< Return to Video

35C3 - What The Fax?!

  • 0:00 - 0:19
    35C3 preroll music
  • 0:19 - 0:30
    Herald Angel: So… Yaniv Balmas is a
    software engineer and he started tinkering
  • 0:30 - 0:36
    with Commodore's C64 when he was 8
    years old.
  • 0:36 - 0:39
    He was kind of a teenage hacker of games as well.
  • 0:39 - 0:43
    And now he's in the security field and he
    got interested in the fax machine
  • 0:43 - 0:52
    together with his friend Eyal Itkin, who
    is also a security guy and malware researcher.
  • 0:52 - 0:57
    And together they're going to tell us
    about the fax machines and What The Fax?!
  • 0:57 - 1:01
    Why still using people those machines?
  • 1:01 - 1:04
    And it's gonna be really interesting I think.
  • 1:04 - 1:08
    And the title is also
    "Hacking your network likes it's 1980 again"
  • 1:08 - 1:12
    I'm really excited. Please give a warm
    round of applause to those two guys.
  • 1:12 - 1:16
    applause
  • 1:16 - 1:25
    fax modem sounds
  • 1:31 - 1:36
    Yaniv: Thank you, thank you guys.
    Hi, CCC!
  • 1:36 - 1:39
    You probably know this sound, right?
    And now get to know us:
  • 1:39 - 1:45
    My name is Yaniv Balmas, I'm a security
    researcher. I work at Check Point Research,
  • 1:45 - 1:50
    and with me here today is Eyal Itkin, also a
    security researcher, also works at
  • 1:50 - 1:55
    Check Point Research, and let's begin
    with talking a bit about the history of fax.
  • 1:55 - 1:59
    So I guess that not many of you know
    that fax started,
  • 1:59 - 2:04
    it was first invented in 1846 by a scientist
    called Alexander Bain.
  • 2:04 - 2:09
    Fun fact, this happened 20 years before
    the invention of the light bulb.
  • 2:09 - 2:14
    And then it had some more advances to it,
    this is the actual first thing that looked
  • 2:14 - 2:17
    like a fax machine, a standard fax machine.
  • 2:17 - 2:21
    And again, this thing was invented 20
    years before the invention of the telephone.
  • 2:21 - 2:25
    So humanity was sending faxes before we
    had light or talked over the phone.
  • 2:25 - 2:30
    And then there was some more
    advancements like radio fax,
  • 2:30 - 2:35
    and an another important point in time is
    1966, where a small unknown company
  • 2:35 - 2:40
    called Xerox invented – came out with the
    first commercial fax machine.
  • 2:40 - 2:43
    This is the advertisement for it.
  • 2:43 - 2:50
    And in 1980 a strange organization
    called ITU defined the core standards for fax.
  • 2:50 - 2:56
    Namely it's T.30, T.4, T.6, and those
    standars are still the same standards
  • 2:56 - 3:00
    that we use today – basically, with just
    minor changes to them.
  • 3:00 - 3:05
    So this was all in the past.
    But what's happening today?
  • 3:05 - 3:10
    I mean today we have far better ways
    to send electronic documents
  • 3:10 - 3:12
    from one to the other, right?
  • 3:12 - 3:15
    You know, let's compare fax to just, I dunno,
    off the top of my head
  • 3:15 - 3:22
    just, you know, one method like, let's say, email.
    And just to, you know, remind you.
  • 3:22 - 3:28
    We are comparing this… to this, okay?
    So… let's look at some of the features here.
  • 3:28 - 3:36
    In terms of quality, in terms of accessibility,
    I'm pretty sure that all of you here
  • 3:36 - 3:43
    have 24/7 access to emails. Not so sure
    you're carrying around your fax machines with you.
  • 3:43 - 3:49
    In terms of reliability, well, when you
    send a fax, you don't really know
  • 3:49 - 3:53
    if it got received or not. Yes, there is
    this strange confirmation page,
  • 3:53 - 3:56
    but it doesn't really mean anything.
    I mean, if there's no paper in the
  • 3:56 - 4:02
    receiving fax, you still get it. If the
    dog ate it, you still get it.
  • 4:02 - 4:09
    There's absolutely no reliability in fax.
    Regarding authenticity, well, we can argue
  • 4:09 - 4:13
    about emails, if it's authenticated or
    not, it could be forged, of course.
  • 4:13 - 4:16
    But we do have public key cryptography
    and stuff like that, that will help us
  • 4:16 - 4:22
    when talking about emails, while we don't have…
    we don't have nothing when it comes to fax.
  • 4:22 - 4:26
    Absolutely no authenticity. So, if we're
    looking at this table, one might think to
  • 4:26 - 4:31
    himself: Okay, so… Who the hell still
    uses fax today? It's 2018.
  • 4:31 - 4:37
    I mean, it deserves a place in the museum
    of great technologies and that's it.
  • 4:37 - 4:40
    So, nobody is using fax today, right?
  • 4:40 - 4:42
    Wrong.
  • 4:42 - 4:45
    Everybody are using fax today.
  • 4:45 - 4:52
    You see, fax is used to send these very
    critical maritime maps to ships at open seas
  • 4:52 - 4:58
    90% of the japanese population uses fax –
    according to Wikipedia at least.
  • 4:58 - 5:03
    And if you google any kind of combos like
    "contact us" and "fax" or stuff like that,
  • 5:03 - 5:08
    you will come up with something like
    300 million results. 300 million published
  • 5:08 - 5:13
    fax numbers in Google. And that's not
    counting the unpublished numbers.
  • 5:13 - 5:18
    That's a huge amount of numbers. But it's
    not all about numbers. It's not "how many
  • 5:18 - 5:22
    fax machines are out there?", but it's
    also "Who is using fax?"
  • 5:22 - 5:26
    You see, if you're a small corporation, a
    medium corporation, a huge corporation,
  • 5:26 - 5:30
    you have fax. Not necessarily anybody is
    sending fax to this number, but there is a
  • 5:30 - 5:36
    fax machine sitting there waiting for a
    fax to be received. If you're a bank,
  • 5:36 - 5:41
    you simply love faxes. This is
    Bank of China, the biggest bank in the
  • 5:41 - 5:47
    world, and that's the fax number of it.
