[Script Info]
Title:
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:19.26,Default,,0000,0000,0000,,{\i1}35C3 preroll music{\i0}
Dialogue: 0,0:00:19.26,0:00:30.39,Default,,0000,0000,0000,,Herald Angel: So… Yaniv Balmas is a\Nsoftware engineer and he started tinkering
Dialogue: 0,0:00:30.39,0:00:35.56,Default,,0000,0000,0000,,with Commodore's C64 when he was 8\Nyears old.
Dialogue: 0,0:00:35.56,0:00:38.84,Default,,0000,0000,0000,,He was kind of a teenage hacker of games as well.
Dialogue: 0,0:00:38.84,0:00:43.50,Default,,0000,0000,0000,,And now he's in the security field and he\Ngot interested in the fax machine
Dialogue: 0,0:00:43.50,0:00:51.76,Default,,0000,0000,0000,,together with his friend Eyal Itkin, who\Nis also a security guy and malware researcher.
Dialogue: 0,0:00:51.76,0:00:57.37,Default,,0000,0000,0000,,And together they're going to tell us\Nabout the fax machines and What The Fax?!
Dialogue: 0,0:00:57.37,0:01:00.91,Default,,0000,0000,0000,,Why are people still using those machines?
Dialogue: 0,0:01:00.91,0:01:03.80,Default,,0000,0000,0000,,And it's gonna be really interesting I think.
Dialogue: 0,0:01:03.80,0:01:08.28,Default,,0000,0000,0000,,And the title is also\N"Hacking your network like it's 1980 again"
Dialogue: 0,0:01:08.28,0:01:12.31,Default,,0000,0000,0000,,I'm really excited. Please give a warm\Nround of applause to those two guys.
Dialogue: 0,0:01:12.31,0:01:15.55,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:01:15.55,0:01:25.16,Default,,0000,0000,0000,,{\i1}fax modem sounds{\i0}
Dialogue: 0,0:01:31.26,0:01:35.57,Default,,0000,0000,0000,,Yaniv: Thank you, thank you guys.\NHi, CCC!
Dialogue: 0,0:01:35.57,0:01:39.28,Default,,0000,0000,0000,,You probably know this sound, right?\NAnd now get to know us:
Dialogue: 0,0:01:39.28,0:01:44.55,Default,,0000,0000,0000,,My name is Yaniv Balmas, I'm a security\Nresearcher. I work at Check Point Research,
Dialogue: 0,0:01:44.55,0:01:50.17,Default,,0000,0000,0000,,and with me here today is Eyal Itkin, also a\Nsecurity researcher, also works at
Dialogue: 0,0:01:50.17,0:01:55.27,Default,,0000,0000,0000,,Check Point Research, and let's begin\Nwith talking a bit about the history of fax.
Dialogue: 0,0:01:55.27,0:01:59.13,Default,,0000,0000,0000,,So I guess that not many of you know\Nthat fax started,
Dialogue: 0,0:01:59.13,0:02:03.74,Default,,0000,0000,0000,,it was first invented in 1846 by a scientist\Ncalled Alexander Bain.
Dialogue: 0,0:02:03.74,0:02:09.48,Default,,0000,0000,0000,,Fun fact, this happened 20 years before\Nthe invention of the light bulb.
Dialogue: 0,0:02:09.48,0:02:14.06,Default,,0000,0000,0000,,And then it had some more advances to it,\Nthis is the actual first thing that looked
Dialogue: 0,0:02:14.06,0:02:16.58,Default,,0000,0000,0000,,like a fax machine, a standard fax machine.
Dialogue: 0,0:02:16.58,0:02:20.71,Default,,0000,0000,0000,,And again, this thing was invented 20\Nyears before the invention of the telephone.
Dialogue: 0,0:02:20.71,0:02:25.29,Default,,0000,0000,0000,,So humanity was sending faxes before we\Nhad light or talked over the phone.
Dialogue: 0,0:02:25.29,0:02:29.95,Default,,0000,0000,0000,,And then there was some more\Nadvancements like radio fax,
Dialogue: 0,0:02:29.95,0:02:34.89,Default,,0000,0000,0000,,and another important point in time is\N1966, where a small unknown company
Dialogue: 0,0:02:34.89,0:02:40.00,Default,,0000,0000,0000,,called Xerox invented – came out with the\Nfirst commercial fax machine.
Dialogue: 0,0:02:40.00,0:02:42.99,Default,,0000,0000,0000,,This is the advertisement for it.
Dialogue: 0,0:02:42.99,0:02:49.80,Default,,0000,0000,0000,,And in 1980 a strange organization\Ncalled ITU defined the core standards for fax.
Dialogue: 0,0:02:49.80,0:02:56.23,Default,,0000,0000,0000,,Namely it's T.30, T.4, T.6, and those\Nstandards are still the same standards
Dialogue: 0,0:02:56.23,0:03:00.30,Default,,0000,0000,0000,,that we use today – basically, with just\Nminor changes to them.
Dialogue: 0,0:03:00.30,0:03:05.06,Default,,0000,0000,0000,,So this was all in the past.\NBut what's happening today?
Dialogue: 0,0:03:05.06,0:03:09.51,Default,,0000,0000,0000,,I mean today we have far better ways\Nto send electronic documents
Dialogue: 0,0:03:09.51,0:03:11.54,Default,,0000,0000,0000,,from one to the other, right?
Dialogue: 0,0:03:11.54,0:03:14.88,Default,,0000,0000,0000,,You know, let's compare fax to just, I dunno,\Noff the top of my head
Dialogue: 0,0:03:14.88,0:03:21.70,Default,,0000,0000,0000,,just, you know, one method like, let's say, email.\NAnd just to, you know, remind you.
Dialogue: 0,0:03:21.70,0:03:27.76,Default,,0000,0000,0000,,We are comparing this… to this, okay?\NSo… let's look at some of the features here.
Dialogue: 0,0:03:27.76,0:03:36.43,Default,,0000,0000,0000,,In terms of quality, in terms of accessibility,\NI'm pretty sure that all of you here
Dialogue: 0,0:03:36.43,0:03:43.42,Default,,0000,0000,0000,,have 24/7 access to emails. Not so sure\Nyou're carrying around your fax machines with you.
Dialogue: 0,0:03:43.42,0:03:48.68,Default,,0000,0000,0000,,In terms of reliability, well, when you\Nsend a fax, you don't really know
Dialogue: 0,0:03:48.68,0:03:52.98,Default,,0000,0000,0000,,if it got received or not. Yes, there is\Nthis strange confirmation page,
Dialogue: 0,0:03:52.98,0:03:55.91,Default,,0000,0000,0000,,but it doesn't really mean anything.\NI mean, if there's no paper in the
Dialogue: 0,0:03:55.91,0:04:01.81,Default,,0000,0000,0000,,receiving fax, you still get it. If the\Ndog ate it, you still get it.
Dialogue: 0,0:04:01.81,0:04:08.90,Default,,0000,0000,0000,,There's absolutely no reliability in fax.\NRegarding authenticity, well, we can argue
Dialogue: 0,0:04:08.90,0:04:12.64,Default,,0000,0000,0000,,about emails, if it's authenticated or\Nnot, it could be forged, of course.
Dialogue: 0,0:04:12.64,0:04:16.45,Default,,0000,0000,0000,,But we do have public key cryptography\Nand stuff like that, that will help us
Dialogue: 0,0:04:16.45,0:04:21.84,Default,,0000,0000,0000,,when talking about emails, while we don't have…\Nwe don't have anything when it comes to fax.
Dialogue: 0,0:04:21.84,0:04:26.49,Default,,0000,0000,0000,,Absolutely no authenticity. So, if we're\Nlooking at this table, one might think to
Dialogue: 0,0:04:26.49,0:04:31.31,Default,,0000,0000,0000,,himself: Okay, so… Who the hell still\Nuses fax today? It's 2018.
Dialogue: 0,0:04:31.31,0:04:37.28,Default,,0000,0000,0000,,I mean, it deserves a place in the museum\Nof great technologies and that's it.
Dialogue: 0,0:04:37.28,0:04:40.14,Default,,0000,0000,0000,,So, nobody is using fax today, right?
Dialogue: 0,0:04:40.23,0:04:41.80,Default,,0000,0000,0000,,Wrong.
Dialogue: 0,0:04:41.86,0:04:44.93,Default,,0000,0000,0000,,Everybody is using fax today.
Dialogue: 0,0:04:44.93,0:04:52.32,Default,,0000,0000,0000,,You see, fax is used to send these very\Ncritical maritime maps to ships at open seas.
Dialogue: 0,0:04:52.32,0:04:57.92,Default,,0000,0000,0000,,90% of the Japanese population uses fax –\Naccording to Wikipedia at least.
Dialogue: 0,0:04:57.92,0:05:02.96,Default,,0000,0000,0000,,And if you google any kind of combos like\N"contact us" and "fax" or stuff like that,
Dialogue: 0,0:05:02.96,0:05:08.38,Default,,0000,0000,0000,,you will come up with something like\N300 million results. 300 million published
Dialogue: 0,0:05:08.38,0:05:13.01,Default,,0000,0000,0000,,fax numbers in Google. And that's not\Ncounting the unpublished numbers.
Dialogue: 0,0:05:13.01,0:05:17.98,Default,,0000,0000,0000,,That's a huge amount of numbers. But it's\Nnot all about numbers. It's not "how many
Dialogue: 0,0:05:17.98,0:05:22.13,Default,,0000,0000,0000,,fax machines are out there?", but it's\Nalso "Who is using fax?"
Dialogue: 0,0:05:22.13,0:05:25.96,Default,,0000,0000,0000,,You see, if you're a small corporation, a\Nmedium corporation, a huge corporation,
Dialogue: 0,0:05:25.96,0:05:30.34,Default,,0000,0000,0000,,you have fax. Not necessarily anybody is\Nsending fax to this number, but there is a
Dialogue: 0,0:05:30.34,0:05:35.61,Default,,0000,0000,0000,,fax machine sitting there waiting for a\Nfax to be received. If you're a bank,
Dialogue: 0,0:05:35.61,0:05:41.21,Default,,0000,0000,0000,,you simply love faxes. This is\NBank of China, the biggest bank in the
Dialogue: 0,0:05:41.21,0:05:47.13,Default,,0000,0000,0000,,world, and that's the fax number of it.\NI think most importantly, if you're a
Dialogue: 0,0:05:47.13,0:05:49.70,Default,,0000,0000,0000,,government organization… you…\N{\i1}laughter{\i0}
Dialogue: 0,0:05:49.70,0:05:53.36,Default,,0000,0000,0000,,… simply wake up in the morning and you\Nwant to have more fax. This is
Dialogue: 0,0:05:53.36,0:05:56.98,Default,,0000,0000,0000,,Donald Trump's fax number if anybody wants\Nto send him a fax. Go ahead.
Dialogue: 0,0:05:56.98,0:06:02.98,Default,,0000,0000,0000,,That's it. It's not a secret, it's from\NGoogle… We should send him something
Dialogue: 0,0:06:02.98,0:06:10.02,Default,,0000,0000,0000,,by the way. And the thing is that, you know, those\Nbanks and government institutions, they
Dialogue: 0,0:06:10.02,0:06:14.84,Default,,0000,0000,0000,,don't only support fax, allow you to send\Nfax, the funny thing is that actually most
Dialogue: 0,0:06:14.84,0:06:18.73,Default,,0000,0000,0000,,of the time, it's mandatory to send fax,\Nthere is no other way. You can either
Dialogue: 0,0:06:18.73,0:06:22.47,Default,,0000,0000,0000,,postal mail it, or fax it. They didn't\Nhear about anything else.
