0:00:00.000,0:00:19.255
35C3 preroll music
0:00:19.255,0:00:30.393
Herald Angel: So… Yaniv Balmas is a[br]software engineer and he started tinkering
0:00:30.393,0:00:35.558
with Commodore's C64 when he was 8[br]years old.
0:00:35.558,0:00:38.836
He was kind of a teenage hacker of games as well.
0:00:38.836,0:00:43.497
And now he's in the security field and he[br]got interested in the fax machine
0:00:43.497,0:00:51.762
together with his friend Eyal Itkin, who[br]is also a security guy and malware researcher.
0:00:51.762,0:00:57.373
And together they're going to tell us[br]about the fax machines and What The Fax?!
0:00:57.373,0:01:00.911
Why are people still using those machines?
0:01:00.911,0:01:03.805
And it's gonna be really interesting I think.
0:01:03.805,0:01:08.278
And the title is also[br]"Hacking your network like it's 1980 again"
0:01:08.278,0:01:12.308
I'm really excited. Please give a warm[br]round of applause to those two guys.
0:01:12.308,0:01:15.552
applause
0:01:15.552,0:01:25.159
fax modem sounds
0:01:31.259,0:01:35.568
Yaniv: Thank you, thank you guys.[br]Hi, CCC!
0:01:35.568,0:01:39.276
You probably know this sound, right?[br]And now get to know us:
0:01:39.276,0:01:44.553
My name is Yaniv Balmas, I'm a security[br]researcher. I work at Check Point Research,
0:01:44.553,0:01:50.172
and with me here today is Eyal Itkin, also a[br]security researcher, also works at
0:01:50.172,0:01:55.269
Check Point Research, and let's begin[br]with talking a bit about the history of fax.
0:01:55.269,0:01:59.131
So I guess that not many of you know[br]that fax started,
0:01:59.131,0:02:03.745
it was first invented in 1846 by a scientist[br]called Alexander Bain.
0:02:03.745,0:02:09.480
Fun fact, this happened 20 years before[br]the invention of the light bulb.
0:02:09.480,0:02:14.060
And then it had some more advances to it,[br]this is the actual first thing that looked
0:02:14.060,0:02:16.582
like a fax machine, a standard fax machine.
0:02:16.582,0:02:20.710
And again, this thing was invented 20[br]years before the invention of the telephone.
0:02:20.710,0:02:25.292
So humanity was sending faxes before we[br]had light or talked over the phone.
0:02:25.292,0:02:29.948
And then there was some more[br]advancements like radio fax,
0:02:29.948,0:02:34.894
and another important point in time is[br]1966, where a small unknown company
0:02:34.894,0:02:39.995
called Xerox invented – came out with the[br]first commercial fax machine.
0:02:39.995,0:02:42.988
This is the advertisement for it.
0:02:42.988,0:02:49.805
And in 1980 a strange organization[br]called ITU defined the core standards for fax.
0:02:49.805,0:02:56.234
Namely it's T.30, T.4, T.6, and those[br]standards are still the same standards
0:02:56.234,0:03:00.304
that we use today – basically, with just[br]minor changes to them.
0:03:00.304,0:03:05.065
So this was all in the past.[br]But what's happening today?
0:03:05.065,0:03:09.512
I mean today we have far better ways[br]to send electronic documents
0:03:09.512,0:03:11.544
from one to the other, right?
0:03:11.544,0:03:14.882
You know, let's compare fax to just, I dunno,[br]off the top of my head
0:03:14.882,0:03:21.704
just, you know, one method like, let's say, email.[br]And just to, you know, remind you.
0:03:21.704,0:03:27.758
We are comparing this… to this, okay?[br]So… let's look at some of the features here.
0:03:27.758,0:03:36.433
In terms of quality, in terms of accessibility,[br]I'm pretty sure that all of you here
0:03:36.433,0:03:43.424
have 24/7 access to emails. Not so sure[br]you're carrying around your fax machines with you.
0:03:43.424,0:03:48.679
In terms of reliability, well, when you[br]send a fax, you don't really know
0:03:48.679,0:03:52.979
if it got received or not. Yes, there is[br]this strange confirmation page,
0:03:52.979,0:03:55.910
but it doesn't really mean anything.[br]I mean, if there's no paper in the
0:03:55.910,0:04:01.812
receiving fax, you still get it. If the[br]dog ate it, you still get it.
0:04:01.812,0:04:08.895
There's absolutely no reliability in fax.[br]Regarding authenticity, well, we can argue
0:04:08.895,0:04:12.638
about emails, if it's authenticated or[br]not, it could be forged, of course.
0:04:12.638,0:04:16.449
But we do have public key cryptography[br]and stuff like that, that will help us
0:04:16.449,0:04:21.842
when talking about emails, while we don't have…[br]we don't have nothing when it comes to fax.
0:04:21.842,0:04:26.487
Absolutely no authenticity. So, if we're[br]looking at this table, one might think to
0:04:26.487,0:04:31.307
himself: Okay, so… Who the hell still[br]uses fax today? It's 2018.
0:04:31.307,0:04:37.285
I mean, it deserves a place in the museum[br]of great technologies and that's it.
0:04:37.285,0:04:40.144
So, nobody is using fax today, right?
0:04:40.227,0:04:41.796
Wrong.
0:04:41.858,0:04:44.929
Everybody is using fax today.
0:04:44.929,0:04:52.322
You see, fax is used to send these very[br]critical maritime maps to ships at open seas
0:04:52.322,0:04:57.924
90% of the Japanese population uses fax –[br]according to Wikipedia at least.
0:04:57.924,0:05:02.965
And if you google any kind of combos like[br]"contact us" and "fax" or stuff like that,
0:05:02.965,0:05:08.379
you will come up with something like[br]300 million results. 300 million published
0:05:08.379,0:05:13.006
fax numbers in Google. And that's not[br]counting the unpublished numbers.
0:05:13.006,0:05:17.978
That's a huge amount of numbers. But it's[br]not all about numbers. It's not "how many
0:05:17.978,0:05:22.126
fax machines are out there?", but it's[br]also "Who is using fax?"
0:05:22.126,0:05:25.957
You see, if you're a small corporation, a[br]medium corporation, a huge corporation,
0:05:25.957,0:05:30.344
you have fax. Not necessarily anybody is[br]sending fax to this number, but there is a
0:05:30.344,0:05:35.614
fax machine sitting there waiting for a[br]fax to be received. If you're a bank,
0:05:35.614,0:05:41.211
you simply love faxes. This is[br]Bank of China, the biggest bank in the
0:05:41.211,0:05:47.129
world, and that's the fax number of it.[br]I think most importantly, if you're a
0:05:47.129,0:05:49.697
government organization… you…[br]laughter
0:05:49.697,0:05:53.362
… simply wake up in the morning and you[br]want to have more fax. This is
0:05:53.362,0:05:56.979
Donald Trump's fax number if anybody wants[br]to send him a fax. Go ahead.
0:05:56.979,0:06:02.975
That's it. It's not a secret, it's from[br]Google… We should send him something
0:06:02.975,0:06:10.020
by the way. And the thing is that, you know, those[br]banks and government institutions, they
0:06:10.020,0:06:14.844
don't only support fax, allow you to send[br]fax, the funny thing is that actually most
0:06:14.844,0:06:18.726
of the time, it's mandatory to send fax,[br]there is no other way. You can either
0:06:18.726,0:06:22.473
postal mail it, or fax it. They didn't[br]hear about anything else.
0:06:22.473,0:06:26.426
So we looked at this, state of affairs, [br]strange state of affairs,
0:06:26.426,0:06:31.063
and said to ourselves: "This looks[br]strange". I mean, it can't be true.