    I think most importantly, if you're a
  • 5:47 - 5:50
    government organization… you…
    laughter
  • 5:50 - 5:53
    … simply wake up in the morning and you
    want to have more fax. This is
  • 5:53 - 5:57
    Donald Trump's fax number if anybody wants
    to send him a fax. Go ahead.
  • 5:57 - 6:03
    That's it. It's not a secret, it's from
    Google… We should send him something
  • 6:03 - 6:10
    by the way. And the thing is that, you know, those
    banks and government institutions, they
  • 6:10 - 6:15
    don't only support fax, allow you to send
    fax, the funny thing is that actually most
  • 6:15 - 6:19
    of the time, it's mandatory to send fax,
    there is no other way. You can either
  • 6:19 - 6:22
    postal mail it, or fax it. They didn't
    hear about anything else.
  • 6:22 - 6:26
    So we looked at this, state of affairs,
    strange state of affairs,
  • 6:26 - 6:31
    and said to ourselves: "This looks
    strange". I mean, it can't be true.
  • 6:31 - 6:36
    Humanity came so far and we're still using
    these old technologies, so…
  • 6:36 - 6:39
    What The Fax?!
  • 6:39 - 6:43
    And we decided and try to do something
    about it. And we started very long
  • 6:43 - 6:50
    research to try and find some security
    vulnerabilities in fax. And before we do
  • 6:50 - 6:57
    that, you need to explain how fax looks
    like today. You see, today fax doesn't
  • 6:57 - 7:02
    look like it looked 20 or 30 years ago.
    Then, it was just standalone fax machines.
  • 7:02 - 7:03
    Right?
  • 7:03 - 7:08
    Today, fax is mostly old technology
    embedded within newer technology.
  • 7:08 - 7:16
    So, we have fax to email services or email
    to fax services, we have as I said before,
  • 7:16 - 7:22
    radio fax and fax over satellite and stuff
    like that. I think most commonly, we have
  • 7:22 - 7:29
    this. These machines. All-in-one printers.
    You buy them, they scan, they print.
  • 7:29 - 7:33
    And they fax. It actually comes with a
    phone cable out of the box, so you can
  • 7:33 - 7:37
    connec… I guess most people connect it?
    I also think that is the most common
  • 7:37 - 7:42
    faxing solution today. So we decided to
    take a look at these machines.
  • 7:42 - 7:47
    These fax machines.
    If you look at these boxes
  • 7:47 - 7:52
    from a security point of view you can
    imagine them to be just black boxes.
  • 7:52 - 7:56
    And those black boxes have interfaces.
    In one side of the box we have interfaces
  • 7:56 - 8:02
    like WiFi, bluetooth, ethernet, stuff like
    that, these interfaces connect the printer
  • 8:02 - 8:06
    to the internal network, the external
    network, basically it connects it to the
  • 8:06 - 8:12
    world. And on the other side of this box,
    there's this little interface here that
  • 8:12 - 8:17
    connects this black box to somewhere
    to the 1970s I would say.
  • 8:17 - 8:18
    Laughter
  • 8:18 - 8:20
    So that's pretty funny.
  • 8:20 - 8:27
    And if you remember, at the end of the day
    these printers are basically nothing but
  • 8:27 - 8:31
    computers. They have CPUs, they have
    memories, they have operating systems,
  • 8:31 - 8:35
    they are computers. Not standard ones,
    but they are computers.
  • 8:35 - 8:40
    And we were thinking to ourselves, imagine
    this scenario: There's an attacker sitting
  • 8:40 - 8:45
    somewhere in the world. All he has is
    access to a phone line and his targets fax
  • 8:45 - 8:50
    number. What will happen if this attacker,
    this guy, would be able to send a
  • 8:50 - 8:55
    malicious fax and with this malicious fax
    he would be able to exploit the printer.
  • 8:55 - 9:01
    Then he has complete control over the
    printer, right? If he does that, he could
  • 9:01 - 9:07
    then maybe pivot through any one of those
    other interfaces, let's say the Ethernet
  • 9:07 - 9:12
    and jump from this printer to the rest of
    the network, the internal network.
  • 9:12 - 9:17
    Effectively creating a bridge between the
    external world and the internal network
  • 9:17 - 9:20
    through the phone line.
    That's 1980s again!
  • 9:20 - 9:26
    So we thought this is a really cool attack
    scenario and we decided to accept this
  • 9:26 - 9:32
    challenge and go for it. Try and actually
    show this thing happening in reality.
  • 9:32 - 9:37
    We were really excited about this.
    But then after we slept a bit and drank
  • 9:37 - 9:43
    a bit, sat down and talked about it, we
    kind of found out that there is like a lot
  • 9:43 - 9:48
    of challenges, really hard challenges in
    front of us and we're not really sure how
  • 9:48 - 9:54
    to deal with them. Let me name just a few
    of them. One of the challenges is how do
  • 9:54 - 9:58
    we obtain the firmware. The code that this
    printer runs. It's not like you have it
  • 9:58 - 10:03
    everywhere. And after we get it, how do we
    analyze this firmware?
  • 10:03 - 10:04
    After we analyze it,
  • 10:04 - 10:08
    we need to understand what operating
    system are those printers running.
  • 10:08 - 10:10
    And then we need to understand how to
    debug a printer..
  • 10:10 - 10:12
    I never debugged a printer before..
  • 10:12 - 10:15
    I need to understand how to debug
    a printer. And after we do all that,
  • 10:15 - 10:20
    we need to understand… How does fax even
    work? We only know the beeping sounds like
  • 10:20 - 10:26
    most of us I think. And after we did all
    that, we can start talking about where can
  • 10:26 - 10:29
    we find vulnerabilities inside this
    big, big, big ecosystem.
  • 10:29 - 10:34
    And today, we'll try to take you through
    these challenges, one-by-one and explain
  • 10:34 - 10:38
    how to do it until we'll be able to
    actually do the scenario that we just
  • 10:38 - 10:44
    showed you. So, let's start with the first
    challenge.