Dialogue: 0,0:06:22.47,0:06:26.43,Default,,0000,0000,0000,,So we looked at this state of affairs,\Nstrange state of affairs,
Dialogue: 0,0:06:26.43,0:06:31.06,Default,,0000,0000,0000,,and said to ourselves: "This looks\Nstrange". I mean, it can't be true.
Dialogue: 0,0:06:31.06,0:06:35.84,Default,,0000,0000,0000,,Humanity came so far and we're still using\Nthese old technologies, so…
Dialogue: 0,0:06:35.84,0:06:38.57,Default,,0000,0000,0000,,What The Fax?!
Dialogue: 0,0:06:38.57,0:06:43.37,Default,,0000,0000,0000,,And we decided to try to do something\Nabout it. And we started very long
Dialogue: 0,0:06:43.37,0:06:50.22,Default,,0000,0000,0000,,research to try and find some security\Nvulnerabilities in fax. And before we do
Dialogue: 0,0:06:50.22,0:06:56.70,Default,,0000,0000,0000,,that, we need to explain what fax looks\Nlike today. You see, today fax doesn't
Dialogue: 0,0:06:56.70,0:07:01.89,Default,,0000,0000,0000,,look like it looked 20 or 30 years ago.\NThen, it was just standalone fax machines.
Dialogue: 0,0:07:01.89,0:07:02.62,Default,,0000,0000,0000,,Right?
Dialogue: 0,0:07:02.62,0:07:08.38,Default,,0000,0000,0000,,Today, fax is mostly old technology\Nembedded within newer technology.
Dialogue: 0,0:07:08.38,0:07:16.03,Default,,0000,0000,0000,,So, we have fax to email services or email\Nto fax services, we have as I said before,
Dialogue: 0,0:07:16.03,0:07:22.24,Default,,0000,0000,0000,,radio fax and fax over satellite and stuff\Nlike that. I think most commonly, we have
Dialogue: 0,0:07:22.24,0:07:28.72,Default,,0000,0000,0000,,this. These machines. All-in-one printers.\NYou buy them, they scan, they print.
Dialogue: 0,0:07:28.72,0:07:32.52,Default,,0000,0000,0000,,And they fax. It actually comes with a\Nphone cable out of the box, so you can
Dialogue: 0,0:07:32.52,0:07:37.34,Default,,0000,0000,0000,,connec… I guess most people connect it?\NI also think that is the most common
Dialogue: 0,0:07:37.34,0:07:41.84,Default,,0000,0000,0000,,faxing solution today. So we decided to\Ntake a look at these machines.
Dialogue: 0,0:07:41.84,0:07:47.41,Default,,0000,0000,0000,,These fax machines.\NIf you look at these boxes
Dialogue: 0,0:07:47.41,0:07:52.25,Default,,0000,0000,0000,,from a security point of view you can\Nimagine them to be just black boxes.
Dialogue: 0,0:07:52.25,0:07:56.46,Default,,0000,0000,0000,,And those black boxes have interfaces.\NOn one side of the box we have interfaces
Dialogue: 0,0:07:56.46,0:08:02.02,Default,,0000,0000,0000,,like WiFi, bluetooth, ethernet, stuff like\Nthat, these interfaces connect the printer
Dialogue: 0,0:08:02.02,0:08:05.75,Default,,0000,0000,0000,,to the internal network, the external\Nnetwork, basically it connects it to the
Dialogue: 0,0:08:05.81,0:08:11.53,Default,,0000,0000,0000,,world. And on the other side of this box,\Nthere's this little interface here that
Dialogue: 0,0:08:11.53,0:08:16.72,Default,,0000,0000,0000,,connects this black box to somewhere\Nin the 1970s I would say.
Dialogue: 0,0:08:16.72,0:08:18.40,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:08:18.40,0:08:19.99,Default,,0000,0000,0000,,So that's pretty funny.
Dialogue: 0,0:08:20.04,0:08:26.89,Default,,0000,0000,0000,,And if you remember, at the end of the day\Nthese printers are basically nothing but
Dialogue: 0,0:08:26.89,0:08:31.47,Default,,0000,0000,0000,,computers. They have CPUs, they have\Nmemories, they have operating systems,
Dialogue: 0,0:08:31.48,0:08:34.60,Default,,0000,0000,0000,,they are computers. Not standard ones,\Nbut they are computers.
Dialogue: 0,0:08:34.60,0:08:39.87,Default,,0000,0000,0000,,And we were thinking to ourselves, imagine\Nthis scenario: There's an attacker sitting
Dialogue: 0,0:08:39.87,0:08:45.33,Default,,0000,0000,0000,,somewhere in the world. All he has is\Naccess to a phone line and his target's fax
Dialogue: 0,0:08:45.33,0:08:50.37,Default,,0000,0000,0000,,number. What will happen if this attacker,\Nthis guy, would be able to send a
Dialogue: 0,0:08:50.37,0:08:55.44,Default,,0000,0000,0000,,malicious fax and with this malicious fax\Nhe would be able to exploit the printer.
Dialogue: 0,0:08:55.45,0:09:00.96,Default,,0000,0000,0000,,Then he has complete control over the\Nprinter, right? If he does that, he could
Dialogue: 0,0:09:00.98,0:09:07.20,Default,,0000,0000,0000,,then maybe pivot through any one of those\Nother interfaces, let's say the Ethernet
Dialogue: 0,0:09:07.20,0:09:12.23,Default,,0000,0000,0000,,and jump from this printer to the rest of\Nthe network, the internal network.
Dialogue: 0,0:09:12.23,0:09:16.78,Default,,0000,0000,0000,,Effectively creating a bridge between the\Nexternal world and the internal network
Dialogue: 0,0:09:16.78,0:09:20.09,Default,,0000,0000,0000,,through the phone line.\NThat's 1980s again!
Dialogue: 0,0:09:20.09,0:09:26.38,Default,,0000,0000,0000,,So we thought this is a really cool attack\Nscenario and we decided to accept this
Dialogue: 0,0:09:26.38,0:09:31.77,Default,,0000,0000,0000,,challenge and go for it. Try and actually\Nshow this thing happening in reality.
Dialogue: 0,0:09:31.77,0:09:37.28,Default,,0000,0000,0000,,We were really excited about this.\NBut then after we slept a bit and drank
Dialogue: 0,0:09:37.28,0:09:42.80,Default,,0000,0000,0000,,a bit, sat down and talked about it, we\Nkind of found out that there is like a lot
Dialogue: 0,0:09:42.80,0:09:47.92,Default,,0000,0000,0000,,of challenges, really hard challenges in\Nfront of us and we're not really sure how
Dialogue: 0,0:09:47.92,0:09:54.15,Default,,0000,0000,0000,,to deal with them. Let me name just a few\Nof them. One of the challenges is how do
Dialogue: 0,0:09:54.15,0:09:58.01,Default,,0000,0000,0000,,we obtain the firmware. The code that this\Nprinter runs. It's not like you have it
Dialogue: 0,0:09:58.01,0:10:02.57,Default,,0000,0000,0000,,everywhere. And after we get it, how do we\Nanalyze this firmware?
Dialogue: 0,0:10:02.57,0:10:03.78,Default,,0000,0000,0000,,After we analyze it,
Dialogue: 0,0:10:03.78,0:10:07.52,Default,,0000,0000,0000,,we need to understand what operating\Nsystem those printers are running.
Dialogue: 0,0:10:07.52,0:10:10.12,Default,,0000,0000,0000,,And then we need to understand how to\Ndebug a printer.
Dialogue: 0,0:10:10.12,0:10:11.79,Default,,0000,0000,0000,,I never debugged a printer before.
Dialogue: 0,0:10:11.79,0:10:15.10,Default,,0000,0000,0000,,I need to understand how to debug\Na printer. And after we do all that,
Dialogue: 0,0:10:15.10,0:10:20.03,Default,,0000,0000,0000,,we need to understand… How does fax even\Nwork? We only know the beeping sounds like
Dialogue: 0,0:10:20.03,0:10:25.82,Default,,0000,0000,0000,,most of us I think. And after we did all\Nthat, we can start talking about where can
Dialogue: 0,0:10:25.82,0:10:29.32,Default,,0000,0000,0000,,we find vulnerabilities inside this\Nbig, big, big ecosystem.
Dialogue: 0,0:10:29.32,0:10:33.72,Default,,0000,0000,0000,,And today, we'll try to take you through\Nthese challenges, one-by-one and explain
Dialogue: 0,0:10:33.72,0:10:38.16,Default,,0000,0000,0000,,how to do it until we'll be able to\Nactually do the scenario that we just
Dialogue: 0,0:10:38.16,0:10:43.63,Default,,0000,0000,0000,,showed you. So, let's start with the first\Nchallenge.
Dialogue: 0,0:10:43.63,0:10:49.28,Default,,0000,0000,0000,,How do we obtain the firmware\Nfor the printer?
Dialogue: 0,0:10:49.28,0:10:53.08,Default,,0000,0000,0000,,So, meet our nice printer.\NIt's an HP inkjet printer,
Dialogue: 0,0:10:53.08,0:10:59.24,Default,,0000,0000,0000,,an HP Officejet printer, we chose this\Nmodel, first of all we chose HP because
Dialogue: 0,0:10:59.24,0:11:03.73,Default,,0000,0000,0000,,it has like – I think – 40% of the market\Nshare so it's not that we dislike HP, we
Dialogue: 0,0:11:03.73,0:11:07.63,Default,,0000,0000,0000,,really like them, but unfortunately for\Nthem, they are just the biggest target out
Dialogue: 0,0:11:07.63,0:11:12.11,Default,,0000,0000,0000,,there. And this specific model, well we\Nhad a lot of reasons why we chose this
Dialogue: 0,0:11:12.11,0:11:16.80,Default,,0000,0000,0000,,printer. But basically it's the cheapest\None.
Dialogue: 0,0:11:16.80,0:11:19.27,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:11:19.27,0:11:23.03,Default,,0000,0000,0000,,We bought it. We didn't have a lot of\Nbudget. We bought it and we abused it for
Dialogue: 0,0:11:23.03,0:11:30.72,Default,,0000,0000,0000,,a lot of time. And our goal was to break\Nfax, but before we do that, we had to
Dialogue: 0,0:11:30.72,0:11:36.88,Default,,0000,0000,0000,,break the printer. I mean literally break\Nthe printer. So yeah, that was the fun
Dialogue: 0,0:11:36.88,0:11:42.32,Default,,0000,0000,0000,,part of the project, we broke it. And\Ninside the printer we find this thing:
Dialogue: 0,0:11:42.32,0:11:46.58,Default,,0000,0000,0000,,The main PCB, the brains behind the\Nprinter, and it looks like this.
Dialogue: 0,0:11:46.58,0:11:49.01,Default,,0000,0000,0000,,Let's map the critical components of it:
Dialogue: 0,0:11:49.01,0:11:53.84,Default,,0000,0000,0000,,So we have here: Flash ROM,\NSPANSION some model,
Dialogue: 0,0:11:53.84,0:11:59.13,Default,,0000,0000,0000,,and then we have some more memory here,\Nthis might look like not a lot, because
Dialogue: 0,0:11:59.13,0:12:04.59,Default,,0000,0000,0000,,the PCB has two sides to it of course,\Nand on the other side of it we have the
Dialogue: 0,0:12:04.59,0:12:08.00,Default,,0000,0000,0000,,more interesting components, like USB,\NWiFi, electricity, SRAM,
Dialogue: 0,0:12:08.00,0:12:13.46,Default,,0000,0000,0000,,battery – probably for the memory but who\Nknows – and now we have two very
Dialogue: 0,0:12:13.46,0:12:18.68,Default,,0000,0000,0000,,interesting components here. One of them\Nis the main CPU. It's a Marvell CPU, and
Dialogue: 0,0:12:18.68,0:12:23.53,Default,,0000,0000,0000,,it's proprietarily manufactured for HP.\NSo we can't tell anything about it,
Dialogue: 0,0:12:23.53,0:12:27.53,Default,,0000,0000,0000,,there's no available specs, nothing.\NWe can just find bits of information
Dialogue: 0,0:12:27.53,0:12:34.71,Default,,0000,0000,0000,,here and there. And then we have the fax\Nmodem. It's located here and it's a
Dialogue: 0,0:12:34.71,0:12:42.72,Default,,0000,0000,0000,,CSP1040. What we need to understand now is\Nhow do these two components operate and
Dialogue: 0,0:12:42.72,0:12:46.65,Default,,0000,0000,0000,,what is the relationship between them?\NIf we do that, we're one step further.