0:06:31.063,0:06:35.840
Humanity came so far and we're still using[br]these old technologies, so…
0:06:35.840,0:06:38.572
What The Fax?!
0:06:38.572,0:06:43.369
And we decided to try and do something[br]about it. And we started very long
0:06:43.369,0:06:50.224
research to try and find some security[br]vulnerabilities in fax. And before we do
0:06:50.224,0:06:56.698
that, we need to explain what fax looks[br]like today. You see, today fax doesn't
0:06:56.698,0:07:01.888
look like it looked 20 or 30 years ago. [br]Then, it was just standalone fax machines.
0:07:01.888,0:07:02.618
Right?
0:07:02.618,0:07:08.382
Today, fax is mostly old technology[br]embedded within newer technology.
0:07:08.382,0:07:16.030
So, we have fax to email services or email[br]to fax services, we have as I said before,
0:07:16.030,0:07:22.237
radio fax and fax over satellite and stuff[br]like that. I think most commonly, we have
0:07:22.237,0:07:28.725
this. These machines. All-in-one printers.[br]You buy them, they scan, they print.
0:07:28.725,0:07:32.525
And they fax. It actually comes with a[br]phone cable out of the box, so you can
0:07:32.525,0:07:37.341
connec… I guess most people connect it?[br]I also think that is the most common
0:07:37.341,0:07:41.838
faxing solution today. So we decided to[br]take a look at these machines.
0:07:41.838,0:07:47.412
These fax machines.[br]If you look at these boxes
0:07:47.412,0:07:52.248
from a security point of view you can[br]imagine them to be just black boxes.
0:07:52.248,0:07:56.464
And those black boxes have interfaces.[br]In one side of the box we have interfaces
0:07:56.464,0:08:02.021
like WiFi, bluetooth, ethernet, stuff like[br]that, these interfaces connect the printer
0:08:02.021,0:08:05.751
to the internal network, the external[br]network, basically it connects it to the
0:08:05.811,0:08:11.534
world. And on the other side of this box,[br]there's this little interface here that
0:08:11.534,0:08:16.721
connects this black box to somewhere[br]to the 1970s I would say.
0:08:16.721,0:08:18.396
Laughter
0:08:18.396,0:08:19.986
So that's pretty funny.
0:08:20.041,0:08:26.894
And if you remember, at the end of the day[br]these printers are basically nothing but
0:08:26.894,0:08:31.468
computers. They have CPUs, they have[br]memories, they have operating systems,
0:08:31.476,0:08:34.598
they are computers. Not standard ones,[br]but they are computers.
0:08:34.598,0:08:39.871
And we were thinking to ourselves, imagine[br]this scenario: There's an attacker sitting
0:08:39.871,0:08:45.326
somewhere in the world. All he has is[br]access to a phone line and his target's fax
0:08:45.326,0:08:50.366
number. What will happen if this attacker,[br]this guy, would be able to send a
0:08:50.366,0:08:55.443
malicious fax and with this malicious fax[br]he would be able to exploit the printer.
0:08:55.448,0:09:00.958
Then he has complete control over the[br]printer, right? If he does that, he could
0:09:00.978,0:09:07.196
then maybe pivot through any one of those [br]other interfaces, let's say the Ethernet
0:09:07.196,0:09:12.228
and jump from this printer to the rest of[br]the network, the internal network.
0:09:12.228,0:09:16.778
Effectively creating a bridge between the[br]external world and the internal network
0:09:16.778,0:09:20.090
through the phone line.[br]That's 1980s again!
0:09:20.090,0:09:26.377
So we thought this is a really cool attack[br]scenario and we decided to accept this
0:09:26.377,0:09:31.774
challenge and go for it. Try and actually[br]show this thing happening in reality.
0:09:31.774,0:09:37.282
We were really excited about this.[br]But then after we slept a bit and drank
0:09:37.282,0:09:42.797
a bit, sat down and talked about it, we[br]kind of found out that there is like a lot
0:09:42.797,0:09:47.920
of challenges, really hard challenges in[br]front of us and we're not really sure how
0:09:47.920,0:09:54.148
to deal with them. Let me name just a few[br]of them. One of the challenges is how do
0:09:54.148,0:09:58.010
we obtain the firmware. The code that this[br]printer runs. It's not like you have it
0:09:58.010,0:10:02.566
everywhere. And after we get it, how do we[br]analyze this firmware?
0:10:02.566,0:10:03.776
After we analyze it,
0:10:03.776,0:10:07.521
we need to understand what operating[br]system are those printers running.
0:10:07.521,0:10:10.122
And then we need to understand how to[br]debug a printer.
0:10:10.122,0:10:11.792
I never debugged a printer before.
0:10:11.792,0:10:15.098
I need to understand how to debug[br]a printer. And after we do all that,
0:10:15.098,0:10:20.032
we need to understand… How does fax even[br]work? We only know the beeping sounds like
0:10:20.032,0:10:25.823
most of us I think. And after we did all[br]that, we can start talking about where can
0:10:25.823,0:10:29.325
we find vulnerabilities inside this[br]big, big, big ecosystem.
0:10:29.325,0:10:33.716
And today, we'll try to take you through[br]these challenges, one-by-one and explain
0:10:33.716,0:10:38.157
how to do it until we'll be able to[br]actually do the scenario that we just
0:10:38.157,0:10:43.634
showed you. So, let's start with the first[br]challenge.
0:10:43.634,0:10:49.282
How do we obtain the firmware [br]for the printer?
0:10:49.282,0:10:53.082
So, meet our nice printer.[br]It's an HP inkjet printer,
0:10:53.082,0:10:59.237
an HP Officejet printer, we chose this[br]model, first of all we chose HP because
0:10:59.237,0:11:03.729
it has like – I think – 40% of the market[br]share so it's not that we dislike HP, we
0:11:03.729,0:11:07.632
really like them, but unfortunately for[br]them, they are just the biggest target out
0:11:07.632,0:11:12.108
there. And this specific model, well we[br]had a lot of reasons why we chose this
0:11:12.108,0:11:16.800
printer. But basically it's the cheapest[br]one.
0:11:16.800,0:11:19.267
Laughter
0:11:19.267,0:11:23.029
We bought it. We didn't have a lot of[br]budget. We bought it and we abused it for
0:11:23.029,0:11:30.716
a lot of time. And our goal was to break[br]fax, but before we do that, we had to
0:11:30.716,0:11:36.877
break the printer. I mean literally break[br]the printer. So yeah, that was the fun
0:11:36.877,0:11:42.320
part of the project, we broke it. And[br]inside the printer we find this thing:
0:11:42.320,0:11:46.583
The main PCB, the brains behind the[br]printer, and it looks like this.
0:11:46.583,0:11:49.006
Let's map the critical components of it:
0:11:49.006,0:11:53.836
So we have here: Flash ROM, [br]SPANSION some model,
0:11:53.836,0:11:59.131
and then we have some more memory here,[br]this might look like not a lot, because
0:11:59.131,0:12:04.594
the PCB has two sides to it of course,[br]and on the other side of it we have the
0:12:04.594,0:12:08.001
more interesting components, like USB,[br]WiFi, electricity, SRAM,
0:12:08.001,0:12:13.457
battery – probably for the memory but who[br]knows – and now we have two very
0:12:13.457,0:12:18.682
interesting components here. One of them[br]is the main CPU. It's a Marvell CPU, and
0:12:18.682,0:12:23.530
it's proprietarily manufactured for HP.[br]So we can't tell anything about it,
0:12:23.530,0:12:27.526
there's no available specs, nothing.[br]We can just find bits of information
0:12:27.526,0:12:34.712
here and there. And then we have the fax[br]modem. It's located here and it's a
0:12:34.712,0:12:42.717
CSP1040. What we need to understand now is[br]how do these two components operate and
0:12:42.717,0:12:46.646
what is the relationship between them?[br]If we do that, we're one step further.