  • 10:44 - 10:49
    How do we obtain the firmware
    for the printer?
  • 10:49 - 10:53
    So, meet our nice printer.
    It's an HP inkjet printer,
  • 10:53 - 10:59
    an HP Officejet printer, we chose this
    model, first of all we chose HP because
  • 10:59 - 11:04
    it has like – I think – 40% of the market
    share so it's not that we dislike HP, we
  • 11:04 - 11:08
    really like them, but unfortunately for
    them, they are just the biggest target out
  • 11:08 - 11:12
    there. And this specific model, well we
    had a lot of reasons why we chose this
  • 11:12 - 11:17
    printer. But basically it's the cheapest
    one.
  • 11:17 - 11:19
    Laughter
  • 11:19 - 11:23
    We bought it. We didn't have a lot of
    budget. We bought it and we abused it for
  • 11:23 - 11:31
    a lot of time. And our goal was to break
    fax, but before we do that, we had to
  • 11:31 - 11:37
    break the printer. I mean literally break
    the printer. So yeah, that was the fun
  • 11:37 - 11:42
    part of the project, we broke it. And
    inside the printer we find this thing:
  • 11:42 - 11:47
    The main PCB, the brains behind the
    printer, and it looks like this.
  • 11:47 - 11:49
    Let's map the critical components of it:
  • 11:49 - 11:54
    So we have here: Flash ROM,
    SPANSION some model,
  • 11:54 - 11:59
    and then we have some more memory here,
    this might look like not a lot, because
  • 11:59 - 12:05
    the PCB has two sides to it of course,
    and on the other side of it we have the
  • 12:05 - 12:08
    more interesting components, like USB,
    WiFi, electricity, SRAM,
  • 12:08 - 12:13
    battery – probably for the memory but who
    knows – and now we have two very
  • 12:13 - 12:19
    interesting components here. One of them
    is the main CPU. It's a Marvell CPU, and
  • 12:19 - 12:24
    it's proprietarily manufactured for HP.
    So we can't tell anything about it,
  • 12:24 - 12:28
    there's no available specs, nothing.
    We can just find bits of information
  • 12:28 - 12:35
    here and there. And then we have the fax
    modem. It's located here and it's a
  • 12:35 - 12:43
    CSP1040. What we need to understand now is
    how do these two components operate and
  • 12:43 - 12:47
    what is the relationship between them?
    If we do that, we're one step further.
  • 12:47 - 12:53
    So that's what we tried to do. And as I
    said, the first challenge is to get the
  • 12:53 - 12:57
    firmware of this thing. And when we're
    looking a bit closer into this PCB, we
  • 12:57 - 13:02
    find these 2 very interesting interfaces:
    One of them is a serial debug, the other
  • 13:02 - 13:08
    is JTAG. If you're familiar with them, you
    know that they give you debugging
  • 13:08 - 13:12
    capabilities, or at least memory read,
    memory write, exactly what we need to get
  • 13:12 - 13:15
    the firmware. So we're smiling to
    ourselves saying "Haha, this is going to
  • 13:15 - 13:20
    be really easy". But unfortunately it's
    not. Because the JTAG is, of couse,
  • 13:20 - 13:25
    disabled completely. We can't do anything
    with it. And the serial port, we managed
  • 13:25 - 13:30
    to connect to it. And we get this terminal
    that for almost every instruction we type
  • 13:30 - 13:34
    gives us this error: "I don't understand".
    Well, we don't understand either.
  • 13:34 - 13:36
    laughter
  • 13:36 - 13:40
    But it looks like this terminal is not
    going to get us very far. So we dropped
  • 13:40 - 13:45
    this path and tried and look for other
    ways to get the firmware and obviously one
  • 13:45 - 13:53
    of the most common ways is to try and grab
    the firmware upgrade and after looking a
  • 13:53 - 13:59
    bit in the internet we find this jewel,
    this FTP site by HP that contains
  • 13:59 - 14:03
    every firmware version for
    every HP product
  • 14:03 - 14:05
    ever produced in the history
    of HP and the Internet
  • 14:05 - 14:08
    and a lot of other stuff.
  • 14:08 - 14:13
    And it actually took us about, I think,
    two weeks to find our firmware within
  • 14:13 - 14:13
    Laughter
  • 14:13 - 14:18
    … this mess of firmwares. But once we
    did,
  • 14:18 - 14:21
    we had a firmware upgrade file.
    Applause
  • 14:21 - 14:25
    Yes, thank you! It's still alive so you
    can go there and look for some… there's a
  • 14:25 - 14:29
    lot of interesting stuff in there. And now
    we've got ourselves a file. And this file
  • 14:29 - 14:33
    is the firmware upgrade file. It's not an
    executable file, it's just a binary,
  • 14:33 - 14:36
    and now we kinda need to understand…
  • 14:36 - 14:39
    How do you even upgrade
    a printer firmware?
  • 14:39 - 14:43
    I never did it i before. Anybody did it?
    Anybody upgraded these firmwares? Lately?
  • 14:43 - 14:47
    Ah, good. Good for you. Good for you.
  • 14:47 - 14:52
    Anyway, the answer to this question is
    surprisingly… funny, I would say.
  • 14:52 - 14:54
    You just print it.
  • 14:54 - 14:55
    Laughter
  • 14:55 - 14:59
    That's because, you see, a printer
    receives a firmware upgrade just the same
  • 14:59 - 15:04
    way as it receives a normal print job.
    That's the thing and it's actually pretty
  • 15:04 - 15:10
    nice and it's defined in a HP protocol,
    it's called PCL XL Feature Reference
  • 15:10 - 15:14
    Protocol Class 2.1 Supplement. And if
    you're still sane after reading this like
  • 15:14 - 15:20
    300 pages of insanity you understand that
    this thing defines something called a
  • 15:20 - 15:24
    PJL – print job language. If you ever
    scanned from a printer to the network you
  • 15:24 - 15:30
    see this port I think 9100, something like
    that, open, that you send print jobs to,
  • 15:30 - 15:36
    and it's the same port that you send the
    firmware upgrade to, and that's nice.