Dialogue: 0,0:12:46.65,0:12:53.18,Default,,0000,0000,0000,,So that's what we tried to do. And as I\Nsaid, the first challenge is to get the
Dialogue: 0,0:12:53.18,0:12:57.15,Default,,0000,0000,0000,,firmware of this thing. And when we're\Nlooking a bit closer into this PCB, we
Dialogue: 0,0:12:57.15,0:13:02.26,Default,,0000,0000,0000,,find these 2 very interesting interfaces:\NOne of them is a serial debug, the other
Dialogue: 0,0:13:02.26,0:13:08.15,Default,,0000,0000,0000,,is JTAG. If you're familiar with them, you\Nknow that they give you debugging
Dialogue: 0,0:13:08.15,0:13:11.95,Default,,0000,0000,0000,,capabilities, or at least memory read,\Nmemory write, exactly what we need to get
Dialogue: 0,0:13:11.95,0:13:15.44,Default,,0000,0000,0000,,the firmware. So we're smiling to\Nourselves saying "Haha, this is going to
Dialogue: 0,0:13:15.44,0:13:19.52,Default,,0000,0000,0000,,be really easy". But unfortunately it's\Nnot. Because the JTAG is, of course,
Dialogue: 0,0:13:19.52,0:13:24.75,Default,,0000,0000,0000,,disabled completely. We can't do anything\Nwith it. And the serial port, we managed
Dialogue: 0,0:13:24.75,0:13:30.23,Default,,0000,0000,0000,,to connect to it. And we get this terminal\Nthat for almost every instruction we type
Dialogue: 0,0:13:30.23,0:13:34.30,Default,,0000,0000,0000,,gives us this error: "I don't understand".\NWell, we don't understand either.
Dialogue: 0,0:13:34.30,0:13:35.80,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:13:36.10,0:13:40.39,Default,,0000,0000,0000,,But it looks like this terminal is not\Ngoing to get us very far. So we dropped
Dialogue: 0,0:13:40.39,0:13:45.43,Default,,0000,0000,0000,,this path and tried to look for other\Nways to get the firmware and obviously one
Dialogue: 0,0:13:45.43,0:13:52.96,Default,,0000,0000,0000,,of the most common ways is to try and grab\Nthe firmware upgrade and after looking a
Dialogue: 0,0:13:52.96,0:13:59.43,Default,,0000,0000,0000,,bit on the internet we find this jewel,\Nthis FTP site by HP that contains
Dialogue: 0,0:13:59.43,0:14:02.73,Default,,0000,0000,0000,,every firmware version for\Nevery HP product
Dialogue: 0,0:14:02.73,0:14:05.19,Default,,0000,0000,0000,,ever produced in the history\Nof HP and the Internet
Dialogue: 0,0:14:05.19,0:14:08.13,Default,,0000,0000,0000,,and a lot of other stuff.
Dialogue: 0,0:14:08.13,0:14:12.71,Default,,0000,0000,0000,,And it actually took us about, I think,\Ntwo weeks to find our firmware within
Dialogue: 0,0:14:12.71,0:14:12.96,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:14:12.96,0:14:18.20,Default,,0000,0000,0000,,… this mess of firmwares. But once we\Ndid,
Dialogue: 0,0:14:18.20,0:14:21.08,Default,,0000,0000,0000,,we had a firmware upgrade file.\N{\i1}Applause{\i0}
Dialogue: 0,0:14:21.08,0:14:24.97,Default,,0000,0000,0000,,Yes, thank you! It's still alive so you\Ncan go there and look for some… there's a
Dialogue: 0,0:14:24.97,0:14:29.10,Default,,0000,0000,0000,,lot of interesting stuff in there. And now\Nwe've got ourselves a file. And this file
Dialogue: 0,0:14:29.10,0:14:33.20,Default,,0000,0000,0000,,is the firmware upgrade file. It's not an\Nexecutable file, it's just a binary,
Dialogue: 0,0:14:33.20,0:14:36.40,Default,,0000,0000,0000,,and now we kinda need to understand…
Dialogue: 0,0:14:36.40,0:14:38.92,Default,,0000,0000,0000,,How do you even upgrade\Na printer firmware?
Dialogue: 0,0:14:38.92,0:14:42.79,Default,,0000,0000,0000,,I never did it before. Anybody did it?\NAnybody upgraded these firmwares? Lately?
Dialogue: 0,0:14:42.79,0:14:46.95,Default,,0000,0000,0000,,Ah, good. Good for you. Good for you.
Dialogue: 0,0:14:46.95,0:14:52.32,Default,,0000,0000,0000,,Anyway, the answer to this question is\Nsurprisingly… funny, I would say.
Dialogue: 0,0:14:52.32,0:14:54.17,Default,,0000,0000,0000,,You just print it.
Dialogue: 0,0:14:54.17,0:14:55.17,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:14:55.17,0:14:59.37,Default,,0000,0000,0000,,That's because, you see, a printer\Nreceives a firmware upgrade just the same
Dialogue: 0,0:14:59.37,0:15:04.16,Default,,0000,0000,0000,,way as it receives a normal print job.\NThat's the thing and it's actually pretty
Dialogue: 0,0:15:04.16,0:15:09.50,Default,,0000,0000,0000,,nice and it's defined in an HP protocol,\Nit's called PCL XL Feature Reference
Dialogue: 0,0:15:09.50,0:15:13.98,Default,,0000,0000,0000,,Protocol Class 2.1 Supplement. And if\Nyou're still sane after reading this like
Dialogue: 0,0:15:13.98,0:15:19.84,Default,,0000,0000,0000,,300 pages of insanity you understand that\Nthis thing defines something called a
Dialogue: 0,0:15:19.84,0:15:24.46,Default,,0000,0000,0000,,PJL – print job language. If you ever\Nscanned from a printer to the network you
Dialogue: 0,0:15:24.46,0:15:30.20,Default,,0000,0000,0000,,see this port I think 9100, something like\Nthat, open, that you send print jobs to,
Dialogue: 0,0:15:30.20,0:15:35.58,Default,,0000,0000,0000,,and it's the same port that you send the\Nfirmware upgrade to, and that's nice.
Dialogue: 0,0:15:35.58,0:15:38.26,Default,,0000,0000,0000,,So when we look at the file, it actually\Nconfirms this,
Dialogue: 0,0:15:38.26,0:15:41.78,Default,,0000,0000,0000,,because it actually begins\Nwith the words: PJL – Print job language.
Dialogue: 0,0:15:41.78,0:15:44.50,Default,,0000,0000,0000,,So that's nice. So now we know it's a\Nprint job language.
Dialogue: 0,0:15:44.50,0:15:48.32,Default,,0000,0000,0000,,But unfortunately this document doesn't\Ndocument anything about the firmware
Dialogue: 0,0:15:48.32,0:15:53.01,Default,,0000,0000,0000,,upgrade protocol, or anything,\Nbecause it's HP proprietary.
Dialogue: 0,0:15:53.01,0:15:55.71,Default,,0000,0000,0000,,So unfortunately we had\Nto do it ourselves
Dialogue: 0,0:15:55.71,0:16:01.93,Default,,0000,0000,0000,,and analyze this thing. Now I'm not going\Nto take you through the entire process of
Dialogue: 0,0:16:01.93,0:16:07.17,Default,,0000,0000,0000,,unwrapping this firmware because frankly\Nit's quite boring. But I'll just tell you
Dialogue: 0,0:16:07.17,0:16:11.17,Default,,0000,0000,0000,,that it's composed of several layers of\Ncompression, one of them is called
Dialogue: 0,0:16:11.17,0:16:14.97,Default,,0000,0000,0000,,NULL decoder, the other is called TIFF\Ndecoder, and another one called Delta Raw
Dialogue: 0,0:16:14.97,0:16:21.34,Default,,0000,0000,0000,,decoder. And the thing is that these\Nthings do something like… If the previous
Dialogue: 0,0:16:21.34,0:16:25.68,Default,,0000,0000,0000,,line was all blanks, and if this line is\Nalso all blanks, just write one instead of
Dialogue: 0,0:16:25.68,0:16:30.10,Default,,0000,0000,0000,,the line, so that gives you some kind of\Ncompression, and it makes really a lot of
Dialogue: 0,0:16:30.10,0:16:34.70,Default,,0000,0000,0000,,sense when you're talking about print jobs\Nbecause paper has a lot of spaces in it,
Dialogue: 0,0:16:34.70,0:16:39.63,Default,,0000,0000,0000,,but when you're talking about binary files\Nit makes absolutely no sense to do it this
Dialogue: 0,0:16:39.63,0:16:46.81,Default,,0000,0000,0000,,way. But still, it just works this way, so\Nafter we understand that, we were able to
Dialogue: 0,0:16:46.81,0:16:50.49,Default,,0000,0000,0000,,decode everything, decompress everything,\Nand we're talking to ourselves and
Dialogue: 0,0:16:50.49,0:16:53.42,Default,,0000,0000,0000,,laughing, when you're\Na hammer everything looks like a nail,
Dialogue: 0,0:16:53.42,0:16:56.33,Default,,0000,0000,0000,,and when you're a printer,\Neverything looks like a print job.
Dialogue: 0,0:16:56.33,0:16:58.00,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:16:58.00,0:17:02.24,Default,,0000,0000,0000,,So that was nice. And now, after we did\Nthat, we have a big file that hopefully
Dialogue: 0,0:17:02.24,0:17:04.99,Default,,0000,0000,0000,,now is our firmware.
Dialogue: 0,0:17:04.99,0:17:07.41,Default,,0000,0000,0000,,So how do we analyze it?
Dialogue: 0,0:17:07.41,0:17:10.93,Default,,0000,0000,0000,,Looking at this thing right at the\Nbeginning of the file, there's something
Dialogue: 0,0:17:10.93,0:17:14.92,Default,,0000,0000,0000,,that really looks like a table. It doesn't\Nonly really look like a table, it is
Dialogue: 0,0:17:14.92,0:17:20.64,Default,,0000,0000,0000,,a table. We define it, it looks like this.\NAnd what this table defines is a loading
Dialogue: 0,0:17:20.64,0:17:25.56,Default,,0000,0000,0000,,address, section name and location in\Nbinary. So what that means is that our big
Dialogue: 0,0:17:25.56,0:17:30.55,Default,,0000,0000,0000,,file is actually split into several\Nsections. This table just defines those
Dialogue: 0,0:17:30.55,0:17:35.35,Default,,0000,0000,0000,,sections. So now we are able to split this\Nbig file into several smaller chunks and
Dialogue: 0,0:17:35.35,0:17:40.87,Default,,0000,0000,0000,,inspect each chunk. The most important\Nchunk, the one that looks most promising
Dialogue: 0,0:17:40.87,0:17:47.10,Default,,0000,0000,0000,,looks like it contains our firmware. So we\Ntook a closer look into that and that's
Dialogue: 0,0:17:47.10,0:17:52.25,Default,,0000,0000,0000,,what we saw: It actually looks like our\Nfirmware. That's because you see: That's
Dialogue: 0,0:17:52.25,0:17:55.41,Default,,0000,0000,0000,,one of the strings that we've seen here.