0:12:46.646,0:12:53.184
So that's what we tried to do. And as I[br]said, the first challenge is to get the
0:12:53.184,0:12:57.153
firmware of this thing. And when we're[br]looking a bit closer into this PCB, we
0:12:57.153,0:13:02.262
find these 2 very interesting interfaces:[br]One of them is a serial debug, the other
0:13:02.262,0:13:08.151
is JTAG. If you're familiar with them, you[br]know that they give you debugging
0:13:08.151,0:13:11.951
capabilities, or at least memory read,[br]memory write, exactly what we need to get
0:13:11.951,0:13:15.444
the firmware. So we're smiling to[br]ourselves saying "Haha, this is going to
0:13:15.444,0:13:19.519
be really easy". But unfortunately it's[br]not. Because the JTAG is, of course,
0:13:19.519,0:13:24.747
disabled completely. We can't do anything[br]with it. And the serial port, we managed
0:13:24.747,0:13:30.228
to connect to it. And we get this terminal[br]that for almost every instruction we type
0:13:30.228,0:13:34.302
gives us this error: "I don't understand".[br]Well, we don't understand either.
0:13:34.302,0:13:35.795
laughter
0:13:36.102,0:13:40.394
But it looks like this terminal is not[br]going to get us very far. So we dropped
0:13:40.394,0:13:45.433
this path and tried and look for other[br]ways to get the firmware and obviously one
0:13:45.433,0:13:52.963
of the most common ways is to try and grab[br]the firmware upgrade and after looking a
0:13:52.963,0:13:59.429
bit in the internet we find this jewel,[br]this FTP site by HP that contains
0:13:59.429,0:14:02.734
every firmware version for[br]every HP product
0:14:02.734,0:14:05.186
ever produced in the history[br]of HP and the Internet
0:14:05.186,0:14:08.130
and a lot of other stuff.
0:14:08.130,0:14:12.713
And it actually took us about, I think, [br]two weeks to find our firmware within
0:14:12.713,0:14:12.963
Laughter
0:14:12.963,0:14:18.197
… this mess of firmwares. But once we[br]did,
0:14:18.197,0:14:21.082
we had a firmware upgrade file.[br]Applause
0:14:21.082,0:14:24.971
Yes, thank you! It's still alive so you[br]can go there and look for some… there's a
0:14:24.971,0:14:29.101
lot of interesting stuff in there. And now[br]we've got ourselves a file. And this file
0:14:29.101,0:14:33.201
is the firmware upgrade file. It's not an[br]executable file, it's just a binary,
0:14:33.201,0:14:36.396
and now we kinda need to understand…
0:14:36.396,0:14:38.924
How do you even upgrade [br]a printer firmware?
0:14:38.924,0:14:42.787
I never did it before. Anybody did it?[br]Anybody upgraded these firmwares? Lately?
0:14:42.787,0:14:46.948
Ah, good. Good for you. Good for you.
0:14:46.948,0:14:52.320
Anyway, the answer to this question is[br]surprisingly… funny, I would say.
0:14:52.320,0:14:54.170
You just print it.
0:14:54.170,0:14:55.170
Laughter
0:14:55.170,0:14:59.366
That's because, you see, a printer[br]receives a firmware upgrade just the same
0:14:59.366,0:15:04.155
way as it receives a normal print job.[br]That's the thing and it's actually pretty
0:15:04.155,0:15:09.504
nice and it's defined in an HP protocol,[br]it's called PCL XL Feature Reference
0:15:09.504,0:15:13.984
Protocol Class 2.1 Supplement. And if[br]you're still sane after reading this like
0:15:13.984,0:15:19.837
300 pages of insanity you understand that[br]this thing defines something called a
0:15:19.837,0:15:24.455
PJL – print job language. If you ever[br]scanned from a printer to the network you
0:15:24.455,0:15:30.198
see this port I think 9100, something like[br]that, open, that you send print jobs to,
0:15:30.198,0:15:35.583
and it's the same port that you send the[br]firmware upgrade to, and that's nice.
0:15:35.583,0:15:38.255
So when we look at the file, it actually[br]confirms this,
0:15:38.255,0:15:41.783
because it actually begins[br]with the words: PJL – Print job language.
0:15:41.783,0:15:44.499
So that's nice. So now we know it's a[br]print job language.
0:15:44.499,0:15:48.317
But unfortunately this document doesn't[br]document anything about the firmware
0:15:48.317,0:15:53.010
upgrade protocol, or anything, [br]because it's HP proprietary.
0:15:53.010,0:15:55.710
So unfortunately we had [br]to do it ourselves
0:15:55.710,0:16:01.931
and analyze this thing. Now I'm not going[br]to take you through the entire process of
0:16:01.931,0:16:07.169
unwrapping this firmware because frankly[br]it's quite boring. But I'll just tell you
0:16:07.169,0:16:11.167
that it's composed of several layers of[br]compression, one of them is called
0:16:11.167,0:16:14.974
NULL decoder, the other is called TIFF[br]decoder, and another one called Delta Raw
0:16:14.974,0:16:21.344
decoder. And the thing is that these[br]things do something like… If the previous
0:16:21.344,0:16:25.685
line was all blanks, and if this line is[br]also all blanks, just write one instead of
0:16:25.685,0:16:30.095
the line, so that gives you some kind of[br]compression, and it makes really a lot of
0:16:30.095,0:16:34.702
sense when you're talking about print jobs[br]because paper has a lot of spaces in it,
0:16:34.702,0:16:39.626
but when you're talking about binary files[br]it makes absolutely no sense to do it this
0:16:39.626,0:16:46.809
way. But still, it just works this way, so[br]after we understand that, we were able to
0:16:46.809,0:16:50.489
decode everything, decompress everything,[br]and we're talking to ourselves and
0:16:50.489,0:16:53.420
laughing, when you're [br]a hammer everything looks like a nail,
0:16:53.420,0:16:56.333
and when you're a printer, [br]everything looks like a print job.
0:16:56.333,0:16:58.000
Laughter
0:16:58.000,0:17:02.241
So that was nice. And now, after we did[br]that, we have a big file that hopefully
0:17:02.241,0:17:04.986
now is our firmware.
0:17:04.986,0:17:07.408
So how do we analyze it?
0:17:07.408,0:17:10.929
Looking at this thing right at the[br]beginning of the file, there's something
0:17:10.929,0:17:14.917
that really looks like a table. It doesn't[br]only really look like a table, it is
0:17:14.917,0:17:20.636
a table. We define it, it looks like this.[br]And what this table defines is a loading
0:17:20.636,0:17:25.560
address, section name and location in[br]binary. So what that means is that our big
0:17:25.560,0:17:30.548
file is actually split into several[br]sections. This table just defines those
0:17:30.548,0:17:35.350
sections. So now we are able to split this[br]big file into several smaller chunks and
0:17:35.350,0:17:40.867
inspect each chunk. The most important[br]chunk, the one that looks most promising
0:17:40.867,0:17:47.102
looks like it contains our firmware. So we[br]took a closer look into that and that's
0:17:47.102,0:17:52.249
what we saw: It actually looks like our[br]firmware. That's because you see: That's
0:17:52.249,0:17:55.412
one of the strings that we've seen here.