  • 15:36 - 15:38
    So when we look at the file, it actually
    confirms this,
  • 15:38 - 15:42
    because it actually begins
    with the words: PJL – Print job language.
  • 15:42 - 15:44
    So that's nice. So now we know it's a
    print job language.
  • 15:44 - 15:48
    But unfortunately this document doesn't
    document anything about the firmware
  • 15:48 - 15:53
    upgrade protocol, or anything,
    because it's HP proprietary.
  • 15:53 - 15:56
    So unfortunately we had
    to do it ourselves
  • 15:56 - 16:02
    and analyze this thing. Now I'm not going
    to take you through the entire process of
  • 16:02 - 16:07
    unwrapping this firmware because frankly
    it's quite boring. But I'll just tell you
  • 16:07 - 16:11
    that it's composed of several layers of
    compression, one of them is called
  • 16:11 - 16:15
    NULL decoder, the other is called TIFF
    decoder, and another one called Delta Raw
  • 16:15 - 16:21
    decoder. And the thing is that these
    things do something like… If the previous
  • 16:21 - 16:26
    line was all blanks, and if this line is
    also all blanks, just write one instead of
  • 16:26 - 16:30
    the line, so that gives you some kind of
    compression, and it makes really a lot of
  • 16:30 - 16:35
    sense when you're talking about print jobs
    because paper has a lot of spaces in it,
  • 16:35 - 16:40
    but when you're talking about binary files
    it makes absolutely no sense to do it this
  • 16:40 - 16:47
    way. But still, it just works this way, so
    after we understand that, we were able to
  • 16:47 - 16:50
    decode everything, decompress everything,
    and we're talking to ourselves and
  • 16:50 - 16:53
    laughing, when you're
    a hammer everything looks like a nail,
  • 16:53 - 16:56
    and when you're a printer,
    everything looks like a print job.
  • 16:56 - 16:58
    Laughter
  • 16:58 - 17:02
    So that was nice. And now, after we did
    that, we have a big file that hopefully
  • 17:02 - 17:05
    now is our firmware.
  • 17:05 - 17:07
    So how do we analyze it?
  • 17:07 - 17:11
    Looking at this thing right at the
    beginning of the file, there's something
  • 17:11 - 17:15
    that really looks like a table. It doesn't
    only really look like a table, it is
  • 17:15 - 17:21
    a table. We define it, it looks like this.
    And what this table defines is a loading
  • 17:21 - 17:26
    address, section name and location in
    binary. So what that means is that our big
  • 17:26 - 17:31
    file is actually split into several
    sections. This table just defines those
  • 17:31 - 17:35
    sections. So now we are able to split this
    big file into several smaller chunks and
  • 17:35 - 17:41
    inspect each chunk. The most important
    chunk, the one that looks most promising
  • 17:41 - 17:47
    looks like it contains our firmware. So we
    took a closer look into that and that's
  • 17:47 - 17:52
    what we saw: It actually looks like our
    firmware. That's because you see: That's
  • 17:52 - 17:55
    one of the strings that we've seen here.
  • 17:55 - 17:57
    Laughter
  • 17:57 - 18:01
    Yeah! We all saw that before, right? It's
    "Error: I don't understand". But it's not
  • 18:01 - 18:05
    completely "Error: I don't understand".
    There's some missing bytes in here.
  • 18:05 - 18:10
    And actually those missing bytes are
    pretty consistent throughout the entire
  • 18:10 - 18:14
    chunk. So although we know that we are
    looking at the code, we can't actually
  • 18:14 - 18:19
    see the code until we have those missing
    bytes filled. We need to understand: Why
  • 18:19 - 18:24
    are they there and what were they replaced
    with? So let's try to analyze this thing
  • 18:24 - 18:29
    together, quickly, now. But first, let's
    try to understand what is this thing.
  • 18:29 - 18:35
    We have a lot of things in mind, every one
    seemed crazy, but I think the least crazy
  • 18:35 - 18:41
    option was that this is yet another form
    of compression. A really bad one, again.
  • 18:41 - 18:44
    Because when we tried to compress this
    thing with zlib, for example, we get like
  • 18:44 - 18:49
    80% better compression than it currently
    is, and we know that the printer has zlib,
  • 18:49 - 18:54
    because we see zlib strings in there, so
    why not use zlib? I don't know.
  • 18:54 - 18:58
    But still, we are left with a challenge.
    So this is one snippet of the code that
  • 18:58 - 19:00
    you just saw,
    so let's try to decompress this.
  • 19:00 - 19:04
    First of all, you need to understand this
    thing is composed of two types of
  • 19:04 - 19:08
    characters, one are ASCII characters,
    stuff that you can read, and some other
  • 19:08 - 19:14
    are stuff that you can't read, non-ASCII
    characters. And those non-ASCII characters
  • 19:14 - 19:18
    are actually those missing bytes that we
    have. So we need to understand what they
  • 19:18 - 19:22
    are, so let's take a closer look at them.
    And if you stare at this thing long enough
  • 19:22 - 19:27
    you'll start seeing some kind of pattern.
    I'll save you the trouble and just show you.
  • 19:27 - 19:34
    It's composed of these one single bytes,
    and then those double bytes in there.
  • 19:34 - 19:38
    And if the distance between the single
    bytes looks suspiciously patterned,
  • 19:38 - 19:42
    8 bytes, 9 bytes, 9 bytes, 8 bytes, over
    and over again, so what does this mean,
  • 19:42 - 19:47
    where is the pattern here? If you look at
    this from a different angle, maybe the
  • 19:47 - 19:52
    pattern will look a bit clearer. You see
    that F7 and F7, they look the same.
  • 19:52 - 19:55
    The FF and FF, they look the same.
    Something here looks really pattern-ish.
  • 19:55 - 20:00
    In order to understand this pattern, you
    need to sharpen your binary view a bit,
  • 20:00 - 20:05
    and if you understand that FF is just
    8 one bits, and if you do that
  • 20:05 - 20:09
    consistently for all of these chunks, you
    will start seeing the pattern.
  • 20:09 - 20:14
    The pattern is that the zero bit always
    falls within this two-byte hole.
