mahohmei Posted January 27, 2015

I'm the sysadmin for a university academic department, and I have a user who is receiving confidential information from the federal government. The terms of the contract are that the data must be worked on with a standalone PC that has the NIC disabled in the BIOS, and the data must be stored encrypted. No problem; this is all easy. The user may export data to CD or print it for use, but must shred the CD or paper when finished. No problem. She'd also like to be able to print documents. Again, no problem...printer connected via USB.

The office housing this standalone PC has a network printer in it. When one prints from the network-connected PC in that room, they just use IP printing. I'm eyeing the unused USB port on the printer. If I were to connect the printer's USB port to the standalone PC, and the printer is connected to the network at large, I would be technically satisfying the contract, but there would not be a true airgap.

Has anyone out there ever heard of a successful attack on a PC being carried by network <-Ethernet-> network printer <-USB-> standalone PC? I'm conceptually thinking about someone flashing the printer's firmware to turn the printer into a USB rubber ducky or USB docking station. I'm assuming here that the attacker would not have physical access to the printer.

Thanks!
barry99705 Posted January 27, 2015

Not that I've ever heard of. I'm sure it's possible, but the odds of that happening would be about the same as winning the lotto.
digip Posted January 27, 2015

I could be wrong, but check with http://www.remote-exploit.org/articles/printfs/index.html and see if it can leverage access off or pivot from said printer to PC.
cooper Posted January 27, 2015 (edited January 27, 2015 by Cooper)

Printers can contain hard drives that retain (some of) the print jobs with full content. See the video this guy posted starting from 5:00. Granted, he's talking about a copier but I wouldn't be at all surprised if the bigger printers have one as well.
Jason Cooper Posted January 27, 2015

If it is a bigger printer then it could well be running a Java VM, and if that is the case then it can be quite easy to remotely upload your own Java bytecode for it to run. At the very least I would say that it would be trivial to put together some bytecode to email all print jobs to someone. To play safe I would give them a separate USB printer connected to the machine.
cooper Posted January 27, 2015

Big printers run Java these days? Slightly surprising given the still fairly deplorable state of printing in Java apps. But yeah, I think the separate USB printer is the way to go. The cheaper the better as there's likely to be anything on there that retains state.
digininja Posted January 27, 2015

For the effort you are going to for the rest of this I'd shell out the few dollars for a cheap USB printer and connect that. Even if the risk from the current printer is so small that it is realistically nothing you don't want the hassle of it being part of the investigation if the data does leak.
barry99705 Posted January 28, 2015

> For the effort you are going to for the rest of this I'd shell out the few dollars for a cheap USB printer and connect that. Even if the risk from the current printer is so small that it is realistically nothing you don't want the hassle of it being part of the investigation if the data does leak.

There's your answer!
d34d5t4r Posted February 3, 2015

I would think print spooling from the PC instead of spooling directly to the printer may be more ideal in this situation. Maybe the printer would not retain much of anything using this setting?!
cooper Posted February 3, 2015

> I would think print spooling from the PC instead of spooling directly to the printer may be more ideal in this situation. Maybe the printer would not retain much of anything using this setting?!

Doubtful. Such printers would receive jobs in full before starting on them. That your PC has it spooled first doesn't make a lick of difference, not in the least because the printer itself doesn't know that and even if it did, it couldn't do anything with that info since you could pull the plug at any time.
Broti Posted February 3, 2015

A possible way that popped up in my brain would be via the printer's web interface. If malware is planted there, it could infect the admin PC when he's setting up the system. And from there it could spread through the whole network... in theory.
barry99705 Posted February 4, 2015

We always dban our client's leased printer drives when they swap them out. So far none of the printer companies have complained.
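
The opening post's concern, a network printer that starts presenting itself over USB as a keyboard ("rubber ducky") or a docking station, can be checked from the standalone PC by looking at which USB interface classes the attached device declares. The following is an added example, not part of any post in this thread; it assumes a Linux host (the sysfs `descriptors` files), and the function names, the class policy and the sample descriptors are constructed for illustration.

```python
import glob
import struct

PRINTER = 0x07
# Interface classes a print-only device has no reason to expose (policy chosen for this example).
UNEXPECTED = {0x02: "CDC communications/network", 0x03: "HID (keyboard/mouse)",
              0x0A: "CDC data", 0xE0: "wireless controller"}

def interface_classes(raw):
    """Return bInterfaceClass for every interface descriptor in a raw descriptor blob."""
    classes, i = [], 0
    while i + 2 <= len(raw):
        length, dtype = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                      # malformed or truncated descriptor: stop walking
        if dtype == 0x04 and length >= 9:
            classes.append(raw[i + 5])
        i += length
    return classes

def vid_pid(raw):
    """idVendor:idProduct from the 18-byte device descriptor at the start of the blob."""
    vid, pid = struct.unpack_from("<HH", raw, 8)
    return f"{vid:04x}:{pid:04x}"

def audit(raw):
    """Unexpected interface names for a device that also claims to be a printer."""
    classes = interface_classes(raw)
    if PRINTER not in classes:
        return []
    return sorted({UNEXPECTED[c] for c in classes if c in UNEXPECTED})

# Constructed sample descriptors (not captured from a real printer).
def _blob(*classes):
    dev = bytes([18, 1, 0, 2, 0, 0, 0, 64, 0x34, 0x12, 0x78, 0x56, 0, 1, 0, 0, 0, 1])
    ifs = b"".join(bytes([9, 4, n, 0, 0, c, 1, 1, 0]) for n, c in enumerate(classes))
    cfg = bytes([9, 2]) + struct.pack("<H", 9 + len(ifs)) + bytes([len(classes), 1, 0, 0x80, 50])
    return dev + cfg + ifs

CLEAN = _blob(0x07)                 # printer interface only
SUSPECT = _blob(0x07, 0x03, 0x02)   # printer plus keyboard-style HID plus network

if __name__ == "__main__":
    # Assumption: Linux, where sysfs exposes each device's raw descriptors.
    for path in glob.glob("/sys/bus/usb/devices/*/descriptors"):
        with open(path, "rb") as fh:
            raw = fh.read()
        if len(raw) >= 18 and audit(raw):
            print(path, vid_pid(raw), audit(raw))
```

A device that stops declaring the printer class altogether is outside this check; recording the expected vendor:product ID and interface list once and comparing against it on each connection covers that case.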