-time threat detection, automated monitoring, and built-in software validation
Run-time intrusion detection: During run-time, HP printers detect and prevent unexpected changes to memory
HP Sure Start: During startup, the integrity of the boot code or BIOS is validated
Whitelisting: When loading firmware, only authentic, good code—digitally signed by HP—is loaded
HP Connection Inspector: When connecting to the network, HP Enterprise printers put a stop to suspicious
1. Check BIOS/boot code: Prevents the execution of malicious code during bootup by allowing only HP-signed, genuine code to be loaded
2. Check firmware: Allows only authentic, good firmware—digitally signed by HP—to be loaded
3. Check printer settings: After a reboot, HP JetAdvantage Security Manager checks and fixes any affected security settings
4. Continuous monitoring: Protects operations and stops attacks while device is running. Inspects outgoing network connections to stop suspicious requests (Enterprise only)
Automatic Reboot
16. Advancing Regulation
o Feb. 2018: PCI DSS 3.2
o March 2017: New York Cybersecurity Regulation (23 NYCRR Part 500)
o April 2017: US-CERT Federal Notification
o Sep. 2017: Securities and Exchange Commission launches Cyber Unit
o May 2018: GDPR – General Data Protection Regulation
o 2018: Canada PIPEDA Mandatory Breach Notifications
17. Security control questions
Question: What controls are in place to identify and track the activity of each user who has privileged user rights across the print infrastructure?
Regulation: HIPAA 164.312(a)(2)(i). Assign a unique name and/or number for identifying and tracking user identity. Required.
Question: Does an accurate CMDB (list of printer assets) exist that includes all printers noting the firmware version, owners, software, type of use, etc.?
Regulation: HIPAA Control 164.310(d)(2)(iii). Tracking Assets.
Question: What controls are in place to protect sensitive or private print jobs and scan jobs while in motion?
Regulation: HIPAA 164.312(e)(1). Transmission Controls.
18.
Outdated OS security and firmware
No BIOS protection from persistent, stealthy malware
No security policy enforcement
Vulnerable to visual hacking
Weak and vulnerable password protection
Published security vulnerabilities
Complicated or lacking user authentication
Lack of document security options
EVERY ENDPOINT DECISION IS A SECURITY DECISION.
https://www.blackhat.com/docs/us-17/thursday/us-17-Mueller-Exploiting-Network-Printers.pdf
https://www.youtube.com/watch?v=DwKzSO4yA_s&t=1468s – YouTube video of Jens presenting at Black Hat
Poll Title: Choose which one describes your current printing environment
https://www.polleverywhere.com/multiple_choice_polls/Ywzy1oHqWmWOcU4
Poll Title: When did you last update your fleets' firmware?
https://www.polleverywhere.com/multiple_choice_polls/1fvFuQWYxSRbOKq
Poll Title: My company uses a SIEM tool to help monitor the network
https://www.polleverywhere.com/multiple_choice_polls/x9ZObQz0kaUHfT0
Defend your network with the world’s most secure printing. Only HP print security offers real-time detection, automated monitoring and built-in software validation to stop threats the moment they start. With HP, you’re more secure on every level, so the trouble that’s out there stays out.
Print security features automatically detect and stop attacks
HP business printers, from Pro through Enterprise, can automatically detect and stop an attack (and notify your system of potential trouble) during all phases of operation:
During start up. The boot code (for Pro devices) or BIOS (for Enterprise and Managed devices) is a set of instructions used to load critical hardware components and initiate firmware. The integrity of the code is validated at every boot cycle—helping to safeguard your device from attack.
When loading firmware. Only authentic, good code—digitally signed by HP—is loaded into memory. If an anomaly is detected, the printer reboots to a secure, offline state and notifies IT.
During run-time. HP embedded features help protect printers while they’re powered on and connected to the network—right when most attacks occur. HP devices detect and prevent unexpected changes to memory.
When connecting to the network. Unique HP technology is used to inspect outgoing network connections to stop malware from “calling home” to malicious servers, stealing data, and compromising your network. (Enterprise printers only)
HP Enterprise and Managed devices can self-heal
In addition to being able to detect and stop threats, HP Enterprise and Managed printers automatically self-heal from attacks, so IT doesn’t need to intervene. These features automatically trigger a reboot in the event of an attack or anomaly:
HP Sure Start. If the BIOS is compromised, HP Sure Start forces a reboot and reloads with a safe “golden copy” of its BIOS.
Run-time intrusion detection monitors complex firmware and memory operations, automatically stops the intrusion, and reboots in the event of an attack.
HP Connection Inspector uses unique HP technology to evaluate outgoing network connections, determine what’s normal, stop suspicious requests, and thwart malware by automatically triggering a reboot.
With the investment protection that upgradeable HP FutureSmart firmware provides, you can add some of these embedded features to many existing HP Enterprise and Managed printers.
Configured for security—automatically
Part of good device security is making sure that your device is configured properly. The default settings on HP business printers are designed to make them more secure from the start. And HP JetAdvantage Security Manager plays a key role in keeping them secure. After a reboot occurs—or any time a new device is added to the network—HP Security Manager automatically assesses and, if necessary, remediates device security settings to comply with pre‑established configuration policies. IT managers can schedule regular Security Manager assessment/remediations, or manually launch one at any time.
Ensuring proper device configuration not only helps protect your network and data, it helps you meet compliance regulations and avoid costly fines.
Detect and document threats
Administrators can be notified of security events via Security Information and Event Management (SIEM) tools such as SIEMonster, ArcSight and Splunk.
Disclaimers:
Most secure printing: HP’s most advanced embedded security features are available on HP Enterprise and Managed-class devices with FutureSmart firmware 4.5 or above. The claim is based on HP review of 2017 published embedded security features of competitive in-class printers. Only HP offers a combination of security features for integrity checking down to the BIOS with self-healing capabilities. For a list of compatible products, visit: hp.com/go/PrintersThatProtect. For more information, visit: hp.com/go/printersecurityclaims.
Select HP LaserJet Pro, OfficeJet Pro, and PageWide Pro devices include embedded features that can detect and stop an attack. For more information, please visit hp.com/go/PrintersThatProtect.
HP JetAdvantage Security Manager must be purchased separately. To learn more, please visit hp.com/go/securitymanager.