Printers, desk phones, and other office hardware cannot be protected using normal security software.
To most people, office printers are innocuous workplace gathering points—places to complain about the ever-disappearing toner or that colleague who apparently loves killing trees. To Ang Cui, they are high-value targets that give hackers a way to breach sensitive systems and steal trade secrets.
Red Balloon Security, a startup cofounded by Cui, has developed technology that can protect such equipment from hackers. This involves watching for signs of tampering with the low-level code—or firmware—that runs on these devices. The company plans to demonstrate the first device injected with the defensive code, a Cisco IP phone, this week.
“Printers are low-hanging fruit,” says Cui, a 30-year-old PhD student at Columbia University, who has demonstrated numerous techniques for hacking into printers and other office hardware. “Most firmware was written a decade ago, when attacks against them weren’t envisioned,” he says. Ordinary office equipment is increasingly computerized and connected to the corporate network. Office phones, for example, are often networked, allowing calls to be rerouted and voice-mail messages to be e-mailed. This hardware represents an attractive target for hackers, but because the machines were never perceived as a potential vulnerability, there is no way to run conventional antivirus software on them.
In late 2011, Cui showed how sending carefully crafted commands to a Hewlett-Packard LaserJet printer could give an attacker remote control over the machine, thereby providing a way to collect sensitive data and sneak past normal corporate security measures. Cui scanned the Internet for vulnerable printers and found 201 unprotected machines at the Department of Defense. HP was prompted to release firmware updates for 56 different printer models.
Millions more machines, including routers, network switches, and industrial equipment, rely on the kind of embedded software that Cui’s work focuses on. “The issue about printer vulnerabilities is but the tip of the proverbial iceberg,” says Salvatore Stolfo, Cui’s advisor at Columbia and a cofounder of Red Balloon Security.
The startup is refining an idea Cui came up with in 2009, when he created so-called symbiote code, which can be added to firmware to modify it without disrupting its normal behavior. Once meshed with the firmware, this code can help prevent a malicious attack. Last year, Cui demonstrated an automated way to unpack and modify firmware, making it easier to add this symbiote code to different types of hardware. The researchers plan to release more details of the technology later this month. “We’re not ‘installing’ symbiotes into embedded devices in the traditional sense, like you install a program onto your laptop,” Cui explains. “We are modifying the actual binary of the embedded program itself.”
The symbiote code modifies a machine’s firmware in a random way, which means that “what an attacker may learn about one instance of a specific device will not be useful to attack the entire set of such devices,” says Stolfo. “As it now stands today, any exploit an attacker develops for a particular embedded device works for all of those devices.”
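The two properties described above, a monitor woven into the firmware that notices when the code has been altered, and per-device randomization so that what is learned from one unit does not transfer to the next, can be illustrated in a small C program. This is an added example, not Red Balloon's symbiote (the article gives no implementation details): the firmware image is simulated as a byte array, the integrity check is a keyed FNV-1a hash over fixed-size chunks, and each instance is given a different salt that keys the hash and shuffles the order in which chunks are checked.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed illustration of a firmware-integrity monitor in the spirit of
   a "symbiote". A real one would read the device's code memory in place;
   here the firmware image is a plain byte array. */

#define FW_SIZE 4096
#define CHUNK   256
#define NCHUNKS (FW_SIZE / CHUNK)
#define FNV_OFFSET 0xcbf29ce484222325ULL

typedef struct {
    uint64_t salt;               /* per-instance value, differs on every device */
    uint64_t baseline[NCHUNKS];  /* keyed hash of each chunk at injection time */
    size_t   order[NCHUNKS];     /* per-instance randomized walk order */
} symbiote_t;

/* FNV-1a over a buffer, starting from a caller-supplied state so that the
   per-instance salt keys the result. Each step is a bijection on the state,
   so two different salts can never yield the same hash of the same chunk. */
static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* xorshift64: small deterministic PRNG used only to shuffle the check order. */
static uint64_t xs(uint64_t *s) { *s ^= *s << 13; *s ^= *s >> 7; *s ^= *s << 17; return *s; }

/* Record the baseline hashes and derive an instance-specific check order. */
void symbiote_init(symbiote_t *sb, const uint8_t *fw, uint64_t salt) {
    sb->salt = salt;
    for (size_t i = 0; i < NCHUNKS; i++) {
        sb->order[i] = i;
        sb->baseline[i] = fnv1a(salt ^ FNV_OFFSET, fw + i * CHUNK, CHUNK);
    }
    uint64_t s = salt | 1;                       /* xorshift must not start at 0 */
    for (size_t i = NCHUNKS - 1; i > 0; i--) {   /* Fisher-Yates shuffle */
        size_t j = (size_t)(xs(&s) % (i + 1));
        size_t t = sb->order[i]; sb->order[i] = sb->order[j]; sb->order[j] = t;
    }
}

/* Walk the chunks in this instance's order; return the index of the first chunk
   whose hash no longer matches its baseline, or -1 if the image is intact. */
int symbiote_check(const symbiote_t *sb, const uint8_t *fw) {
    for (size_t k = 0; k < NCHUNKS; k++) {
        size_t i = sb->order[k];
        uint64_t h = fnv1a(sb->salt ^ FNV_OFFSET, fw + i * CHUNK, CHUNK);
        if (h != sb->baseline[i]) return (int)i;
    }
    return -1;
}

/* Fill a constructed firmware image with deterministic non-trivial content. */
static void make_image(uint8_t *fw) {
    for (size_t i = 0; i < FW_SIZE; i++) fw[i] = (uint8_t)(i * 31 + 7);
}

/* Scenario: build an image, inject a symbiote with `salt`, optionally flip one
   byte at `off` (off < 0 leaves the image pristine), and report what the
   monitor sees. */
int scenario_check(long off, uint64_t salt) {
    uint8_t fw[FW_SIZE];
    symbiote_t sb;
    make_image(fw);
    symbiote_init(&sb, fw, salt);
    if (off >= 0 && off < FW_SIZE) fw[off] ^= 0x01;   /* simulated one-byte patch */
    return symbiote_check(&sb, fw);
}

/* How many baseline values two instances of the same image share. With distinct
   salts this is 0: knowing one device's check values says nothing about another. */
int scenario_shared(uint64_t salt_a, uint64_t salt_b) {
    uint8_t fw[FW_SIZE];
    symbiote_t a, b;
    make_image(fw);
    symbiote_init(&a, fw, salt_a);
    symbiote_init(&b, fw, salt_b);
    int n = 0;
    for (size_t i = 0; i < NCHUNKS; i++) if (a.baseline[i] == b.baseline[i]) n++;
    return n;
}

int main(void) {
    printf("pristine image: %d\n", scenario_check(-1, 0x1111));
    printf("one-byte patch at 1000, first bad chunk: %d\n", scenario_check(1000, 0x1111));
    printf("baselines shared by two instances: %d\n", scenario_shared(0x1111, 0x2222));
    return 0;
}
```

The salt is the only thing that differs between instances, yet both the stored check values and the order in which code is inspected change with it; an attacker who has dumped one unit's baselines or timed its check loop learns nothing that applies to the next unit, which is the diversification point Stolfo makes above.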
Red Balloon’s cofounders say they have contracted with several companies and U.S. government agencies but have not disclosed who they are working with; the startup doesn’t have a formal relationship with Cisco for now.
“There’s probably interest in this technology from the military, governments, and banks concerned about state-connected authors using malware as a launching-off point to carry out espionage and steal trade secrets,” says Justin Cappos, a systems security professor at NYU-Poly’s Department of Computer Science. But he adds that vendors will need to feel that demand justifies the extra cost of hardening devices across their product lines.
Widespread adoption will hinge on whether manufacturers like HP believe the technology will help them sell more printers. “I’m not sure if your typical end user would be worrying about their printers being remotely ‘hackable,’” Cappos says.