Dialogue: 0,0:17:55.41,0:17:56.57,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:17:56.57,0:18:00.90,Default,,0000,0000,0000,,Yeah! We all saw that before, right? It's\N"Error: I don't understand". But it's not
Dialogue: 0,0:18:00.90,0:18:05.35,Default,,0000,0000,0000,,completely "Error: I don't understand".\NThere are some missing bytes in here.
Dialogue: 0,0:18:05.35,0:18:09.54,Default,,0000,0000,0000,,And actually those missing bytes are\Npretty consistent throughout the entire
Dialogue: 0,0:18:09.54,0:18:13.94,Default,,0000,0000,0000,,chunk. So although we know that we are\Nlooking at the code, we can't actually
Dialogue: 0,0:18:13.94,0:18:18.64,Default,,0000,0000,0000,,see the code until we have those missing\Nbytes filled. We need to understand: Why
Dialogue: 0,0:18:18.64,0:18:23.76,Default,,0000,0000,0000,,are they there and what were they replaced\Nwith? So let's try to analyze this thing
Dialogue: 0,0:18:23.76,0:18:28.58,Default,,0000,0000,0000,,together, quickly, now. But first, let's\Ntry to understand what this thing is.
Dialogue: 0,0:18:28.58,0:18:34.75,Default,,0000,0000,0000,,We had a lot of things in mind, every one\Nseemed crazy, but I think the least crazy
Dialogue: 0,0:18:34.75,0:18:40.68,Default,,0000,0000,0000,,option was that this is yet another form\Nof compression. A really bad one, again.
Dialogue: 0,0:18:40.68,0:18:44.44,Default,,0000,0000,0000,,Because when we tried to compress this\Nthing with zlib, for example, we get like
Dialogue: 0,0:18:44.44,0:18:49.15,Default,,0000,0000,0000,,80% better compression than it currently\Nis, and we know that the printer has zlib,
Dialogue: 0,0:18:49.15,0:18:53.90,Default,,0000,0000,0000,,because we see zlib strings in there, so\Nwhy not use zlib? I don't know.
Dialogue: 0,0:18:53.90,0:18:57.72,Default,,0000,0000,0000,,But still, we are left with a challenge.\NSo this is one snippet of the code that
Dialogue: 0,0:18:57.72,0:19:00.42,Default,,0000,0000,0000,,you just saw,\Nso let's try to decompress this.
Dialogue: 0,0:19:00.42,0:19:03.96,Default,,0000,0000,0000,,First of all, you need to understand this\Nthing is composed of two types of
Dialogue: 0,0:19:03.96,0:19:08.47,Default,,0000,0000,0000,,characters, one are ASCII characters,\Nstuff that you can read, and some other
Dialogue: 0,0:19:08.47,0:19:13.78,Default,,0000,0000,0000,,are stuff that you can't read, non-ASCII\Ncharacters. And those non-ASCII characters
Dialogue: 0,0:19:13.78,0:19:18.05,Default,,0000,0000,0000,,are actually those missing bytes that we\Nhave. So we need to understand what they
Dialogue: 0,0:19:18.05,0:19:22.14,Default,,0000,0000,0000,,are, so let's take a closer look at them.\NAnd if you stare at this thing long enough
Dialogue: 0,0:19:22.14,0:19:27.39,Default,,0000,0000,0000,,you'll start seeing some kind of pattern.\NI'll save you the trouble and just show you.
Dialogue: 0,0:19:27.39,0:19:33.53,Default,,0000,0000,0000,,It's composed of these single bytes,\Nand then those double bytes in there.
Dialogue: 0,0:19:33.53,0:19:37.84,Default,,0000,0000,0000,,And the distance between the single\Nbytes looks suspiciously patterned,
Dialogue: 0,0:19:37.84,0:19:42.21,Default,,0000,0000,0000,,8 bytes, 9 bytes, 9 bytes, 8 bytes, over\Nand over again, so what does this mean,
Dialogue: 0,0:19:42.21,0:19:47.09,Default,,0000,0000,0000,,where is the pattern here? If you look at\Nthis from a different angle, maybe the
Dialogue: 0,0:19:47.09,0:19:52.35,Default,,0000,0000,0000,,pattern will look a bit clearer. You see\Nthat F7 and F7, they look the same.
Dialogue: 0,0:19:52.35,0:19:55.47,Default,,0000,0000,0000,,The FF and FF, they look the same.\NSomething here looks really pattern-ish.
Dialogue: 0,0:19:55.47,0:20:00.04,Default,,0000,0000,0000,,In order to understand this pattern, you\Nneed to sharpen your binary view a bit,
Dialogue: 0,0:20:00.04,0:20:05.12,Default,,0000,0000,0000,,and if you understand that FF is just\N8 one bits, and if you do that
Dialogue: 0,0:20:05.12,0:20:08.79,Default,,0000,0000,0000,,consistently for all of these chunks, you\Nwill start seeing the pattern.
Dialogue: 0,0:20:08.79,0:20:13.63,Default,,0000,0000,0000,,The pattern is that the zero bit always\Nfalls within this two-byte hole.
Dialogue: 0,0:20:13.63,0:20:18.13,Default,,0000,0000,0000,,It's consistent throughout the file. And\Nwhat this means is that the first byte is
Dialogue: 0,0:20:18.13,0:20:22.64,Default,,0000,0000,0000,,just a bitmap describing the following\N8 bytes after it. That's what it means.
Dialogue: 0,0:20:22.64,0:20:27.17,Default,,0000,0000,0000,,And that's perfect because now we\Nunderstand what these single bytes are, but
Dialogue: 0,0:20:27.17,0:20:32.20,Default,,0000,0000,0000,,we still don't understand, what are those\Ndouble bytes? And they were replaced with
Dialogue: 0,0:20:32.20,0:20:37.62,Default,,0000,0000,0000,,something, but with what? So if you know\Nanything about compression, you know that
Dialogue: 0,0:20:37.62,0:20:41.57,Default,,0000,0000,0000,,there's not a lot of options here really.\NIt could be either a forward or backward
Dialogue: 0,0:20:41.57,0:20:46.50,Default,,0000,0000,0000,,pointer, it could be a dictionary of some\Nsort, or it could be a sliding window.
Dialogue: 0,0:20:46.50,0:20:50.20,Default,,0000,0000,0000,,Now we can pretty easily confirm that\Nit's not a forward/backward pointer just
Dialogue: 0,0:20:50.20,0:20:54.17,Default,,0000,0000,0000,,because we tried to follow the references\Nin the file, we see nothing that should be
Dialogue: 0,0:20:54.17,0:20:58.92,Default,,0000,0000,0000,,there, same goes for dictionary. We can't\Nfind anything that's consistent enough to
Dialogue: 0,0:20:58.92,0:21:03.00,Default,,0000,0000,0000,,be a dictionary. So it leaves us only\Nwith the option of a sliding window.
Dialogue: 0,0:21:03.00,0:21:08.37,Default,,0000,0000,0000,,Once we're equipped with this information,\Nwe go to our favorite place, to Google.
Dialogue: 0,0:21:08.37,0:21:12.82,Default,,0000,0000,0000,,And try to find some similar\Nimplementations to this. Luckily for us,
Dialogue: 0,0:21:12.82,0:21:18.80,Default,,0000,0000,0000,,in some very dark corner of the internet,\Nwe find this wiki page. It defines
Dialogue: 0,0:21:18.80,0:21:25.14,Default,,0000,0000,0000,,something called a Softdisk Library\NFormat. I won't ask if someone knows what
Dialogue: 0,0:21:25.14,0:21:31.99,Default,,0000,0000,0000,,Softdisk is, because probably somebody\Nknows here, it's CCC after all. But inside
Dialogue: 0,0:21:31.99,0:21:35.82,Default,,0000,0000,0000,,this thing it defines some kind of\Ncompression algorithm that looks very
Dialogue: 0,0:21:35.82,0:21:41.62,Default,,0000,0000,0000,,similar to ours. It looks actually really\Nreally like ours. Actually, it's exactly
Dialogue: 0,0:21:41.62,0:21:48.30,Default,,0000,0000,0000,,our compression algorithm. So yeah. That's\Nnice. And I think the funny thing here is
Dialogue: 0,0:21:48.30,0:21:53.79,Default,,0000,0000,0000,,that this compression algorithm was used\Nin the past somewhere, and only there.
Dialogue: 0,0:21:53.79,0:21:56.22,Default,,0000,0000,0000,,Can you guess where?
Dialogue: 0,0:21:56.24,0:21:58.61,Default,,0000,0000,0000,,{\i1}Waiting for response from the audience{\i0}
Dialogue: 0,0:21:58.61,0:22:03.82,Default,,0000,0000,0000,,Uh, yeah, somebody who didn't see {\i1}chuckles{\i0}\Nthis presentation before?
Dialogue: 0,0:22:04.12,0:22:06.66,Default,,0000,0000,0000,,Yeah! It was used in Commander Keen.
Dialogue: 0,0:22:06.66,0:22:09.23,Default,,0000,0000,0000,,Softdisk is the company who produced\NCommander Keen.
Dialogue: 0,0:22:09.23,0:22:12.18,Default,,0000,0000,0000,,So the compression algorithm\Nfrom Commander Keen made its way,
Dialogue: 0,0:22:12.18,0:22:17.09,Default,,0000,0000,0000,,somehow, into the entire HP line of\Nproducts.
Dialogue: 0,0:22:17.09,0:22:18.86,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:22:18.86,0:22:23.28,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:22:23.28,0:22:27.58,Default,,0000,0000,0000,,How? I don't know! You can check if there\Nwas anybody who was fired from Softdisk
Dialogue: 0,0:22:27.58,0:22:32.06,Default,,0000,0000,0000,,and hired in HP. Probably that would be my\Nguess. But we'll never know.
Dialogue: 0,0:22:32.06,0:22:36.76,Default,,0000,0000,0000,,So now we understand exactly what this\Nthing is, and how this compression works.
Dialogue: 0,0:22:36.76,0:22:40.69,Default,,0000,0000,0000,,We have the missing data that we need. And\Nthis data means that those two bytes are
Dialogue: 0,0:22:40.69,0:22:44.54,Default,,0000,0000,0000,,actually composed of window location and\Ndata length. And that's all we need, and
Dialogue: 0,0:22:44.54,0:22:48.40,Default,,0000,0000,0000,,let me show you, like really quickly, how\Nthis compression works. So we have an
Dialogue: 0,0:22:48.40,0:22:51.95,Default,,0000,0000,0000,,input text, output text and sliding\Nwindow. We want to compress this string
Dialogue: 0,0:22:51.95,0:22:56.40,Default,,0000,0000,0000,,over here, and let's try and do it.\NSo the first byte is the bitmap, so we leave
Dialogue: 0,0:22:56.40,0:23:01.17,Default,,0000,0000,0000,,it empty for now. Then, second byte, we\Nstart with "A". So we place it both in the
Dialogue: 0,0:23:01.17,0:23:05.45,Default,,0000,0000,0000,,output text and in the sliding window.\NThen we go to "B", same thing. "C", same
Dialogue: 0,0:23:05.45,0:23:09.72,Default,,0000,0000,0000,,thing. "D", again, and now we get to "A".\NBut "A" is already present in the sliding
Dialogue: 0,0:23:09.72,0:23:13.63,Default,,0000,0000,0000,,window, so we don't need to write it in\Nthe output text, we can just do
Dialogue: 0,0:23:13.63,0:23:19.18,Default,,0000,0000,0000,,nothing and then go to "B", same thing,\Nit's just the following character in the
Dialogue: 0,0:23:19.18,0:23:23.74,Default,,0000,0000,0000,,sliding window, and then when we get to\N"E", we just write "00 02". That means
Dialogue: 0,0:23:23.74,0:23:28.64,Default,,0000,0000,0000,,"Go to the sliding window at position 0,\Nand take the first two bytes". That's what
Dialogue: 0,0:23:28.64,0:23:33.42,Default,,0000,0000,0000,,it means. Then we continue to "E", "F",\N"G", after we did that, we input our
Dialogue: 0,0:23:33.42,0:23:38.49,Default,,0000,0000,0000,,bitmap here, and now we know the bitmap\Nvalue and that's all there is to it.