  • 20:14 - 20:18
    It's consistent throughout the file. And
    what this means is that the first byte is
  • 20:18 - 20:23
    just a bitmap describing the following
    8 bytes after it. That's what it means.
  • 20:23 - 20:27
    And that's perfect because now we
    understand what is this single bytes, but
  • 20:27 - 20:32
    we still don't understand, what are those
    double bytes? And they were replaced with
  • 20:32 - 20:38
    something, but with what? So if you know
    anything about compression, you know that
  • 20:38 - 20:42
    there's not a lot of options here really.
    It could be either a forward or backward
  • 20:42 - 20:46
    pointer, it could be a dictionary of some
    sort, or it could be a sliding window.
  • 20:46 - 20:50
    Now we can pretty easily confirm that
    it's not a forward/backward pointer just
  • 20:50 - 20:54
    because we tried to follow the references
    in the file, we see nothing that should be
  • 20:54 - 20:59
    there, same goes for dictionary. We can't
    find anything that's consistent enough to
  • 20:59 - 21:03
    be a dictionary. So it leaves us only with
    with the option of a sliding window.
  • 21:03 - 21:08
    Once we're equipped with this information,
    we go to our favorite place, to Google.
  • 21:08 - 21:13
    And try to find some similar
    implementations to this. Luckily for us,
  • 21:13 - 21:19
    in some very dark corner of the internet,
    we find this wiki page. It defines
  • 21:19 - 21:25
    something called a Softdisk Library
    Format. I won't ask if someone knows what
  • 21:25 - 21:32
    Softdisk is, because probably somebody
    knows here, it's CCC after all. But inside
  • 21:32 - 21:36
    this thing it defines some kind of
    compression algorithm that looks very
  • 21:36 - 21:42
    similar to ours. It looks actually really
    really like ours. Actually, it's exactly
  • 21:42 - 21:48
    our compression algorithm. So yeah. That's
    nice. And I think the funny thing here is
  • 21:48 - 21:54
    that this compression algorithm was used
    in the past somewhere, and only there.
  • 21:54 - 21:56
    Can you guess where?
  • 21:56 - 21:59
    Waiting for response from the audience
  • 21:59 - 22:04
    Uh, yeah, somebody who didn't see chuckles
    this presentation before?
  • 22:04 - 22:07
    Yeah! It was used in Commander Keen.
  • 22:07 - 22:09
    Softdisk is the company who produced
    Commander Keen.
  • 22:09 - 22:12
    So the compression algorithm
    from Commander Keen made its way,
  • 22:12 - 22:17
    somehow, into the entire HP line of
    products.
  • 22:17 - 22:19
    Laughter
  • 22:19 - 22:23
    Applause
  • 22:23 - 22:28
    How? I don't know! You can check if there
    was anybody who was fired from Softdisk
  • 22:28 - 22:32
    and hired in HP. Probably that would be my
    guess. But we'll never know.
  • 22:32 - 22:37
    So now we understand exactly what is this
    thing, and how does this compression work.
  • 22:37 - 22:41
    We have the missing data that we need. And
    this data means that those two bytes are
  • 22:41 - 22:45
    actually composed of window location and
    data length. And that's all we need, and
  • 22:45 - 22:48
    let me show you, like really quickly, how
    this compression works. So we have an
  • 22:48 - 22:52
    input text, output text and sliding
    window. We want to compress this string
  • 22:52 - 22:56
    over here, and let's try and do it.
    So first byte is the bitmap, so we leave
  • 22:56 - 23:01
    it empty for now. Then, second byte, we
    start with "A". So we place it both in the
  • 23:01 - 23:05
    output text and in the sliding window.
    Then we go to "B", same thing. "C", same
  • 23:05 - 23:10
    thing. "D", again, and now we get to "A".
    But "A" is already present in the sliding
  • 23:10 - 23:14
    window, so we don't need to write it in
    the output text, we can just do
  • 23:14 - 23:19
    nothing and then go to "B", same thing,
    it's just the following character in the
  • 23:19 - 23:24
    sliding window, and then when we get to
    "E", we just write "00 02". That means
  • 23:24 - 23:29
    "Go to the sliding window at position 0,
    and take the first two bytes". That's what
  • 23:29 - 23:33
    it means. Then we continue to "E", "F",
    "G", after we did that, we input our
  • 23:33 - 23:38
    bitmap here, and now we know the bitmap
    value and that's all there is to it.
  • 23:38 - 23:40
    That's the compression algorithm.
  • 23:40 - 23:43
    It's pretty easy
    looking at it this way, right?
  • 23:43 - 23:49
    Looking at it in reverse is a bit more
    difficult, but yes, now we can do that.
  • 23:49 - 23:53
    And now we completely open everything, and
    yes, we have our firmware, you can read
  • 23:53 - 23:56
    everything. It's actual code. And now we
    need to understand:
  • 23:56 - 24:00
    What does this code mean? And basically,
    first of all, we need to understand what
  • 24:00 - 24:04
    architecture is this, what is the
    operating system and so on and so on.
  • 24:04 - 24:10
    So it took us quite some time to do that.
    But let me give you a brief explanation.
  • 24:10 - 24:14
    First of all, the operating system is
    called ThreadX. It's a real-time operating
  • 24:14 - 24:21
    system. The CPU, the processor, is ARM9
    big-endian, and then it has several
  • 24:21 - 24:25
    components to it, like stuff that's
    related to system, some common libraries,
  • 24:25 - 24:32
    and tasks. Tasks are the equivalent of
    processes in normal operating systems.
  • 24:32 - 24:37
    In the system stuff we have boot loaders
    and some networking functionality and some
  • 24:37 - 24:43
    other stuff, Common Libraries we have a
    lot of common libraries, and tasks, once
  • 24:43 - 24:47
    we're able to isolate them, we can
    understand exactly the tasks, and once
  • 24:47 - 24:53
    we do that, we now know that all we need
    to do is focus on these tasks, because
  • 24:53 - 24:55
    they're the tasks relevant
    to fax protocols,
  • 24:55 - 24:57
    we can leave everything else aside.