0:17:55.412,0:17:56.569
Laughter
0:17:56.569,0:18:00.896
Yeah! We all saw that before, right? It's[br]"Error: I don't understand". But it's not
0:18:00.896,0:18:05.348
completely "Error: I don't understand".[br]There's some missing bytes in here.
0:18:05.348,0:18:09.537
And actually those missing bytes are[br]pretty consistent throughout the entire
0:18:09.537,0:18:13.945
chunk. So although we know that we are[br]looking at the code, we can't actually
0:18:13.945,0:18:18.638
see the code until we have those missing[br]bytes filled. We need to understand: Why
0:18:18.638,0:18:23.764
are they there and what were they replaced[br]with? So let's try to analyze this thing
0:18:23.764,0:18:28.578
together, quickly, now. But first, let's[br]try to understand what is this thing.
0:18:28.578,0:18:34.750
We have a lot of things in mind, every one[br]seemed crazy, but I think the least crazy
0:18:34.750,0:18:40.682
option was that this is yet another form[br]of compression. A really bad one, again.
0:18:40.682,0:18:44.437
Because when we tried to compress this[br]thing with zlib, for example, we get like
0:18:44.437,0:18:49.146
80% better compression than it currently[br]is, and we know that the printer has zlib,
0:18:49.146,0:18:53.895
because we see zlib strings in there, so[br]why not use zlib? I don't know.
0:18:53.895,0:18:57.716
But still, we are left with a challenge.[br]So this is one snippet of the code that
0:18:57.716,0:19:00.420
you just saw, [br]so let's try to decompress this.
0:19:00.420,0:19:03.957
First of all, you need to understand this[br]thing is composed of two types of
0:19:03.957,0:19:08.471
characters, one are ASCII characters,[br]stuff that you can read, and some other
0:19:08.471,0:19:13.781
are stuff that you can't read, non-ASCII[br]characters. And those non-ASCII characters
0:19:13.781,0:19:18.054
are actually those missing bytes that we[br]have. So we need to understand what they
0:19:18.054,0:19:22.135
are, so let's take a closer look at them.[br]And if you stare at this thing long enough
0:19:22.135,0:19:27.386
you'll start seeing some kind of pattern.[br]I'll save you the trouble and just show you.
0:19:27.386,0:19:33.529
It's composed of these one single bytes,[br]and then those double bytes in there.
0:19:33.529,0:19:37.838
And if the distance between the single[br]bytes looks suspiciously patterned,
0:19:37.838,0:19:42.212
8 bytes, 9 bytes, 9 bytes, 8 bytes, over[br]and over again, so what does this mean,
0:19:42.212,0:19:47.094
where is the pattern here? If you look at[br]this from a different angle, maybe the
0:19:47.094,0:19:52.353
pattern will look a bit clearer. You see[br]that F7 and F7, they look the same.
0:19:52.353,0:19:55.469
The FF and FF, they look the same.[br]Something here looks really pattern-ish.
0:19:55.469,0:20:00.044
In order to understand this pattern, you[br]need to sharpen your binary view a bit,
0:20:00.044,0:20:05.124
and if you understand that FF is just[br]8 one bits, and if you do that
0:20:05.124,0:20:08.794
consistently for all of these chunks, you[br]will start seeing the pattern.
0:20:08.794,0:20:13.631
The pattern is that the zero bit always[br]falls within this two-byte hole.
0:20:13.631,0:20:18.131
It's consistent throughout the file. And[br]what this means is that the first byte is
0:20:18.131,0:20:22.638
just a bitmap describing the following[br]8 bytes after it. That's what it means.
0:20:22.638,0:20:27.171
And that's perfect because now we[br]understand what is this single bytes, but
0:20:27.171,0:20:32.202
we still don't understand, what are those[br]double bytes? And they were replaced with
0:20:32.202,0:20:37.615
something, but with what? So if you know[br]anything about compression, you know that
0:20:37.615,0:20:41.572
there's not a lot of options here really.[br]It could be either a forward or backward
0:20:41.572,0:20:46.499
pointer, it could be a dictionary of some[br]sort, or it could be a sliding window.
0:20:46.499,0:20:50.200
Now we can pretty easily confirm that[br]it's not a forward/backward pointer just
0:20:50.200,0:20:54.167
because we tried to follow the references[br]in the file, we see nothing that should be
0:20:54.167,0:20:58.922
there, same goes for dictionary. We can't[br]find anything that's consistent enough to
0:20:58.922,0:21:03.000
be a dictionary. So it leaves us only with[br]the option of a sliding window.
0:21:03.000,0:21:08.366
Once we're equipped with this information,[br]we go to our favorite place, to Google.
0:21:08.366,0:21:12.821
And try to find some similar[br]implementations to this. Luckily for us,
0:21:12.821,0:21:18.797
in some very dark corner of the internet,[br]we find this wiki page. It defines
0:21:18.797,0:21:25.145
something called a Softdisk Library[br]Format. I won't ask if someone knows what
0:21:25.145,0:21:31.988
Softdisk is, because probably somebody[br]knows here, it's CCC after all. But inside
0:21:31.988,0:21:35.817
this thing it defines some kind of[br]compression algorithm that looks very
0:21:35.817,0:21:41.623
similar to ours. It looks actually really[br]really like ours. Actually, it's exactly
0:21:41.623,0:21:48.299
our compression algorithm. So yeah. That's[br]nice. And I think the funny thing here is
0:21:48.299,0:21:53.786
that this compression algorithm was used[br]in the past somewhere, and only there.
0:21:53.786,0:21:56.221
Can you guess where?
0:21:56.235,0:21:58.612
Waiting for response from the audience
0:21:58.612,0:22:03.820
Uh, yeah, somebody who didn't see chuckles[br]this presentation before?
0:22:04.116,0:22:06.661
Yeah! It was used in Commander Keen.
0:22:06.661,0:22:09.230
Softdisk is the company who produced[br]Commander Keen.
0:22:09.230,0:22:12.181
So the compression algorithm [br]from Commander Keen made its way,
0:22:12.181,0:22:17.094
somehow, into the entire HP line of[br]products.
0:22:17.094,0:22:18.860
Laughter
0:22:18.860,0:22:23.284
Applause
0:22:23.284,0:22:27.577
How? I don't know! You can check if there[br]was anybody who was fired from Softdisk
0:22:27.577,0:22:32.062
and hired in HP. Probably that would be my[br]guess. But we'll never know.
0:22:32.062,0:22:36.757
So now we understand exactly what is this[br]thing, and how does this compression work.
0:22:36.757,0:22:40.687
We have the missing data that we need. And[br]this data means that those two bytes are
0:22:40.687,0:22:44.541
actually composed of window location and[br]data length. And that's all we need, and
0:22:44.541,0:22:48.404
let me show you, like really quickly, how[br]this compression works. So we have an
0:22:48.404,0:22:51.950
input text, output text and sliding[br]window. We want to compress this string
0:22:51.950,0:22:56.397
over here, and let's try and do it.[br]So first byte is the bitmap, so we leave
0:22:56.397,0:23:01.170
it empty for now. Then, second byte, we[br]start with "A". So we place it both in the
0:23:01.170,0:23:05.447
output text and in the sliding window.[br]Then we go to "B", same thing. "C", same
0:23:05.447,0:23:09.717
thing. "D", again, and now we get to "A".[br]But "A" is already present in the sliding
0:23:09.717,0:23:13.631
window, so we don't need to write it in[br]the output text, we can just do
0:23:13.631,0:23:19.183
nothing and then go to "B", same thing,[br]it's just the following character in the
0:23:19.183,0:23:23.735
sliding window, and then when we get to[br]"E", we just write "00 02". That means
0:23:23.735,0:23:28.636
"Go to the sliding window at position 0,[br]and take the first two bytes". That's what
0:23:28.636,0:23:33.420
it means. Then we continue to "E", "F",[br]"G", after we did that, we input our
0:23:33.420,0:23:38.490
bitmap here, and now we know the bitmap[br]value and that's all there is to it.
