
Accessing PC through network printer?


mahohmei


I'm the sysadmin for a university academic department, and I have a user who is receiving confidential information from the federal government.

The terms of the contract are that the data must be worked on with a standalone PC that has the NIC disabled in the BIOS, and the data must be stored encrypted. No problem; this is all easy. The user may export data to CD or print it for use, but must shred the CD or paper when finished. No problem.

She'd also like to be able to print documents. Again, no problem...printer connected via USB.

The office housing this standalone PC has a network printer in it. When one prints from the network-connected PC in that room, they just use IP printing.

I'm eyeing the unused USB port on the printer. If I were to connect the printer's USB port to the standalone PC, and the printer is connected to the network at large, I would be technically satisfying the contract, but there would not be a true airgap.

Has anyone out there ever heard of a successful attack on a PC being carried by network <-Ethernet-> network printer <-USB-> standalone PC? I'm conceptually thinking about someone flashing the printer's firmware to turn the printer into a USB rubber ducky or USB docking station.

I'm assuming here that the attacker would not have physical access to the printer.

Thanks!

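The scenario in the question, a printer whose firmware makes it present itself over USB as a keyboard or a network adapter, would be visible on the host as extra USB interface classes on the printer's device. The following is an added example, not part of the thread, that lists them; it assumes the standalone PC runs Linux with the usual sysfs USB tree, and the function name and class table are the example's own.

```python
"""Flag USB devices that expose a printer interface plus anything else."""
from pathlib import Path

# USB-IF base class codes as found in bInterfaceClass
CLASS_NAMES = {
    0x02: "communications (CDC control)",
    0x03: "HID (keyboard/mouse)",
    0x07: "printer",
    0x08: "mass storage",
    0x0A: "CDC data",
    0xE0: "wireless controller",
    0xEF: "miscellaneous",
    0xFF: "vendor-specific",
}
PRINTER = 0x07


def audit_usb(sysfs_root="/sys/bus/usb/devices"):
    """Return {device: [(interface, class_code, class_name), ...]} for each
    device that has a printer interface AND at least one other interface."""
    by_device = {}
    # Interface directories are named <bus>-<port>:<config>.<interface>
    for iface in sorted(Path(sysfs_root).glob("*:*")):
        cls_file = iface / "bInterfaceClass"
        if not cls_file.is_file():
            continue
        code = int(cls_file.read_text().strip(), 16)  # file holds hex, e.g. "07"
        device = iface.name.split(":", 1)[0]
        by_device.setdefault(device, []).append((iface.name, code))

    findings = {}
    for device, ifaces in by_device.items():
        classes = {code for _, code in ifaces}
        if PRINTER in classes and classes != {PRINTER}:
            findings[device] = [
                (name, code, CLASS_NAMES.get(code, "unknown"))
                for name, code in ifaces
                if code != PRINTER
            ]
    return findings


if __name__ == "__main__":
    for device, extra in audit_usb().items():
        for name, code, label in extra:
            print(f"{device}: extra interface {name} class 0x{code:02x} ({label})")
```

Multi-function printers legitimately expose scanner or card-reader interfaces, so a finding is something to review against the model's documented behaviour rather than proof of tampering.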

Printers can contain hard drives that retain (some of) the print jobs with full content.

See the video this guy posted starting from 5:00. Granted, he's talking about a copier, but I wouldn't be at all surprised if the bigger printers have one as well.

Edited by Cooper

If it is a bigger printer then it could well be running a Java VM, and if that is the case then it can be quite easy to remotely upload your own Java bytecode for it to run. At the very least I would say that it would be trivial to put together some bytecode to email all print jobs to someone.

To play safe I would give them a separate USB printer connected to the machine.


Big printers run Java these days? Slightly surprising given the still fairly deplorable state of printing in Java apps.

But yeah, I think the separate USB printer is the way to go. The cheaper the better as there's likely to be anything on there that retains state.


For the effort you are going to for the rest of this I'd shell out the few dollars for a cheap USB printer and connect that. Even if the risk from the current printer is so small that it is realistically nothing you don't want the hassle of it being part of the investigation if the data does leak.


For the effort you are going to for the rest of this I'd shell out the few dollars for a cheap USB printer and connect that. Even if the risk from the current printer is so small that it is realistically nothing you don't want the hassle of it being part of the investigation if the data does leak.

There's your answer!


I would think print spooling from the PC instead of spooling directly to the printer may be more ideal in this situation. Maybe the printer would not retain much of anything using this setting?!

Doubtful. Such printers would receive jobs in full before starting on them. That your PC has it spooled first doesn't make a lick of difference, not in the least because the printer itself doesn't know that and even if it did, it couldn't do anything with that info since you could pull the plug at any time.


A possible way that popped up in my brain would be via the printer's web interface.

If malware is planted there, it could infect the admin PC when he's setting up the system. And from there it could spread through the whole network... in theory.