  • 24:57 - 25:02
    It will make our work much more easy. We
    want to start doing that. But,
  • 25:02 - 25:08
    just a second before we do that. Looking
    at this, we see something that looks not
  • 25:08 - 25:13
    really… I don't know, it doesn't make
    sense a lot. This thing is Spidermonkey.
  • 25:14 - 25:19
    Every HP printer contains a Spidermonkey
    library. I don't know if you know what
  • 25:19 - 25:23
    Spidermonkey is, but basically it's the
    JavaScript implementation by Mozilla.
  • 25:23 - 25:26
    It's used in Firefox for example. And we
    were thinking to ourselves:
  • 25:26 - 25:30
    Why does a printer need to render
    JavaScript? It makes no sense.
  • 25:30 - 25:35
    I mean yeah, it has a web server, but it's
    not a web client. We couldn't think of
  • 25:35 - 25:38
    any situation in which a printer needs to
    render JavaScript.
  • 25:38 - 25:43
    It looked really strange to us. So we
    decided to try and see where this printer
  • 25:43 - 25:49
    is actually using JavaScript, so we went
    back a bit and checked and we found that
  • 25:49 - 25:54
    JavaScript is used in a feature called
    PAC – Proxy Auto Configuration.
  • 25:54 - 26:05
    It's pretty common, it's a good protocol.
    It defines proxies when you're doing DHCP
  • 26:05 - 26:10
    or something like that. The thing is that
    the top layer functionality of this entire
  • 26:10 - 26:15
    PAC functionality was written by HP.
    And when we were looking at that, we see
  • 26:15 - 26:20
    all this functionality, and we see this
    strange thing here. The printer once it
  • 26:20 - 26:24
    does this PAC functionality, it tries to
    connect to this domain:
  • 26:24 - 26:27
    fakeurl1234.com. Just connect to it and
    do nothing with it.
  • 26:27 - 26:31
    Some sort of sanity test I guess? I don't
    really know why.
  • 26:31 - 26:39
    But the interesting thing here is: Do you
    know who owns the domain fakeurl1234.com?
  • 26:39 - 26:42
    Laughter mixed with murmur
  • 26:42 - 26:43
    No, it's not HP.
  • 26:43 - 26:45
    Murmur & responses from the audience
  • 26:45 - 26:48
    Ehh, Check Point is kinda… eh…, yeah.
  • 26:49 - 26:50
    I own it.
  • 26:50 - 26:52
    Laughter
  • 26:52 - 26:53
    Applause
  • 26:53 - 26:58
    It just wasn't registered.
    So, we registered it for 5 Dollars.
  • 26:58 - 27:02
    And now every HP printer is connecting to
    my domain. Chuckling
  • 27:02 - 27:06
    Laughter
  • 27:06 - 27:10
    Applause
  • 27:10 - 27:13
    So, if anybody wants to buy the domain, I
    have a very good price for you:
  • 27:13 - 27:15
    More than 5 dollars.
  • 27:15 - 27:19
    And now I'll hand it over
    to Eyal to continue.
  • 27:19 - 27:23
    Eyal Itkin: Okay, thank you Yaniv.
    After we've finished messing around with
  • 27:23 - 27:27
    Spidermonkey, it's time to focus back on
    fax, so T.30.
  • 27:27 - 27:32
    T.30 – in its full name it's
    ITU-T recommendation T.30 – is a standard
  • 27:32 - 27:38
    that defines the fax protocol. Actually
    it's a very very long PDF, more than
  • 27:38 - 27:42
    300 pages. It defines all the phases and
    messages we need in order to send and
  • 27:42 - 27:48
    receive a fax document. It was first
    defined very long ago, 1985, and was last
  • 27:48 - 27:53
    updated more than a decade ago. So from
    our perspective that's a very good idea,
  • 27:53 - 28:00
    because we want to find vulnerabilities in
    an old and complicated protocol.
  • 28:00 - 28:04
    We're most probably going to find some.
    After we read through the standard we
  • 28:04 - 28:12
    started to dynamically look at it, opened
    it in IDA and look up on the T.30 task.
  • 28:12 - 28:18
    And you can see that the state machine is
    quite huge as you can see here in IDA, and
  • 28:18 - 28:23
    actually that's a small state machine.
    Because most of the code blocks you can
  • 28:23 - 28:27
    see over here contain additional state
    machines inside them. Meaning that this is
  • 28:27 - 28:32
    going to be a very very huge and
    complicated state machine to reverse.
  • 28:32 - 28:37
    And if that wasn't enough it turns out
    that HP really likes to use
  • 28:37 - 28:40
    function pointers and global variables in
    their code. Meaning that statically
  • 28:40 - 28:47
    reverse-engineering this huge task is
    going to be very complicated. Although I
  • 28:47 - 28:52
    personally prefer to statically
    reverse-engineer, this time we had to
  • 28:52 - 28:57
    choose a different tactic, we'll need to
    dynamically reverse-engineer this thing
  • 28:57 - 29:00
    and for this we'll need to have a
    debugger.
  • 29:00 - 29:06
    As Yaniv mentioned earlier, nobody knows
    how can we debug a printer.
  • 29:06 - 29:12
    We already tried built-in JTAG and
    serial port and that failed.
  • 29:12 - 29:16
    We then searched for a builtin GDB stub we
    could use,
  • 29:16 - 29:19
    but I couldn't find any such stub.
  • 29:19 - 29:24
    At this point it's very important to
    remember that even if we could control the
  • 29:24 - 29:29
    execution flow, no-one can put a debugger
    without controlling the execution flow,
  • 29:29 - 29:35
    and we can't do anything, it's a black
    box, I can send papers and that's it.
  • 29:35 - 29:41
    And even if I could control the execution
    flow and load my debugger, the printer
  • 29:41 - 29:46
    uses a hardware watchdog. And this is an
    external hardware mechanism that monitors
  • 29:46 - 29:52
    the main CPU and whenever the main CPU
    enters an endless loop or it halts,
  • 29:52 - 29:59
    the watchdog reboots the entire printer.