0:23:38.490,0:23:40.130
That's the compression algorithm.
0:23:40.130,0:23:42.885
It's pretty easy[br]looking at it this way, right?
0:23:42.885,0:23:48.979
Looking at it in reverse is a bit more[br]difficult, but yes, now we can do that.
0:23:48.979,0:23:52.839
And now we completely open everything, and[br]yes, we have our firmware, you can read
0:23:52.839,0:23:56.321
everything. It's actual code. And now we[br]need to understand:
0:23:56.321,0:24:00.139
What does this code mean? And basically,[br]first of all, we need to understand what
0:24:00.139,0:24:03.984
architecture is this, what is the[br]operating system and so on and so on.
0:24:03.984,0:24:09.771
So it took us quite some time to do that.[br]But let me give you a brief explanation.
0:24:09.771,0:24:13.575
First of all, the operating system is[br]called ThreadX. It's a real-time operating
0:24:13.575,0:24:20.707
system. The CPU, the processor, is ARM9[br]big-endian, and then it has several
0:24:20.707,0:24:25.039
components to it, like stuff that's[br]related to system, some common libraries,
0:24:25.039,0:24:31.936
and tasks. Tasks are the equivalent of[br]processes in normal operating systems.
0:24:31.936,0:24:37.129
In the system stuff we have boot loaders[br]and some networking functionality and some
0:24:37.129,0:24:43.356
other stuff, Common Libraries we have a[br]lot of common libraries, and tasks, once
0:24:43.356,0:24:46.811
we're able to isolate them, we can[br]understand exactly the tasks, and once
0:24:46.811,0:24:52.677
we do that, we now know that all we need[br]to do is focus on these tasks, because
0:24:52.677,0:24:55.230
they're the tasks relevant[br]to fax protocols,
0:24:55.230,0:24:56.940
we can leave everything else aside.
0:24:56.940,0:25:01.807
It will make our work much more easy. We[br]want to start doing that. But,
0:25:01.807,0:25:07.704
just a second before we do that. Looking[br]at this, we see something that looks not
0:25:07.704,0:25:13.286
really… I don't know, it doesn't make[br]sense a lot. This thing is Spidermonkey.
0:25:14.066,0:25:18.818
Every HP printer contains a Spidermonkey[br]library. I don't know if you know what
0:25:18.818,0:25:22.724
Spidermonkey is, but basically it's the[br]JavaScript implementation by Mozilla.
0:25:22.955,0:25:26.275
It's used in Firefox for example. And we[br]were thinking to ourselves:
0:25:26.275,0:25:30.487
Why does a printer need to render[br]JavaScript? It makes no sense.
0:25:30.487,0:25:34.893
I mean yeah, it has a web server, but it's[br]not a web client. We couldn't think of
0:25:34.893,0:25:37.955
any situation in which a printer needs to[br]render JavaScript.
0:25:37.955,0:25:43.402
It looked really strange to us. So we[br]decided to try and see where this printer
0:25:43.402,0:25:49.365
is actually using JavaScript, so we went[br]back a bit and checked and we found that
0:25:49.385,0:25:53.949
JavaScript is used in a feature called[br]PAC – Proxy Auto Configuration.
0:25:53.982,0:26:04.612
It's pretty common, it's a good protocol.[br]It defines proxies when you're doing DHCP
0:26:04.760,0:26:09.716
or something like that. The thing is that[br]the top layer functionality of this entire
0:26:09.716,0:26:15.408
PAC functionality was written by HP.[br]And when we were looking at that, we see
0:26:15.408,0:26:20.424
all this functionality, and we see this[br]strange thing here. The printer once it
0:26:20.424,0:26:23.519
does this PAC functionality, it tries to[br]connect to this domain:
0:26:23.519,0:26:26.846
fakeurl1234.com. Just connect to it and[br]do nothing with it.
0:26:26.846,0:26:31.378
Some sort of sanity test I guess? I don't[br]really know why.
0:26:31.378,0:26:39.386
But the interesting thing here is: Do you[br]know who owns the domain fakeurl1234.com?
0:26:39.386,0:26:42.115
Laughter mixed with murmur
0:26:42.115,0:26:42.908
No, it's not HP.
0:26:42.908,0:26:44.731
Murmur & responses from the audience
0:26:44.734,0:26:47.614
Ehh, Check Point is kinda… eh…, yeah.
0:26:48.886,0:26:49.595
I own it.
0:26:50.087,0:26:51.690
Laughter
0:26:51.690,0:26:53.080
Applause
0:26:53.080,0:26:58.290
It just wasn't registered.[br]So, we registered it for 5 Dollars.
0:26:58.290,0:27:02.115
And now every HP printer is connecting to[br]my domain. Chuckling
0:27:02.336,0:27:06.336
Laughter
0:27:06.496,0:27:09.899
Applause
0:27:09.899,0:27:13.319
So, if anybody wants to buy the domain, I[br]have a very good price for you:
0:27:13.319,0:27:14.560
More than 5 dollars.
0:27:14.560,0:27:18.808
And now I'll hand it over[br]to Eyal to continue.
0:27:19.363,0:27:23.394
Eyal Itkin: Okay, thank you Yaniv.[br]After we've finished messing around with
0:27:23.394,0:27:27.378
Spidermonkey, it's time to focus back on[br]fax, so T.30.
0:27:27.378,0:27:31.706
T.30 – in its full name it's[br]ITU-T recommendation T.30 – is a standard
0:27:31.706,0:27:37.521
that defines the fax protocol. Actually[br]it's a very very long PDF, more than
0:27:37.521,0:27:42.025
300 pages. It defines all the phases and[br]messages we need in order to send and
0:27:42.025,0:27:48.131
receive a fax document. It was first[br]defined very long ago, 1985, and was last
0:27:48.131,0:27:53.377
updated more than a decade ago. So from[br]our perspective that's a very good idea,
0:27:53.377,0:27:59.504
because we want to find vulnerabilities in[br]an old and complicated protocol.
0:27:59.504,0:28:04.439
We're most probably going to find some.[br]After we read through the standard we
0:28:04.439,0:28:12.358
started to dynamically look at it, opened[br]it in IDA and looked up the T.30 task.
0:28:12.358,0:28:17.798
And you can see that the state machine is[br]quite huge as you can see here in IDA, and
0:28:17.798,0:28:22.984
actually that's a small state machine.[br]Because most of the code blocks you can
0:28:22.984,0:28:27.309
see over here contain additional state[br]machines inside them. Meaning that this is
0:28:27.309,0:28:31.894
going to be a very very huge and[br]complicated state machine to reverse.
0:28:31.894,0:28:36.594
And if that wasn't enough it turns out[br]that HP really likes to use
0:28:36.594,0:28:40.388
function pointers and global variables in [br]their code. Meaning that statically
0:28:40.388,0:28:47.336
reverse-engineering this huge task is[br]going to be very complicated. Although I
0:28:47.336,0:28:52.266
personally prefer to statically[br]reverse-engineer, this time we had to
0:28:52.266,0:28:56.783
choose a different tactic, we'll need to[br]dynamically reverse-engineer this thing
0:28:56.783,0:29:00.463
and for this we'll need to have a[br]debugger.