Dialogue: 0,0:23:38.49,0:23:40.13,Default,,0000,0000,0000,,That's the compression algorithm.
Dialogue: 0,0:23:40.13,0:23:42.88,Default,,0000,0000,0000,,It's pretty easy\Nlooking at it this way, right?
Dialogue: 0,0:23:42.88,0:23:48.98,Default,,0000,0000,0000,,Looking at it in reverse is a bit more\Ndifficult, but yes, now we can do that.
Dialogue: 0,0:23:48.98,0:23:52.84,Default,,0000,0000,0000,,And now we completely open everything, and\Nyes, we have our firmware, you can read
Dialogue: 0,0:23:52.84,0:23:56.32,Default,,0000,0000,0000,,everything. It's actual code. And now we\Nneed to understand:
Dialogue: 0,0:23:56.32,0:24:00.14,Default,,0000,0000,0000,,What does this code mean? And basically,\Nfirst of all, we need to understand what
Dialogue: 0,0:24:00.14,0:24:03.98,Default,,0000,0000,0000,,architecture this is, what the\Noperating system is and so on and so on.
Dialogue: 0,0:24:03.98,0:24:09.77,Default,,0000,0000,0000,,So it took us quite some time to do that.\NBut let me give you a brief explanation.
Dialogue: 0,0:24:09.77,0:24:13.58,Default,,0000,0000,0000,,First of all, the operating system is\Ncalled ThreadX. It's a real-time operating
Dialogue: 0,0:24:13.58,0:24:20.71,Default,,0000,0000,0000,,system. The CPU, the processor, is ARM9\Nbig-endian, and then it has several
Dialogue: 0,0:24:20.71,0:24:25.04,Default,,0000,0000,0000,,components to it, like stuff that's\Nrelated to system, some common libraries,
Dialogue: 0,0:24:25.04,0:24:31.94,Default,,0000,0000,0000,,and tasks. Tasks are the equivalent of\Nprocesses in normal operating systems.
Dialogue: 0,0:24:31.94,0:24:37.13,Default,,0000,0000,0000,,In the system stuff we have boot loaders\Nand some networking functionality and some
Dialogue: 0,0:24:37.13,0:24:43.36,Default,,0000,0000,0000,,other stuff, Common Libraries we have a\Nlot of common libraries, and tasks, once
Dialogue: 0,0:24:43.36,0:24:46.81,Default,,0000,0000,0000,,we're able to isolate them, we can\Nunderstand exactly the tasks, and once
Dialogue: 0,0:24:46.81,0:24:52.68,Default,,0000,0000,0000,,we do that, we now know that all we need\Nto do is focus on these tasks, because
Dialogue: 0,0:24:52.68,0:24:55.23,Default,,0000,0000,0000,,they're the tasks relevant\Nto fax protocols,
Dialogue: 0,0:24:55.23,0:24:56.94,Default,,0000,0000,0000,,we can leave everything else aside.
Dialogue: 0,0:24:56.94,0:25:01.81,Default,,0000,0000,0000,,It will make our work much easier. We\Nwant to start doing that. But,
Dialogue: 0,0:25:01.81,0:25:07.70,Default,,0000,0000,0000,,just a second before we do that. Looking\Nat this, we see something that looks not
Dialogue: 0,0:25:07.70,0:25:13.29,Default,,0000,0000,0000,,really… I don't know, it doesn't make\Na lot of sense. This thing is Spidermonkey.
Dialogue: 0,0:25:14.07,0:25:18.82,Default,,0000,0000,0000,,Every HP printer contains a Spidermonkey\Nlibrary. I don't know if you know what
Dialogue: 0,0:25:18.82,0:25:22.72,Default,,0000,0000,0000,,Spidermonkey is, but basically it's the\NJavaScript implementation by Mozilla.
Dialogue: 0,0:25:22.96,0:25:26.28,Default,,0000,0000,0000,,It's used in Firefox for example. And we\Nwere thinking to ourselves:
Dialogue: 0,0:25:26.28,0:25:30.49,Default,,0000,0000,0000,,Why does a printer need to render\NJavaScript? It makes no sense.
Dialogue: 0,0:25:30.49,0:25:34.89,Default,,0000,0000,0000,,I mean yeah, it has a web server, but it's\Nnot a web client. We couldn't think of
Dialogue: 0,0:25:34.89,0:25:37.96,Default,,0000,0000,0000,,any situation in which a printer needs to\Nrender JavaScript.
Dialogue: 0,0:25:37.96,0:25:43.40,Default,,0000,0000,0000,,It looked really strange to us. So we\Ndecided to try and see where this printer
Dialogue: 0,0:25:43.40,0:25:49.36,Default,,0000,0000,0000,,is actually using JavaScript, so we went\Nback a bit and checked and we found that
Dialogue: 0,0:25:49.38,0:25:53.95,Default,,0000,0000,0000,,JavaScript is used in a feature called\NPAC – Proxy Auto Configuration.
Dialogue: 0,0:25:53.98,0:26:04.61,Default,,0000,0000,0000,,It's pretty common, it's a good protocol.\NIt defines proxies when you're doing DHCP
Dialogue: 0,0:26:04.76,0:26:09.72,Default,,0000,0000,0000,,or something like that. The thing is that\Nthe top layer functionality of this entire
Dialogue: 0,0:26:09.72,0:26:15.41,Default,,0000,0000,0000,,PAC functionality was written by HP.\NAnd when we were looking at that, we see
Dialogue: 0,0:26:15.41,0:26:20.42,Default,,0000,0000,0000,,all this functionality, and we see this\Nstrange thing here. The printer once it
Dialogue: 0,0:26:20.42,0:26:23.52,Default,,0000,0000,0000,,does this PAC functionality, it tries to\Nconnect to this domain:
Dialogue: 0,0:26:23.52,0:26:26.85,Default,,0000,0000,0000,,fakeurl1234.com. Just connect to it and\Ndo nothing with it.
Dialogue: 0,0:26:26.85,0:26:31.38,Default,,0000,0000,0000,,Some sort of sanity test I guess? I don't\Nreally know why.
Dialogue: 0,0:26:31.38,0:26:39.39,Default,,0000,0000,0000,,But the interesting thing here is: Do you\Nknow who owns the domain fakeurl1234.com?
Dialogue: 0,0:26:39.39,0:26:42.12,Default,,0000,0000,0000,,{\i1}Laughter mixed with murmur{\i0}
Dialogue: 0,0:26:42.12,0:26:42.91,Default,,0000,0000,0000,,No, it's not HP.
Dialogue: 0,0:26:42.91,0:26:44.73,Default,,0000,0000,0000,,{\i1}Murmur & responses from the audience{\i0}
Dialogue: 0,0:26:44.73,0:26:47.61,Default,,0000,0000,0000,,Ehh, Check Point is kinda… eh…, yeah.
Dialogue: 0,0:26:48.89,0:26:49.60,Default,,0000,0000,0000,,I own it.
Dialogue: 0,0:26:50.09,0:26:51.69,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:26:51.69,0:26:53.08,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:26:53.08,0:26:58.29,Default,,0000,0000,0000,,It just wasn't registered.\NSo, we registered it for 5 Dollars.
Dialogue: 0,0:26:58.29,0:27:02.12,Default,,0000,0000,0000,,And now every HP printer is connecting to\Nmy domain. {\i1}Chuckling{\i0}
Dialogue: 0,0:27:02.34,0:27:06.34,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:27:06.50,0:27:09.90,Default,,0000,0000,0000,,{\i1}Applause{\i0}
Dialogue: 0,0:27:09.90,0:27:13.32,Default,,0000,0000,0000,,So, if anybody wants to buy the domain, I\Nhave a very good price for you:
Dialogue: 0,0:27:13.32,0:27:14.56,Default,,0000,0000,0000,,More than 5 dollars.
Dialogue: 0,0:27:14.56,0:27:18.81,Default,,0000,0000,0000,,And now I'll hand it over\Nto Eyal to continue.
Dialogue: 0,0:27:19.36,0:27:23.39,Default,,0000,0000,0000,,Eyal Itkin: Okay, thank you Yaniv.\NAfter we've finished messing around with
Dialogue: 0,0:27:23.39,0:27:27.38,Default,,0000,0000,0000,,Spidermonkey, it's time to focus back on\Nfax, so T.30.
Dialogue: 0,0:27:27.38,0:27:31.71,Default,,0000,0000,0000,,T.30 – in its full name it's\NITU-T recommendation T.30 – is a standard
Dialogue: 0,0:27:31.71,0:27:37.52,Default,,0000,0000,0000,,that defines the fax protocol. Actually\Nit's a very very long PDF, more than
Dialogue: 0,0:27:37.52,0:27:42.02,Default,,0000,0000,0000,,300 pages. It defines all the phases and\Nmessages we need in order to send and
Dialogue: 0,0:27:42.02,0:27:48.13,Default,,0000,0000,0000,,receive a fax document. It was first\Ndefined very long ago, 1985, and was last
Dialogue: 0,0:27:48.13,0:27:53.38,Default,,0000,0000,0000,,updated more than a decade ago. So from\Nour perspective that's a very good idea,
Dialogue: 0,0:27:53.38,0:27:59.50,Default,,0000,0000,0000,,because we want to find vulnerabilities in\Nan old and complicated protocol.
Dialogue: 0,0:27:59.50,0:28:04.44,Default,,0000,0000,0000,,We're most probably going to find some.\NAfter we read through the standard we
Dialogue: 0,0:28:04.44,0:28:12.36,Default,,0000,0000,0000,,started to dynamically look at it, opened\Nit in IDA and looked up the T.30 task.
Dialogue: 0,0:28:12.36,0:28:17.80,Default,,0000,0000,0000,,And you can see that the state machine is\Nquite huge as you can see here in IDA, and
Dialogue: 0,0:28:17.80,0:28:22.98,Default,,0000,0000,0000,,actually that's a small state machine.\NBecause most of the code blocks you can
Dialogue: 0,0:28:22.98,0:28:27.31,Default,,0000,0000,0000,,see over here contain additional state\Nmachines inside them. Meaning that this is
Dialogue: 0,0:28:27.31,0:28:31.89,Default,,0000,0000,0000,,going to be a very very huge and\Ncomplicated state machine to reverse.
Dialogue: 0,0:28:31.89,0:28:36.59,Default,,0000,0000,0000,,And if that wasn't enough it turns out\Nthat HP really likes to use
Dialogue: 0,0:28:36.59,0:28:40.39,Default,,0000,0000,0000,,function pointers and global variables in\Ntheir code. Meaning that statically
Dialogue: 0,0:28:40.39,0:28:47.34,Default,,0000,0000,0000,,reverse-engineering this huge task is\Ngoing to be very complicated. Although I
Dialogue: 0,0:28:47.34,0:28:52.27,Default,,0000,0000,0000,,personally prefer to statically\Nreverse-engineer, this time we had to
Dialogue: 0,0:28:52.27,0:28:56.78,Default,,0000,0000,0000,,choose a different tactic, we'll need to\Ndynamically reverse-engineer this thing
Dialogue: 0,0:28:56.78,0:29:00.46,Default,,0000,0000,0000,,and for this we'll need to have a\Ndebugger.
Dialogue: 0,0:29:00.46,0:29:06.24,Default,,0000,0000,0000,,As Yaniv mentioned earlier, nobody knows\Nhow we can debug a printer.