    This means that since essentially a
  • 29:59 - 30:03
    breakpoint halts the program,
  • 30:03 - 30:06
    whenever we hit a breakpoint,
    the watchdog will kill us.
  • 30:06 - 30:11
    So we need to find a way around this
    thing, the easiest way we could find out
  • 30:11 - 30:17
    was to split this enormous task into
    chunks, if we could find any code
  • 30:17 - 30:22
    execution vulnerability, we could try to
    execute code over the printer and load our
  • 30:22 - 30:27
    own debugger. And at this stage we had
    luck, and we believe that luck is an
  • 30:27 - 30:35
    important part in every research project.
    On the 19th of July, SENRIO published a
  • 30:35 - 30:38
    vulnerability called "Devil's Ivy".
  • 30:38 - 30:43
    Devil's Ivy is a remote code execution in
    gSOAP and many embedded devices (and our
  • 30:43 - 30:47
    printer included) tend to implement a web
    server for management and configuration,
  • 30:47 - 30:53
    and in our case this web server uses
    gSOAP, and it even uses a vulnerable
  • 30:53 - 30:58
    version of gSOAP, so we now have our
    vulnerability, and we'll need to exploit
  • 30:58 - 31:03
    it. For those of you not familiar with
    Devil's Ivy, here is the code.
  • 31:04 - 31:05
    And here is the vulnerability itself.
  • 31:06 - 31:11
    Devil's Ivy is a signed integer underflow
    vulnerability,
  • 31:11 - 31:13
    meaning that we'll need to send
  • 31:13 - 31:19
    enough data for the variable to go from
    negative back to positive. And that means
  • 31:19 - 31:23
    we need to send roughly 2 Gigabytes of
    data to the printer.
  • 31:23 - 31:27
    So HP really prides itself on the printing
    speed of the printer,
  • 31:27 - 31:29
    but not on the network speed.
  • 31:30 - 31:35
    After many optimization rounds we managed
    to reduce the exploit time to roughly
  • 31:35 - 31:43
    7 minutes. So you start the exploit, you
    wait, and after 7 minutes you have
  • 31:43 - 31:51
    your exploit. And here our good luck
    ended, because we had a side effect in our
  • 31:51 - 31:57
    exploit, and after two to ten minutes the
    printer will crash. And this means we will
  • 31:57 - 32:03
    need to wait an additional 7 minutes,
    we'll have 2 minutes to debug it,
  • 32:03 - 32:09
    and then it will crash again. So we
    waited a lot of 7 minutes in our research.
  • 32:09 - 32:11
    Laughter
  • 32:11 - 32:16
    If you recall, we wanted a debugger so we
    could dynamically reverse-engineer the
  • 32:16 - 32:20
    firmware. We wanted read memory and write
    memory, and now we have a debugging
  • 32:20 - 32:25
    vulnerability, so we can load a debugger,
    we need to execute this debugger, so
  • 32:25 - 32:29
    we'll need executing permissions
    to load it.
  • 32:29 - 32:31
    The most important thing is that we need
  • 32:31 - 32:35
    to execute our debugger without crashing
    the firmware. Because we want the debugger
  • 32:35 - 32:41
    to run and the firmware to debug and we
    want them to blend inside the
  • 32:41 - 32:45
    virtual address space of the printer,
    living happily together.
  • 32:45 - 32:52
    We couldn't find any debugger that achieve
    this goal, so I did what my mother usually
  • 32:52 - 32:57
    tells me not to do, we actually wrote our
    own debugger.
  • 32:58 - 33:02
    So this is Scout. Scout is an instruction
    based debugger that supports Intel CPUs
  • 33:02 - 33:07
    and ARM CPUs, because we have an ARM
    printer. As a prototype we had a Linux
  • 33:07 - 33:11
    kernel driver, and this time we're going
    to use it its embedded mode.
  • 33:12 - 33:16
    In embedded mode we compile it to be fully
    positioned in the unintelligible,
  • 33:16 - 33:20
    because we essentially throw it somewhere
    inside the firmware and expect it to
  • 33:20 - 33:25
    execute. We pre-equip it with useful
    addresses like:
  • 33:25 - 33:29
    memcpy, socket, bind, listen, we
    find using IDA.
  • 33:29 - 33:33
    And whenever it tries to
    call these functions it goes to its
  • 33:33 - 33:36
    own GAT, finds the address and
  • 33:36 - 33:38
    jumps to it.
  • 33:38 - 33:45
    After we compile it, we use it in our
    exploit, we jump into this blob, and it
  • 33:45 - 33:49
    starts up a TCP server, we can now connect
    to to send instructions to
  • 33:49 - 33:53
    read memory, to write memory,
    and whatever we want.
  • 33:54 - 33:59
    You can find Scout in our GitHub, with the
    examples for Linux kernel driver and
  • 33:59 - 34:03
    embedded mode. And we're actually using it
    for some CVEs now,
  • 34:03 - 34:07
    so it's highly recommended.
  • 34:07 - 34:09
    Now that we reach this point in our talk,
  • 34:09 - 34:15
    we haven't yet described to you how a fax
    actually works, so with Scout we
  • 34:15 - 34:18
    dynamically reverse-engineered the
    firmware, and now we can actually
  • 34:18 - 34:25
    describe to you how a fax actually works.
    In order to send a fax, we need a sending
  • 34:25 - 34:30
    machine, we need to send it to some modem,
    the packets from the modem will be
  • 34:30 - 34:35
    processed in the CPU, and afterwards, the
    data is going to be processed and probably
  • 34:35 - 34:42
    printed. Let's see how it starts. We start
    with network interaction,
  • 34:42 - 34:48
    probing and ranging, equalizer and echo
    cancelling, more training,
  • 34:48 - 34:52
    and you actually need to be quite familiar
    with these steps,
  • 34:52 - 34:53
    because they sound like this:
  • 34:53 - 34:55
    repetitive fax modem sounds
  • 34:56 - 35:01
    With these beeps, we actually created an
    HDLC tunnel. Through this tunnel, we're
  • 35:01 - 35:08
    going to send our T.30 messages, to
    the CPU. In T.30 you have phase A,
  • 35:08 - 35:13
    in which we send the caller ID, which is
    a string. In phase B you negotiate the
  • 35:13 - 35:17
    capabilities, so I send my capabilities
    and receive the printer's capabilities.