0:29:00.463,0:29:06.235
As Yaniv mentioned earlier, nobody knows[br]how we can debug a printer.
0:29:06.235,0:29:11.976
We already tried built-in JTAG and [br]serial port and that failed.
0:29:11.976,0:29:16.084
We then searched for a built-in GDB stub we[br]could use,
0:29:16.084,0:29:18.964
but I couldn't find any such stub.
0:29:18.964,0:29:24.215
At this point it's very important to[br]remember that even if we could control the
0:29:24.215,0:29:29.432
execution flow, no-one can put a debugger[br]without controlling the execution flow,
0:29:29.432,0:29:34.760
and we can't do anything, it's a black[br]box, I can send papers and that's it.
0:29:35.330,0:29:40.948
And even if I could control the execution[br]flow and load my debugger, the printer
0:29:40.948,0:29:46.295
uses a hardware watchdog. And this is an[br]external hardware mechanism that monitors
0:29:46.295,0:29:51.566
the main CPU and whenever the main CPU[br]enters an endless loop or it halts,
0:29:51.566,0:29:59.140
the watchdog reboots the entire printer.[br]This means that since essentially a
0:29:59.140,0:30:02.904
breakpoint halts the program,
0:30:02.904,0:30:06.239
whenever we hit a breakpoint, [br]the watchdog will kill us.
0:30:06.239,0:30:11.086
So we need to find a way around this[br]thing, the easiest way we could find out
0:30:11.086,0:30:16.780
was to split this enormous task into[br]chunks, if we could find any code
0:30:16.780,0:30:21.785
execution vulnerability, we could try to[br]execute code over the printer and load our
0:30:21.785,0:30:27.066
own debugger. And at this stage we had[br]luck, and we believe that luck is an
0:30:27.066,0:30:35.058
important part in every research project.[br]On the 19th of July, SENRIO published a
0:30:35.058,0:30:37.538
vulnerability called "Devil's Ivy".
0:30:37.694,0:30:42.875
Devil's Ivy is a remote code execution in[br]gSOAP and many embedded devices (and our
0:30:42.875,0:30:47.334
printer included) tend to implement a web[br]server for management and configuration,
0:30:47.334,0:30:52.604
and in our case this web server uses[br]gSOAP, and it even uses a vulnerable
0:30:52.604,0:30:57.810
version of gSOAP, so we now have our[br]vulnerability, and we'll need to exploit
0:30:57.810,0:31:03.310
it. For those of you not familiar with[br]Devil's Ivy, here is the code.
0:31:03.737,0:31:05.495
And here is the vulnerability itself.
0:31:06.361,0:31:10.629
Devil's Ivy is a signed integer underflow[br]vulnerability,
0:31:10.629,0:31:13.199
meaning that we'll need to send
0:31:13.199,0:31:19.240
enough data for the variable to go from[br]negative back to positive. And that means
0:31:19.240,0:31:22.695
we need to send roughly 2 Gigabytes of[br]data to the printer.
0:31:23.446,0:31:26.870
So HP really prides itself on the printing[br]speed of the printer,
0:31:26.870,0:31:28.817
but not on the network speed.
0:31:30.355,0:31:35.382
After many optimization rounds we managed[br]to reduce the exploit time to roughly
0:31:35.382,0:31:43.419
7 minutes. So you start the exploit, you[br]wait, and after 7 minutes you have
0:31:43.419,0:31:50.761
your exploit. And here our good luck[br]ended, because we had a side effect in our
0:31:50.761,0:31:57.216
exploit, and after two to ten minutes the[br]printer will crash. And this means we will
0:31:57.216,0:32:02.600
need to wait an additional 7 minutes, [br]we'll have 2 minutes to debug it,
0:32:02.600,0:32:08.518
and then it will crash again. So we [br]waited a lot of 7 minutes in our research.
0:32:08.518,0:32:10.539
Laughter
0:32:10.539,0:32:15.793
If you recall, we wanted a debugger so we[br]could dynamically reverse-engineer the
0:32:15.793,0:32:20.240
firmware. We wanted to read memory and write[br]memory, and now we have a debugging
0:32:20.240,0:32:25.179
vulnerability, so we can load a debugger,[br]we need to execute this debugger, so
0:32:25.179,0:32:28.930
we'll need executing permissions[br]to load it.
0:32:28.930,0:32:30.638
The most important thing is that we need
0:32:30.638,0:32:35.391
to execute our debugger without crashing[br]the firmware. Because we want the debugger
0:32:35.391,0:32:41.159
to run and the firmware to debug and we[br]want them to blend inside the
0:32:41.159,0:32:44.808
virtual address space of the printer,[br]living happily together.
0:32:44.808,0:32:52.163
We couldn't find any debugger that achieves[br]this goal, so I did what my mother usually
0:32:52.163,0:32:56.597
tells me not to do, we actually wrote our[br]own debugger.
0:32:58.089,0:33:02.492
So this is Scout. Scout is an instruction[br]based debugger that supports Intel CPUs
0:33:02.492,0:33:07.309
and ARM CPUs, because we have an ARM[br]printer. As a prototype we had a Linux
0:33:07.309,0:33:11.489
kernel driver, and this time we're going[br]to use it in its embedded mode.
0:33:12.062,0:33:15.672
In embedded mode we compile it to be fully[br]positioned in the unintelligible,
0:33:15.672,0:33:19.607
because we essentially throw it somewhere[br]inside the firmware and expect it to
0:33:19.607,0:33:25.230
execute. We pre-equip it with useful[br]addresses like:
0:33:25.230,0:33:29.339
memcpy, socket, bind, listen, we[br]find using IDA.
0:33:29.339,0:33:33.330
And whenever it tries to [br]call these functions it goes to its
0:33:33.330,0:33:35.827
own GAT, finds the address and
0:33:35.827,0:33:38.292
jumps to it.
0:33:38.292,0:33:45.137
After we compile it, we use it in our[br]exploit, we jump into this blob, and it
0:33:45.137,0:33:49.354
starts up a TCP server, we can now connect[br]to it to send instructions to
0:33:49.354,0:33:52.651
read memory, to write memory, [br]and whatever we want.
0:33:53.588,0:33:59.219
You can find Scout in our GitHub, with the[br]examples for Linux kernel driver and
0:33:59.219,0:34:02.791
embedded mode. And we're actually using it[br]for some CVEs now,
0:34:02.791,0:34:06.913
so it's highly recommended.
0:34:06.913,0:34:09.487
Now that we reach this point in our talk,
0:34:09.487,0:34:14.813
we haven't yet described to you how a fax[br]actually works, so with Scout we
0:34:14.813,0:34:18.252
dynamically reverse-engineered the[br]firmware, and now we can actually
0:34:18.252,0:34:24.669
describe to you how a fax actually works.[br]In order to send a fax, we need a sending
0:34:24.669,0:34:29.688
machine, we need to send it to some modem,[br]the packets from the modem will be
0:34:29.688,0:34:35.266
processed in the CPU, and afterwards, the[br]data is going to be processed and probably
0:34:35.266,0:34:42.021
printed. Let's see how it starts. We start[br]with network interaction,
0:34:42.021,0:34:48.402
probing and ranging, equalizer and echo[br]cancelling, more training,
0:34:48.402,0:34:51.738
and you actually need to be quite familiar[br]with these steps,
0:34:51.738,0:34:53.314
because they sound like this:
0:34:53.314,0:34:55.333
repetitive fax modem sounds
0:34:56.017,0:35:01.298
With these beeps, we actually created an[br]HDLC tunnel. Through this tunnel, we're
0:35:01.298,0:35:07.882
going to send our T.30 messages, to[br]the CPU. In T.30 you have phase A,
0:35:07.882,0:35:12.784
in which we send the caller ID, which is[br]a string. In phase B you negotiate the
0:35:12.784,0:35:16.996
capabilities, so I send my capabilities[br]and receive the printer's capabilities.