Dialogue: 0,0:29:06.24,0:29:11.98,Default,,0000,0000,0000,,We already tried built-in JTAG and\Nserial port and that failed.
Dialogue: 0,0:29:11.98,0:29:16.08,Default,,0000,0000,0000,,We then searched for a built-in GDB stub we\Ncould use,
Dialogue: 0,0:29:16.08,0:29:18.96,Default,,0000,0000,0000,,but I couldn't find any such stub.
Dialogue: 0,0:29:18.96,0:29:24.22,Default,,0000,0000,0000,,At this point it's very important to\Nremember that even if we could control the
Dialogue: 0,0:29:24.22,0:29:29.43,Default,,0000,0000,0000,,execution flow, no-one can put a debugger\Nwithout controlling the execution flow,
Dialogue: 0,0:29:29.43,0:29:34.76,Default,,0000,0000,0000,,and we can't do anything, it's a black\Nbox, I can send papers and that's it.
Dialogue: 0,0:29:35.33,0:29:40.95,Default,,0000,0000,0000,,And even if I could control the execution\Nflow and load my debugger, the printer
Dialogue: 0,0:29:40.95,0:29:46.30,Default,,0000,0000,0000,,uses a hardware watchdog. And this is an\Nexternal hardware mechanism that monitors
Dialogue: 0,0:29:46.30,0:29:51.57,Default,,0000,0000,0000,,the main CPU and whenever the main CPU\Nenters an endless loop or it halts,
Dialogue: 0,0:29:51.57,0:29:59.14,Default,,0000,0000,0000,,the watchdog reboots the entire printer.\NThis means that since essentially a
Dialogue: 0,0:29:59.14,0:30:02.90,Default,,0000,0000,0000,,breakpoint halts the program,
Dialogue: 0,0:30:02.90,0:30:06.24,Default,,0000,0000,0000,,whenever we hit a breakpoint,\Nthe watchdog will kill us.
Dialogue: 0,0:30:06.24,0:30:11.09,Default,,0000,0000,0000,,So we need to find a way around this\Nthing, the easiest way we could find
Dialogue: 0,0:30:11.09,0:30:16.78,Default,,0000,0000,0000,,was to split this enormous task into\Nchunks, if we could find any code
Dialogue: 0,0:30:16.78,0:30:21.78,Default,,0000,0000,0000,,execution vulnerability, we could try to\Nexecute code over the printer and load our
Dialogue: 0,0:30:21.78,0:30:27.07,Default,,0000,0000,0000,,own debugger. And at this stage we had\Nluck, and we believe that luck is an
Dialogue: 0,0:30:27.07,0:30:35.06,Default,,0000,0000,0000,,important part in every research project.\NOn the 19th of July, SENRIO published a
Dialogue: 0,0:30:35.06,0:30:37.54,Default,,0000,0000,0000,,vulnerability called "Devil's Ivy".
Dialogue: 0,0:30:37.69,0:30:42.88,Default,,0000,0000,0000,,Devil's Ivy is a remote code execution in\NgSOAP and many embedded devices (and our
Dialogue: 0,0:30:42.88,0:30:47.33,Default,,0000,0000,0000,,printer included) tend to implement a web\Nserver for management and configuration,
Dialogue: 0,0:30:47.33,0:30:52.60,Default,,0000,0000,0000,,and in our case this web server uses\NgSOAP, and it even uses a vulnerable
Dialogue: 0,0:30:52.60,0:30:57.81,Default,,0000,0000,0000,,version of gSOAP, so we now have our\Nvulnerability, and we'll need to exploit
Dialogue: 0,0:30:57.81,0:31:03.31,Default,,0000,0000,0000,,it. For those of you not familiar with\NDevil's Ivy, here is the code.
Dialogue: 0,0:31:03.74,0:31:05.50,Default,,0000,0000,0000,,And here is the vulnerability itself.
Dialogue: 0,0:31:06.36,0:31:10.63,Default,,0000,0000,0000,,Devil's Ivy is a signed integer underflow\Nvulnerability,
Dialogue: 0,0:31:10.63,0:31:13.20,Default,,0000,0000,0000,,meaning that we'll need to send
Dialogue: 0,0:31:13.20,0:31:19.24,Default,,0000,0000,0000,,enough data for the variable to go from\Nnegative back to positive. And that means
Dialogue: 0,0:31:19.24,0:31:22.70,Default,,0000,0000,0000,,we need to send roughly 2 Gigabytes of\Ndata to the printer.
Dialogue: 0,0:31:23.45,0:31:26.87,Default,,0000,0000,0000,,So HP really prides itself on the printing\Nspeed of the printer,
Dialogue: 0,0:31:26.87,0:31:28.82,Default,,0000,0000,0000,,but not on the network speed.
Dialogue: 0,0:31:30.36,0:31:35.38,Default,,0000,0000,0000,,After many optimization rounds we managed\Nto reduce the exploit time to roughly
Dialogue: 0,0:31:35.38,0:31:43.42,Default,,0000,0000,0000,,7 minutes. So you start the exploit, you\Nwait, and after 7 minutes you have
Dialogue: 0,0:31:43.42,0:31:50.76,Default,,0000,0000,0000,,your exploit. And here our good luck\Nended, because we had a side effect in our
Dialogue: 0,0:31:50.76,0:31:57.22,Default,,0000,0000,0000,,exploit, and after two to ten minutes the\Nprinter will crash. And this means we will
Dialogue: 0,0:31:57.22,0:32:02.60,Default,,0000,0000,0000,,need to wait an additional 7 minutes,\Nwe'll have 2 minutes to debug it,
Dialogue: 0,0:32:02.60,0:32:08.52,Default,,0000,0000,0000,,and then it will crash again. So we\Nwaited a lot of 7 minutes in our research.
Dialogue: 0,0:32:08.52,0:32:10.54,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:32:10.54,0:32:15.79,Default,,0000,0000,0000,,If you recall, we wanted a debugger so we\Ncould dynamically reverse-engineer the
Dialogue: 0,0:32:15.79,0:32:20.24,Default,,0000,0000,0000,,firmware. We wanted to read memory and write\Nmemory, and now we have a debugging
Dialogue: 0,0:32:20.24,0:32:25.18,Default,,0000,0000,0000,,vulnerability, so we can load a debugger,\Nwe need to execute this debugger, so
Dialogue: 0,0:32:25.18,0:32:28.93,Default,,0000,0000,0000,,we'll need executing permissions\Nto load it.
Dialogue: 0,0:32:28.93,0:32:30.64,Default,,0000,0000,0000,,The most important thing is that we need
Dialogue: 0,0:32:30.64,0:32:35.39,Default,,0000,0000,0000,,to execute our debugger without crashing\Nthe firmware. Because we want the debugger
Dialogue: 0,0:32:35.39,0:32:41.16,Default,,0000,0000,0000,,to run and the firmware to debug and we\Nwant them to blend inside the
Dialogue: 0,0:32:41.16,0:32:44.81,Default,,0000,0000,0000,,virtual address space of the printer,\Nliving happily together.
Dialogue: 0,0:32:44.81,0:32:52.16,Default,,0000,0000,0000,,We couldn't find any debugger that achieves\Nthis goal, so I did what my mother usually
Dialogue: 0,0:32:52.16,0:32:56.60,Default,,0000,0000,0000,,tells me not to do, we actually wrote our\Nown debugger.
Dialogue: 0,0:32:58.09,0:33:02.49,Default,,0000,0000,0000,,So this is Scout. Scout is an\Ninstruction-based debugger that supports Intel CPUs
Dialogue: 0,0:33:02.49,0:33:07.31,Default,,0000,0000,0000,,and ARM CPUs, because we have an ARM\Nprinter. As a prototype we had a Linux
Dialogue: 0,0:33:07.31,0:33:11.49,Default,,0000,0000,0000,,kernel driver, and this time we're going\Nto use it in its embedded mode.
Dialogue: 0,0:33:12.06,0:33:15.67,Default,,0000,0000,0000,,In embedded mode we compile it to be fully\Npositioned in the {\i1}unintelligible{\i0},
Dialogue: 0,0:33:15.67,0:33:19.61,Default,,0000,0000,0000,,because we essentially throw it somewhere\Ninside the firmware and expect it to
Dialogue: 0,0:33:19.61,0:33:25.23,Default,,0000,0000,0000,,execute. We pre-equip it with useful\Naddresses like:
Dialogue: 0,0:33:25.23,0:33:29.34,Default,,0000,0000,0000,,memcpy, socket, bind, listen, which we\Nfind using IDA.
Dialogue: 0,0:33:29.34,0:33:33.33,Default,,0000,0000,0000,,And whenever it tries to\Ncall these functions it goes to its
Dialogue: 0,0:33:33.33,0:33:35.83,Default,,0000,0000,0000,,own GAT, finds the address and
Dialogue: 0,0:33:35.83,0:33:38.29,Default,,0000,0000,0000,,jumps to it.
Dialogue: 0,0:33:38.29,0:33:45.14,Default,,0000,0000,0000,,After we compile it, we use it in our\Nexploit, we jump into this blob, and it
Dialogue: 0,0:33:45.14,0:33:49.35,Default,,0000,0000,0000,,starts up a TCP server, we can now connect\Nto, to send instructions to
Dialogue: 0,0:33:49.35,0:33:52.65,Default,,0000,0000,0000,,read memory, to write memory,\Nand whatever we want.
Dialogue: 0,0:33:53.59,0:33:59.22,Default,,0000,0000,0000,,You can find Scout in our GitHub, with the\Nexamples for Linux kernel driver and
Dialogue: 0,0:33:59.22,0:34:02.79,Default,,0000,0000,0000,,embedded mode. And we're actually using it\Nfor some CVEs now,
Dialogue: 0,0:34:02.79,0:34:06.91,Default,,0000,0000,0000,,so it's highly recommended.
Dialogue: 0,0:34:06.91,0:34:09.49,Default,,0000,0000,0000,,Now that we've reached this point in our talk,
Dialogue: 0,0:34:09.49,0:34:14.81,Default,,0000,0000,0000,,we haven't yet described to you how a fax\Nactually works, so with Scout we
Dialogue: 0,0:34:14.81,0:34:18.25,Default,,0000,0000,0000,,dynamically reverse-engineered the\Nfirmware, and now we can actually
Dialogue: 0,0:34:18.25,0:34:24.67,Default,,0000,0000,0000,,describe to you how a fax actually works.\NIn order to send a fax, we need a sending
Dialogue: 0,0:34:24.67,0:34:29.69,Default,,0000,0000,0000,,machine, we need to send it to some modem,\Nthe packets from the modem will be
Dialogue: 0,0:34:29.69,0:34:35.27,Default,,0000,0000,0000,,processed in the CPU, and afterwards, the\Ndata is going to be processed and probably
Dialogue: 0,0:34:35.27,0:34:42.02,Default,,0000,0000,0000,,printed. Let's see how it starts. We start\Nwith network interaction,
Dialogue: 0,0:34:42.02,0:34:48.40,Default,,0000,0000,0000,,probing and ranging, equalizer and echo\Ncancelling, more training,
Dialogue: 0,0:34:48.40,0:34:51.74,Default,,0000,0000,0000,,and you actually need to be quite familiar\Nwith these steps,
Dialogue: 0,0:34:51.74,0:34:53.31,Default,,0000,0000,0000,,because they sound like this:
Dialogue: 0,0:34:53.31,0:34:55.33,Default,,0000,0000,0000,,{\i1}repetitive fax modem sounds{\i0}
Dialogue: 0,0:34:56.02,0:35:01.30,Default,,0000,0000,0000,,With these beeps, we actually created an\NHDLC tunnel. Through this tunnel, we're
Dialogue: 0,0:35:01.30,0:35:07.88,Default,,0000,0000,0000,,going to send our T.30 messages, to\Nthe CPU. In T.30 you have phase A,
Dialogue: 0,0:35:07.88,0:35:12.78,Default,,0000,0000,0000,,in which we send the caller ID, which is\Na string. In phase B you negotiate the
Dialogue: 0,0:35:12.78,0:35:16.100,Default,,0000,0000,0000,,capabilities, so I send my capabilities\Nand receive the printer's capabilities.