0:35:17.726,0:35:21.730
Phase C is the important step because here[br]we actually send our fax data,
0:35:21.730,0:35:26.971
line after line, and page after page.[br]And in phase D, we finish. I send an ACK,
0:35:26.971,0:35:31.520
I receive an ACK, and that's it.[br]Let us now see how a normal black/white
0:35:31.520,0:35:36.161
fax document is going to be sent through[br]the protocol. So we have our document,
0:35:36.161,0:35:41.426
it's going to be sent over the HDLC tunnel[br]using T.30 messages, over phase C, and the
0:35:41.426,0:35:46.686
receive document is actually the body of a[br]TIFF file compressed in G.3 or G.4
0:35:46.686,0:35:52.370
compressions. From our perspective, that's[br]partial good news, because there are
0:35:52.370,0:35:56.867
many vulnerabilities when parsing TIFF[br]headers, and we only control the data
0:35:56.867,0:36:01.116
of the file. The headers themselves are[br]going to be constructed by the printer
0:36:01.116,0:36:03.899
itself, using messages from phase A[br]and phase D.
0:36:03.899,0:36:11.255
So, we partially control a TIFF file and[br]after it's done and ready, the file
0:36:11.255,0:36:17.143
is going to be printed. Like every good[br]protocol – and here it becomes very
0:36:17.143,0:36:22.785
interesting – T.30 has many extensions.[br]Can you guess what interesting extensions
0:36:22.785,0:36:24.293
there are in the protocol?
0:36:27.510,0:36:31.640
There's a security extension, but no-one[br]uses it, the other extension…
0:36:31.750,0:36:33.740
is…
0:36:33.740,0:36:34.597
Color Extension!
0:36:34.822,0:36:36.955
Actually you can send colorful faxes and
0:36:36.955,0:36:39.902
they really use it in hospitals [br]for some reason
0:36:41.670,0:36:44.362
Let's see how colorful fax works.
0:36:44.362,0:36:47.440
We send a document through [br]the HDLC tunnel,
0:36:47.440,0:36:53.836
over phase C, and the received document is[br]actually a JPEG file. This time we control
0:36:53.836,0:36:58.587
the header and the data of the file, and[br]we can do whatever we want to it,
0:36:58.587,0:37:00.476
and send it for printing.
0:37:00.476,0:37:02.806
Now that we know how a fax[br]actually works,
0:37:02.806,0:37:05.125
where should we look for [br]vulnerabilities in it?
0:37:05.125,0:37:10.036
Well, we have complicated state machines, [br]withstand strings, there are
0:37:10.036,0:37:13.518
several file layers, but the most[br]convenient layer is the applicative one,
0:37:13.518,0:37:17.452
and most importantly, JPEG, because we[br]control the entire file.
0:37:18.461,0:37:22.802
If we look at a JPEG file, it mainly[br]consists of markers, we have a
0:37:22.802,0:37:26.165
start marker, application marker with[br]length and data, more markers with length
0:37:26.165,0:37:29.367
and data, and so on and so on.
0:37:29.367,0:37:35.504
If we zoom in on one such marker, we can[br]see that in this marker we have a
0:37:35.504,0:37:41.368
compression table, a 4x4 compression[br]matrix for the exact document we send, we
0:37:41.368,0:37:45.510
have a header, length field, 4x4 matrix,[br]and the data itself.
0:37:46.383,0:37:52.667
If you zoom in a bit deeper, we can see[br]that here we get a matrix, we sum up all
0:37:52.667,0:37:56.656
of the values. This matrix should be[br]rather sparse, with zeroes, ones,
0:37:56.656,0:38:00.183
and twos. The accumulated value is going[br]to be our length field,
0:38:00.183,0:38:04.882
in this case 6 bytes, and 6 bytes are[br]going to be copied from the data to
0:38:04.882,0:38:08.582
a local, small, stack buffer.[br]Like this.
0:38:09.175,0:38:12.969
So if you consider vulnerabilities, at[br]this point we were like "What The Fax?!"
0:38:13.352,0:38:18.078
because that doesn't make sense. We[br]control the entire header. If you put huge
0:38:18.078,0:38:23.503
values in our matrix, like so, we have a[br]4 kilobyte length field copied into
0:38:23.503,0:38:29.232
a stack buffer of 256 bytes, effectively[br]having a stack-based buffer overflow in
0:38:29.232,0:38:30.909
our printer.
0:38:34.018,0:38:38.020
It's a trivial stack buffer overflow, we[br]have no byte constraints, we can use
0:38:38.040,0:38:43.773
whatever we want, null bytes, non-ASCII[br]bytes, whatever we want. And 4 kilobytes
0:38:43.773,0:38:49.429
user-controlled data, that's more than enough[br]to exploit. At this point we had to bypass
0:38:49.625,0:38:53.946
several operating system security[br]mitigations… Nah, not exactly.
0:38:53.946,0:38:55.441
Laughter
0:38:55.441,0:39:00.395
It's an …, fixed address spaces, no[br]canaries, it's the eighties, it's really
0:39:00.395,0:39:06.147
simple. We've got the CVEs from HP,[br]9.10 critical, you should really patch
0:39:06.147,0:39:11.339
your printers now. And here you can see[br]the response we have seen from HP after
0:39:11.339,0:39:14.463
we've worked with them to patch these[br]vulnerabilities,
0:39:14.463,0:39:17.392
which is a good time for our demo!
0:39:20.505,0:39:24.044
Yaniv Balmas: Unfortunately we couldn't[br]really live-demo, so we just filmed
0:39:24.044,0:39:27.530
something for you. So, this is our[br]attacker machine, all you need to do is
0:39:27.530,0:39:31.150
run this script, it's connected to a modem[br]that we bought for like 10 dollars
0:39:31.150,0:39:38.270
from Amazon. We're sending our malicious[br]fax to this printer, and… yeah.
0:39:38.270,0:39:42.554
Incoming call… from who?
0:39:45.000,0:39:46.000
Wait just a second.
0:39:46.778,0:39:49.459
Eyal Itkin: Faxes are slow.[br]Yaniv Balmas: Yeah, they are.
0:39:49.996,0:39:54.587
Yaniv Balmas: So, from an evil attacker of[br]course, we forged this easily. And now,
0:39:54.587,0:40:00.298
the printer is receiving the fax, and[br]processing it, and now it's obviously a
0:40:00.298,0:40:04.729
colorful fax, and now we have full control[br]over the printer, so it's ours.
0:40:05.795,0:40:09.654
But that's not enough! Because we want to[br]show that we can propagate to another
0:40:09.654,0:40:16.077
computer, so our malicious fax, contained[br]EternalBlue in it, so once any computer is
0:40:16.077,0:40:20.746
connected to the network, the fax now will[br]recognize it, and will try to exploit it,
0:40:20.746,0:40:22.672
and here you go!
0:40:22.893,0:40:31.482
Laughter & Applause
0:40:31.743,0:40:36.318
So yeah, we made it after all.[br]It was a long way.
0:40:36.482,0:40:40.645
Some conclusions we have to tell you:[br]First, PSTN seems to still be
0:40:40.645,0:40:45.487
a valid attack surface in 2018. Fax can[br]be used as a gateway to internal networks,
0:40:45.487,0:40:49.680
and old and outdated protocols… probably[br]not so good for you, try not to use them
0:40:49.680,0:40:54.260
if you can. What can you do to defend[br]yourself against this catastrophe?
0:40:54.407,0:40:57.953
A lot of things. First of all, you can[br]patch your printers, as Eyal said,
0:40:57.953,0:41:03.193
this link will just tell you if your[br]printer is vulnerable, by the way, every
0:41:03.193,0:41:08.497
HP Inkjet (or HP Officejet) printer is[br]vulnerable to this thing, it's the biggest
0:41:08.497,0:41:11.364
line of printers from HP, over – I think –[br]200 or …
0:41:11.364,0:41:13.949
Eyal Itkin: 300[br]Yaniv Balmas: … 300 models are vulnerable
0:41:13.949,0:41:19.447
to this thing, so really go and update![br]Another thing I could tell you is:
0:41:19.447,0:41:25.282
If you don't need fax, don't use it.[br]Also, if you do need to use fax after all,
0:41:25.282,0:41:29.997
try and make sure your printer is[br]segregated from the rest of the network,
0:41:29.997,0:41:33.576
so even if somebody takes over the[br]printer, he will just be confined to the
0:41:33.576,0:41:38.988
printers, and won't be able to take over[br]your entire network. These are really good
0:41:38.988,0:41:41.565
suggestions, all of them, but really,
0:41:41.565,0:41:43.864
the best suggestion[br]I have to give you today is:
0:41:43.874,0:41:46.373
Please![br]Stop using fax!
0:41:46.604,0:41:47.923
Laughter
0:41:47.923,0:41:52.112
Applause
0:41:52.775,0:41:53.916
Thank you, thank you!
0:41:53.916,0:41:59.569
And, just one second before we finish,[br]this was a long way, a long journey.
0:41:59.569,0:42:04.162
We had some very good friends that helped[br]us a lot along the way,
0:42:04.162,0:42:06.022
physically, mentally, technically,
0:42:06.022,0:42:10.795
so we must mention them.[br]These are the guys here. Some of them are
0:42:10.795,0:42:13.837
in the crowd, so they deserve some claps.
0:42:13.998,0:42:16.246
applause
0:42:16.246,0:42:21.574
One special guy that helped us is[br]Yannay Livneh, he also deserves this, and…
0:42:21.574,0:42:25.997
… that's it basically, guys![br]So if you want to follow more of our work,
0:42:25.997,0:42:30.386
you can find us here. Follow us.[br]Thank you very much!
0:42:30.386,0:42:41.670
Applause
0:42:41.670,0:42:45.097
Herald Angel: Thank you very much.[br]We have 5 minutes for Q&A.
0:42:45.097,0:42:48.082
So please line up at the microphones.[br]If you want to leave now,
0:42:48.082,0:42:52.710
please do it to your right side, so this[br]side. From the stage it's the left side,
0:42:52.710,0:42:56.944
but for you it's the right side.[br]So please line up at the microphones.
0:42:56.944,0:43:05.679
I think I can see microphone 4 already,[br]so we'll start with microphone 4.
0:43:06.780,0:43:12.611
Question: First, thank you for this talk.[br]It's scary to see that these can be
0:43:12.611,0:43:18.762
exploited today. You talked about[br]email-to-fax or fax-to-email services,
0:43:18.762,0:43:26.371
and I wondered: Is it possible that there[br]are vulnerabilities in those as well?
0:43:26.371,0:43:33.615
I know Fritz!Box routers allow[br]fax-to-email, could you attack those,
0:43:33.615,0:43:34.561
possibly?
0:43:35.353,0:43:39.995
Yaniv Balmas: So basically, those services[br]use T.30 as well. We didn't look at them,
0:43:39.995,0:43:44.360
frankly. We had so much work to do with[br]the printer, that we didn't look at any
0:43:44.360,0:43:50.793
other printers, or any other services.[br]I can't say for sure, but if you're
0:43:50.793,0:43:54.481
looking for vulnerabilities, I would[br]recommend to go look there as well.
0:43:56.127,0:43:58.194
Herald Angel: Great, microphone number 5[br]please.
0:43:59.395,0:44:04.213
Question: What can you disclose about the[br]data that's hitting your URL?
0:44:05.425,0:44:06.252
Yaniv Balmas: The…? Uh!
0:44:06.473,0:44:10.188
Question: What can you disclose about the[br]machines that are knocking on your URL,
0:44:10.188,0:44:12.652
the fakeurl1234.
0:44:13.056,0:44:15.058
Yaniv Balmas: There are a lot of HP printers[br]out there.
0:44:15.058,0:44:17.243
Laughter
0:44:17.461,0:44:23.277
That's all I can disclose. Sorry.
0:44:25.842,0:44:27.626
Herald Angel: We have one question from[br]the Signal Angel, please.
0:44:28.771,0:44:33.295
Signal Angel: Did you try to activate JTAG[br]by upgrading to a modified firmware?
0:44:33.295,0:44:38.677
Eyal Itkin: We tried to use the JTAG, we[br]think it's disabled from the factory
0:44:38.677,0:44:45.014
lines, it was too much work. So we decided[br]to use Devil's Ivy, it's a good
0:44:45.014,0:44:50.305
vulnerability. Once we have Devil's Ivy[br]and we can use Scout, Scout is more than
0:44:50.305,0:44:51.412
enough for debugging.
0:44:52.503,0:44:59.159
Essentially, after we used the JPEG[br]vulnerability and we loaded up Scout,
0:44:59.159,0:45:03.143
Scout survived for weeks on a printer[br]without any crash.
0:45:03.693,0:45:05.010
So that's more than enough.
0:45:06.735,0:45:09.636
Herald Angel: Great, we'll go with[br]microphone number 2 please.
0:45:09.636,0:45:13.490
Question: Yes, thank you for the nice[br]talk, and I think you're completely right
0:45:13.490,0:45:19.048
you can have many problems with legacy[br]protocols, the only thing I do not really
0:45:19.048,0:45:25.526
get was the part how you then can[br]automatically successfully attack your
0:45:25.526,0:45:31.577
laptop on the network. My point would be:[br]My laptop is as secured as I'm going to
0:45:31.577,0:45:35.768
the internet cafe or something else, so[br]you would not be able – with your HP
0:45:35.768,0:45:40.228
printer – to start the calculator on my[br]Linux or even on my Windows.
0:45:41.502,0:45:46.891
Yaniv Balmas: Your laptop might be secure,[br]I'm sure it is, but many others are not.
0:45:46.891,0:45:52.440
We tried to show it using the EternalBlue[br]exploit, as you know, WannaCry, stuff like
0:45:52.440,0:45:56.183
that. This thing created a lot of…[br]– and there were patches out there –
0:45:56.183,0:46:01.840
…and still it was… So… we're not here to[br]attack anyone. We're just saying that
0:46:01.840,0:46:05.186
theoretically, if somebody wants to get[br]into the network and he has a
0:46:05.186,0:46:08.894
vulnerability that you may have not[br]patched or secured, fax would be a bad
0:46:08.894,0:46:10.134
idea to have.
0:46:10.834,0:46:14.442
Question: But it was nothing which was[br]part of the printer…
0:46:14.442,0:46:20.551
Herald Angel: Sorry, unfortunately we do[br]not have more time for Q&A, so thank you
0:46:20.551,0:46:22.748
again very much.
0:46:22.994,0:46:24.192
Yaniv Balmas: Thank you!
0:46:24.513,0:46:32.694
Applause
0:46:32.694,0:46:36.764
Music
0:46:36.764,0:46:55.000
subtitles created by c3subtitles.de[br]in the year 2019. Join, and help us!