Dialogue: 0,0:35:17.73,0:35:21.73,Default,,0000,0000,0000,,Phase C is the important step because here\Nwe actually send our fax data,
Dialogue: 0,0:35:21.73,0:35:26.97,Default,,0000,0000,0000,,line after line, and page after page.\NAnd in phase D, we finish. I send an ACK,
Dialogue: 0,0:35:26.97,0:35:31.52,Default,,0000,0000,0000,,I receive an ACK, and that's it.\NLet us now see how a normal black/white
Dialogue: 0,0:35:31.52,0:35:36.16,Default,,0000,0000,0000,,fax document is going to be sent through\Nthe protocol. So we have our document,
Dialogue: 0,0:35:36.16,0:35:41.43,Default,,0000,0000,0000,,it's going to be sent over the HDLC tunnel\Nusing T.30 messages, over phase C, and the
Dialogue: 0,0:35:41.43,0:35:46.69,Default,,0000,0000,0000,,received document is actually the body of a\NTIFF file compressed in G.3 or G.4
Dialogue: 0,0:35:46.69,0:35:52.37,Default,,0000,0000,0000,,compression. From our perspective, that's\Npartially good news, because there are
Dialogue: 0,0:35:52.37,0:35:56.87,Default,,0000,0000,0000,,many vulnerabilities when parsing TIFF\Nheaders, and we only control the data
Dialogue: 0,0:35:56.87,0:36:01.12,Default,,0000,0000,0000,,of the file. The headers themselves are\Ngoing to be constructed by the printer
Dialogue: 0,0:36:01.12,0:36:03.90,Default,,0000,0000,0000,,itself, using messages from phase A\Nand phase D.
Dialogue: 0,0:36:03.90,0:36:11.26,Default,,0000,0000,0000,,So, we partially control a TIFF file and\Nafter it's done and ready, the file
Dialogue: 0,0:36:11.26,0:36:17.14,Default,,0000,0000,0000,,is going to be printed. Like every good\Nprotocol – and here it becomes very
Dialogue: 0,0:36:17.14,0:36:22.78,Default,,0000,0000,0000,,interesting – T.30 has many extensions.\NCan you guess what interesting extensions
Dialogue: 0,0:36:22.78,0:36:24.29,Default,,0000,0000,0000,,there are in the protocol?
Dialogue: 0,0:36:27.51,0:36:31.64,Default,,0000,0000,0000,,There's a security extension, but no-one\Nuses it, the other extension…
Dialogue: 0,0:36:31.75,0:36:33.74,Default,,0000,0000,0000,,is…
Dialogue: 0,0:36:33.74,0:36:34.60,Default,,0000,0000,0000,,Color Extension!
Dialogue: 0,0:36:34.82,0:36:36.96,Default,,0000,0000,0000,,Actually you can send colorful faxes and
Dialogue: 0,0:36:36.96,0:36:39.90,Default,,0000,0000,0000,,they really use it in hospitals\Nfor some reason.
Dialogue: 0,0:36:41.67,0:36:44.36,Default,,0000,0000,0000,,Let's see how colorful fax works.
Dialogue: 0,0:36:44.36,0:36:47.44,Default,,0000,0000,0000,,We send a document through\Nthe HDLC tunnel,
Dialogue: 0,0:36:47.44,0:36:53.84,Default,,0000,0000,0000,,over phase C, and the received document is\Nactually a JPEG file. This time we control
Dialogue: 0,0:36:53.84,0:36:58.59,Default,,0000,0000,0000,,the header and the data of the file, and\Nwe can do whatever we want to it,
Dialogue: 0,0:36:58.59,0:37:00.48,Default,,0000,0000,0000,,and send it for printing.
Dialogue: 0,0:37:00.48,0:37:02.81,Default,,0000,0000,0000,,Now that we know how a fax\Nactually works,
Dialogue: 0,0:37:02.81,0:37:05.12,Default,,0000,0000,0000,,where should we look for\Nvulnerabilities in it?
Dialogue: 0,0:37:05.12,0:37:10.04,Default,,0000,0000,0000,,Well, we have complicated state machines,\Nwithstand strings, there are
Dialogue: 0,0:37:10.04,0:37:13.52,Default,,0000,0000,0000,,several file layers, but the most\Nconvenient layer is the applicative one,
Dialogue: 0,0:37:13.52,0:37:17.45,Default,,0000,0000,0000,,and most importantly, JPEG, because we\Ncontrol the entire file.
Dialogue: 0,0:37:18.46,0:37:22.80,Default,,0000,0000,0000,,If we look at a JPEG file, it mainly\Nconsists of markers, we have a
Dialogue: 0,0:37:22.80,0:37:26.16,Default,,0000,0000,0000,,start marker, application marker with\Nlength and data, more markers with length
Dialogue: 0,0:37:26.16,0:37:29.37,Default,,0000,0000,0000,,and data, and so on and so on.
Dialogue: 0,0:37:29.37,0:37:35.50,Default,,0000,0000,0000,,If we zoom in on one such marker, we can\Nsee that in this marker we have a
Dialogue: 0,0:37:35.50,0:37:41.37,Default,,0000,0000,0000,,compression table, a 4x4 compression\Nmatrix for the exact document we send, we
Dialogue: 0,0:37:41.37,0:37:45.51,Default,,0000,0000,0000,,have a header, length field, 4x4 matrix,\Nand the data itself.
Dialogue: 0,0:37:46.38,0:37:52.67,Default,,0000,0000,0000,,If you zoom in a bit deeper, we can see\Nthat here we get a matrix, we sum up all
Dialogue: 0,0:37:52.67,0:37:56.66,Default,,0000,0000,0000,,of the values. This matrix should be\Nrather sparse, with zeroes, ones,
Dialogue: 0,0:37:56.66,0:38:00.18,Default,,0000,0000,0000,,and twos. The accumulated value is going\Nto be our length field,
Dialogue: 0,0:38:00.18,0:38:04.88,Default,,0000,0000,0000,,in this case 6 bytes, and 6 bytes are\Ngoing to be copied from the data to
Dialogue: 0,0:38:04.88,0:38:08.58,Default,,0000,0000,0000,,a local, small, stack buffer.\NLike this.
Dialogue: 0,0:38:09.18,0:38:12.97,Default,,0000,0000,0000,,So if you consider vulnerabilities, at\Nthis point we were like "What The Fax?!"
Dialogue: 0,0:38:13.35,0:38:18.08,Default,,0000,0000,0000,,because that doesn't make sense. We\Ncontrol the entire header. If you put huge
Dialogue: 0,0:38:18.08,0:38:23.50,Default,,0000,0000,0000,,values in our matrix, like so, we have a\N4 kilobyte length field copied into
Dialogue: 0,0:38:23.50,0:38:29.23,Default,,0000,0000,0000,,a stack buffer of 256 bytes, effectively\Nhaving a stack-based buffer overflow in
Dialogue: 0,0:38:29.23,0:38:30.91,Default,,0000,0000,0000,,our printer.
Dialogue: 0,0:38:34.02,0:38:38.02,Default,,0000,0000,0000,,It's a trivial stack buffer overflow, we\Nhave no byte constraints, we can use
Dialogue: 0,0:38:38.04,0:38:43.77,Default,,0000,0000,0000,,whatever we want, null bytes, non-ASCII\Nbytes, whatever we want. And 4 kilobytes of
Dialogue: 0,0:38:43.77,0:38:49.43,Default,,0000,0000,0000,,user-controlled data, that's more than enough\Nto exploit. At this point we had to bypass
Dialogue: 0,0:38:49.62,0:38:53.95,Default,,0000,0000,0000,,several operating system security\Nmitigations… Nah, not exactly.
Dialogue: 0,0:38:53.95,0:38:55.44,Default,,0000,0000,0000,,{\i1}Laughter{\i0}
Dialogue: 0,0:38:55.44,0:39:00.40,Default,,0000,0000,0000,,It's an …, fixed address spaces, no\Ncanaries, it's the eighties, it's really
Dialogue: 0,0:39:00.40,0:39:06.15,Default,,0000,0000,0000,,simple. We've got the CVEs from HP,\N9.10 critical, you should really patch
Dialogue: 0,0:39:06.15,0:39:11.34,Default,,0000,0000,0000,,your printers now. And here you can see\Nthe response we have seen from HP after
Dialogue: 0,0:39:11.34,0:39:14.46,Default,,0000,0000,0000,,we've worked with them to patch these\Nvulnerabilities,
Dialogue: 0,0:39:14.46,0:39:17.39,Default,,0000,0000,0000,,which is a good time for our demo!
Dialogue: 0,0:39:20.50,0:39:24.04,Default,,0000,0000,0000,,Yaniv Balmas: Unfortunately we couldn't\Nreally live-demo, so we just filmed
Dialogue: 0,0:39:24.04,0:39:27.53,Default,,0000,0000,0000,,something for you. So, this is our\Nattacker machine, all you need to do is
Dialogue: 0,0:39:27.53,0:39:31.15,Default,,0000,0000,0000,,run this script, it's connected to a modem\Nthat we bought for like 10 dollars
Dialogue: 0,0:39:31.15,0:39:38.27,Default,,0000,0000,0000,,from Amazon. We're sending our malicious\Nfax to this printer, and… yeah.
Dialogue: 0,0:39:38.27,0:39:42.55,Default,,0000,0000,0000,,Incoming call… from who?
Dialogue: 0,0:39:45.00,0:39:46.00,Default,,0000,0000,0000,,Wait just a second.
Dialogue: 0,0:39:46.78,0:39:49.46,Default,,0000,0000,0000,,Eyal Itkin: Faxes are slow.\NYaniv Balmas: Yeah, they are.
Dialogue: 0,0:39:49.100,0:39:54.59,Default,,0000,0000,0000,,Yaniv Balmas: So, from an evil attacker of\Ncourse, we forged this easily. And now,
Dialogue: 0,0:39:54.59,0:40:00.30,Default,,0000,0000,0000,,the printer is receiving the fax, and\Nprocessing it, and now it's obviously a
Dialogue: 0,0:40:00.30,0:40:04.73,Default,,0000,0000,0000,,colorful fax, and now we have full control\Nover the printer, so it's ours.
Dialogue: 0,0:40:05.80,0:40:09.65,Default,,0000,0000,0000,,But that's not enough! Because we want to\Nshow that we can propagate to another
Dialogue: 0,0:40:09.65,0:40:16.08,Default,,0000,0000,0000,,computer, so our malicious fax contained\NEternalBlue in it, so once any computer is
Dialogue: 0,0:40:16.08,0:40:20.75,Default,,0000,0000,0000,,connected to the network, the fax now will\Nrecognize it, and will try to exploit it,
Dialogue: 0,0:40:20.75,0:40:22.67,Default,,0000,0000,0000,,and here you go!
Dialogue: 0,0:40:22.89,0:40:31.48,Default,,0000,0000,0000,,{\i1}Laughter & Applause{\i0}
Dialogue: 0,0:40:31.74,0:40:36.32,Default,,0000,0000,0000,,So yeah, we made it after all.\NIt was a long way.
Dialogue: 0,0:40:36.48,0:40:40.64,Default,,0000,0000,0000,,Some conclusions we have to tell you:\NFirst, PSTN seems to still be
Dialogue: 0,0:40:40.64,0:40:45.49,Default,,0000,0000,0000,,a valid attack surface in 2018. Fax can\Nbe used as a gateway to internal networks,
Dialogue: 0,0:40:45.49,0:40:49.68,Default,,0000,0000,0000,,and old and outdated protocols… probably\Nnot so good for you, try not to use them
Dialogue: 0,0:40:49.68,0:40:54.26,Default,,0000,0000,0000,,if you can. What can you do to defend\Nyourself against this catastrophe?
Dialogue: 0,0:40:54.41,0:40:57.95,Default,,0000,0000,0000,,A lot of things. First of all, you can\Npatch your printers, as Eyal said,
Dialogue: 0,0:40:57.95,0:41:03.19,Default,,0000,0000,0000,,this link will just tell you if your\Nprinter is vulnerable, by the way, every
Dialogue: 0,0:41:03.19,0:41:08.50,Default,,0000,0000,0000,,HP Inkjet (or HP Officejet) printer is\Nvulnerable to this thing, it's the biggest
Dialogue: 0,0:41:08.50,0:41:11.36,Default,,0000,0000,0000,,line of printers from HP, over – I think –\N200 or …
Dialogue: 0,0:41:11.36,0:41:13.95,Default,,0000,0000,0000,,Eyal Itkin: 300\NYaniv Balmas: … 300 models are vulnerable
Dialogue: 0,0:41:13.95,0:41:19.45,Default,,0000,0000,0000,,to this thing, so really go and update!\NAnother thing I could tell you is:
Dialogue: 0,0:41:19.45,0:41:25.28,Default,,0000,0000,0000,,If you don't need fax, don't use it.\NAlso, if you do need to use fax after all,
Dialogue: 0,0:41:25.28,0:41:29.100,Default,,0000,0000,0000,,try and make sure your printer is\Nsegregated from the rest of the network,
Dialogue: 0,0:41:29.100,0:41:33.58,Default,,0000,0000,0000,,so even if somebody takes over the\Nprinter, he will just be confined to the
Dialogue: 0,0:41:33.58,0:41:38.99,Default,,0000,0000,0000,,printers, and won't be able to take over\Nyour entire network. These are really good
Dialogue: 0,0:41:38.99,0:41:41.56,Default,,0000,0000,0000,,suggestions, all of them, but really,
Dialogue: 0,0:41:41.56,0:41:43.86,Default,,0000,0000,0000,,the best suggestion\NI have to give you today is:
Dialogue: 0,0:41:43.87,0:41:46.37,Default,,0000,0000,0000,,Please!\NStop using fax!
Dialogue: 0,0:41:46.60,0:41:47.92,Default,,0000,0000,0000,,{\i1}Laughter{\i0} Dialogue: 0,0:41:47.92,0:41:52.11,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:41:52.78,0:41:53.92,Default,,0000,0000,0000,,Thank you, thank you! Dialogue: 0,0:41:53.92,0:41:59.57,Default,,0000,0000,0000,,And, just one second before we finish,\Nthis was a long way, a long journey. Dialogue: 0,0:41:59.57,0:42:04.16,Default,,0000,0000,0000,,We had some very good friends that helped\Nus a lot along the way, Dialogue: 0,0:42:04.16,0:42:06.02,Default,,0000,0000,0000,,physically, mentally, technically, Dialogue: 0,0:42:06.02,0:42:10.80,Default,,0000,0000,0000,,so we must mention them.\NThese are the guys here. Some of them are Dialogue: 0,0:42:10.80,0:42:13.84,Default,,0000,0000,0000,,in the crowd, so they deserve come claps. Dialogue: 0,0:42:13.100,0:42:16.25,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:42:16.25,0:42:21.57,Default,,0000,0000,0000,,One special guy that helped us is\NYannay Livneh, he also deserves this, and… Dialogue: 0,0:42:21.57,0:42:25.100,Default,,0000,0000,0000,,… that's it basically, guys!\NSo if you want to follow more of our work, Dialogue: 0,0:42:25.100,0:42:30.39,Default,,0000,0000,0000,,you can find us here. Follow us.\NThank you very much! Dialogue: 0,0:42:30.39,0:42:41.67,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:42:41.67,0:42:45.10,Default,,0000,0000,0000,,Herald Angel: Thank you very much.\NWe have 5 minutes for Q&A. Dialogue: 0,0:42:45.10,0:42:48.08,Default,,0000,0000,0000,,So please line up at the microphones.\NIf you want to leave now, Dialogue: 0,0:42:48.08,0:42:52.71,Default,,0000,0000,0000,,please do it to your right side, so this\Nside. From the stage it's the left side, Dialogue: 0,0:42:52.71,0:42:56.94,Default,,0000,0000,0000,,but for you it's the right side.\NSo please line up at the microphones. 
Dialogue: 0,0:42:56.94,0:43:05.68,Default,,0000,0000,0000,,I think I can see microphone 4 already,\Nso we'll start with microphone 4. Dialogue: 0,0:43:06.78,0:43:12.61,Default,,0000,0000,0000,,Question: First, thank you for this talk.\NIt's scary to see that these can be Dialogue: 0,0:43:12.61,0:43:18.76,Default,,0000,0000,0000,,exploited today. You talked about\Nemail-to-fax or fax-to-email services, Dialogue: 0,0:43:18.76,0:43:26.37,Default,,0000,0000,0000,,and I wondered: Is it possible that there\Nare vulnerabilities in those as well? Dialogue: 0,0:43:26.37,0:43:33.62,Default,,0000,0000,0000,,I know Fritz!Box routers allow\Nfax-to-email, could you attack those, Dialogue: 0,0:43:33.62,0:43:34.56,Default,,0000,0000,0000,,possibly? Dialogue: 0,0:43:35.35,0:43:39.100,Default,,0000,0000,0000,,Yaniv Balmas: So basically, those services\Nuse T.30 as well. We didn't look at them, Dialogue: 0,0:43:39.100,0:43:44.36,Default,,0000,0000,0000,,frankly. We had so much work to do with\Nthe printer, that we didn't look at any Dialogue: 0,0:43:44.36,0:43:50.79,Default,,0000,0000,0000,,other printers, or any other services.\NI can't say for sure, but if you're Dialogue: 0,0:43:50.79,0:43:54.48,Default,,0000,0000,0000,,looking for vulnerabilities, I would\Nrecommend to go look there as well. Dialogue: 0,0:43:56.13,0:43:58.19,Default,,0000,0000,0000,,Herald Angel: Great, microphone number 5\Nplease. Dialogue: 0,0:43:59.40,0:44:04.21,Default,,0000,0000,0000,,Question: What can you disclose about the\Ndata that's hitting your URL? Dialogue: 0,0:44:05.42,0:44:06.25,Default,,0000,0000,0000,,Yaniv Balmas: The…? Uh! Dialogue: 0,0:44:06.47,0:44:10.19,Default,,0000,0000,0000,,Question: What can you disclose about the\Nmachines that are knocking on your URL, Dialogue: 0,0:44:10.19,0:44:12.65,Default,,0000,0000,0000,,the fakeurl1234. Dialogue: 0,0:44:13.06,0:44:15.06,Default,,0000,0000,0000,,Yaniv Balmas: There are a lot of HP printers\Nout there. 
Dialogue: 0,0:44:15.06,0:44:17.24,Default,,0000,0000,0000,,{\i1}Laughter{\i0} Dialogue: 0,0:44:17.46,0:44:23.28,Default,,0000,0000,0000,,That's all I can disclose. Sorry. Dialogue: 0,0:44:25.84,0:44:27.63,Default,,0000,0000,0000,,Herald Angel: We have one question from\Nthe Signal Angel, please. Dialogue: 0,0:44:28.77,0:44:33.30,Default,,0000,0000,0000,,Signal Angel: Did you try to activate JTAG\Nby upgrading to a modified firmware? Dialogue: 0,0:44:33.30,0:44:38.68,Default,,0000,0000,0000,,Eyal Itkin: We tried to use the JTAG, we\Nthink it's disabled from the factory Dialogue: 0,0:44:38.68,0:44:45.01,Default,,0000,0000,0000,,lines, it was too much work. So we decided\Nto use Devil's Ivy, it's a good Dialogue: 0,0:44:45.01,0:44:50.30,Default,,0000,0000,0000,,vulnerability. Once we have Devil's Ivy\Nand we can use Scout, Scout is more than Dialogue: 0,0:44:50.30,0:44:51.41,Default,,0000,0000,0000,,enough for debugging. Dialogue: 0,0:44:52.50,0:44:59.16,Default,,0000,0000,0000,,Essentially, after we used the JPEG\Nvulnerability and we loaded up Scout, Dialogue: 0,0:44:59.16,0:45:03.14,Default,,0000,0000,0000,,Scout survived for weeks on a printer\Nwithout any crash. Dialogue: 0,0:45:03.69,0:45:05.01,Default,,0000,0000,0000,,So that's more than enough. Dialogue: 0,0:45:06.74,0:45:09.64,Default,,0000,0000,0000,,Herald Angel: Great, we'll go with\Nmicrophone number 2 please. Dialogue: 0,0:45:09.64,0:45:13.49,Default,,0000,0000,0000,,Question: Yes, thank you for the nice\Ntalk, and I think you're completely right Dialogue: 0,0:45:13.49,0:45:19.05,Default,,0000,0000,0000,,you can have many problems with legacy\Nprotocols, the only thing I do not really Dialogue: 0,0:45:19.05,0:45:25.53,Default,,0000,0000,0000,,get was the part how you then can\Nautomatically successfully attack your Dialogue: 0,0:45:25.53,0:45:31.58,Default,,0000,0000,0000,,laptop on the network. 
My point would be:\NMy laptop is as secured as I'm going to Dialogue: 0,0:45:31.58,0:45:35.77,Default,,0000,0000,0000,,the internet cafe or something else, so\Nyou would not be able – with your HP Dialogue: 0,0:45:35.77,0:45:40.23,Default,,0000,0000,0000,,printer – to start the calculator on my\NLinux or even on my Windows. Dialogue: 0,0:45:41.50,0:45:46.89,Default,,0000,0000,0000,,Yaniv Balmas: Your laptop might be secure,\NI'm sure it is, but many others are not. Dialogue: 0,0:45:46.89,0:45:52.44,Default,,0000,0000,0000,,We tried to show it using the EternalBlue\Nexploit, as you know, WannaCry, stuff like Dialogue: 0,0:45:52.44,0:45:56.18,Default,,0000,0000,0000,,that. This thing created a lot of…\N– and there were patches out there – Dialogue: 0,0:45:56.18,0:46:01.84,Default,,0000,0000,0000,,…and still it was… So… we're not here to\Nattack anyone. We're just saying that Dialogue: 0,0:46:01.84,0:46:05.19,Default,,0000,0000,0000,,theoretically, if somebody wants to get\Ninto the network and he has a Dialogue: 0,0:46:05.19,0:46:08.89,Default,,0000,0000,0000,,vulnerability that you have may have not\Npatched or secured, fax would be a bad Dialogue: 0,0:46:08.89,0:46:10.13,Default,,0000,0000,0000,,idea to have. Dialogue: 0,0:46:10.83,0:46:14.44,Default,,0000,0000,0000,,Question: But it was nothing which was\Npart of the printer… Dialogue: 0,0:46:14.44,0:46:20.55,Default,,0000,0000,0000,,Herald Angel: Sorry, unfortunately we do\Nnot have more time for Q&A, so thank you Dialogue: 0,0:46:20.55,0:46:22.75,Default,,0000,0000,0000,,again very much. Dialogue: 0,0:46:22.99,0:46:24.19,Default,,0000,0000,0000,,Yaniv Balmas: Thank you! Dialogue: 0,0:46:24.51,0:46:32.69,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:46:32.69,0:46:36.76,Default,,0000,0000,0000,,{\i1}Music{\i0} Dialogue: 0,0:46:36.76,0:46:55.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2019. Join, and help us!