  • 35:18 - 35:22
    Phase C is the important step because here
    we actually send our fax data,
  • 35:22 - 35:27
    line after line, and page after page.
    And in phase D, we finish. I send an ACK,
  • 35:27 - 35:32
    I receive an ACK, and that's it.
    Let us now see how a normal black/white
  • 35:32 - 35:36
    fax document is going to be sent through
    the protocol. So we have our document,
  • 35:36 - 35:41
    it's going to be sent over the HDLC tunnel
    using T.30 messages, over phase C, and the
  • 35:41 - 35:47
    receive document is actually the body of a
    TIFF file compressed in G.3 or G.4
  • 35:47 - 35:52
    compressions. From our perspective, that's
    partial good news, because there are
  • 35:52 - 35:57
    many vulnerabilities when parsing TIFF
    headers, and we only control the data
  • 35:57 - 36:01
    of the file. The headers themselves are
    going to be constructed by the printer
  • 36:01 - 36:04
    itself, using messages from phase A
    and phase D.
  • 36:04 - 36:11
    So, we partially control a TIFF file and
    after it's done and ready, the file
  • 36:11 - 36:17
    is going to be printed. Like every good
    protocol – and here it becomes very
  • 36:17 - 36:23
    interesting – T.30 many extensions.
    Can you guess what interesting extensions
  • 36:23 - 36:24
    there are in the protocol?
  • 36:28 - 36:32
    There's a security extension, but no-one
    uses it, the other extension…
  • 36:32 - 36:34
    is..
  • 36:34 - 36:35
    Color Extension!
  • 36:35 - 36:37
    Actually you can send colorful faxes and
  • 36:37 - 36:40
    they really use it in hospitals
    for some reason
  • 36:42 - 36:44
    Let's see how colorful fax works.
  • 36:44 - 36:47
    We send a document through
    the HDLC tunnel,
  • 36:47 - 36:54
    over phase C, and the received document is
    actually a JPEG file. This time we control
  • 36:54 - 36:59
    the header and the data of the file, and
    we can do whatever we want to it,
  • 36:59 - 37:00
    and send it for printing.
  • 37:00 - 37:03
    Now that we know how a fax
    actually works,
  • 37:03 - 37:05
    where should we look for
    vulnerabilities in it?
  • 37:05 - 37:10
    Well, we have complicated state machines,
    withstand strings, there are
  • 37:10 - 37:14
    several file layers, but the most
    convenient layer is the applicative one,
  • 37:14 - 37:17
    and most importantly, JPEG, because we
    control the entire file.
  • 37:18 - 37:23
    If we look at a JPEG file, it mainly
    consists of markers, we have a
  • 37:23 - 37:26
    start marker, application marker with
    length and data, more markers with length
  • 37:26 - 37:29
    and data, and so and and so on.
  • 37:29 - 37:36
    If we zoom in on one such marker, we can
    see that in this marker we have a
  • 37:36 - 37:41
    compression table, a 4x4 compression
    matrix for the exact document we send, we
  • 37:41 - 37:46
    have a header, length field, 4x4 matrix,
    and the data itself.
  • 37:46 - 37:53
    If you zoom in a bit deeper, we can see
    that here we get a matrix, we sum up all
  • 37:53 - 37:57
    of the values. This matrix should be
    rather sparse, with zeroes, ones,
  • 37:57 - 38:00
    and twos. The accumulated value is going
    to be our length field,
  • 38:00 - 38:05
    in this case 6 bytes, and 6 bytes are
    going to be copied from the data to
  • 38:05 - 38:09
    a local, small, stack buffer.
    Like this.
  • 38:09 - 38:13
    So if you consider vulnerabilities, at
    this point we were like "What The Fax?!"
  • 38:13 - 38:18
    because that doesn't make sense. We
    control the entire header. If you put huge
  • 38:18 - 38:24
    values in our matrix, like so, we have a
    4 kilobyte length field copied into
  • 38:24 - 38:29
    a stack buffer of 256 bytes, effectively
    having a stack-based buffer overflow in
  • 38:29 - 38:31
    our printer.
  • 38:34 - 38:38
    It's a trivial stack buffer overflow, we
    have no byte constraints, we can use
  • 38:38 - 38:44
    whatever we want, null bytes, non-ASCII
    bytes, whatever we want. And 4 kilobytes
  • 38:44 - 38:49
    user-controlled data, that's more than enough
    to exploit. At this point we had to bypass
  • 38:50 - 38:54
    several operating system security
    mitigations… Nah, not exactly.
  • 38:54 - 38:55
    Laughter
  • 38:55 - 39:00
    It's an …, fixed address spaces, no
    canaries, it's the eighties, it's really
  • 39:00 - 39:06
    simple. We've got the CVEs from HP,
    9.10 critical, you should really patch
  • 39:06 - 39:11
    your printers now. And here you can see
    the response we have seen from HP after
  • 39:11 - 39:14
    we've worked with them to patch these
    vulnerabilities,
  • 39:14 - 39:17
    which is a good time for our demo!
  • 39:21 - 39:24
    Yaniv Balmas: Unfortunately we couldn't
    really live-demo, so we just filmed
  • 39:24 - 39:28
    something for you. So, this is our
    attacker machine, all you need to do is
  • 39:28 - 39:31
    run this script, it's connected to a modem
    that we bought for like 10 dollars
  • 39:31 - 39:38
    from Amazon. We're sending our malicious
    fax to this printer, and… yeah.
  • 39:38 - 39:43
    Incoming call… from who?
  • 39:45 - 39:46
    Wait just a second.
  • 39:47 - 39:49
    Eyal Itkin: Faxes are slow.
    Yaniv Balmas: Yeah, they are.
  • 39:50 - 39:55
    Yaniv Balmas: So, from an evil attacker of
    course, we forged this easily. And now,
  • 39:55 - 40:00
    the printer is receiving the fax, and
    processing it, and now it's obviously a
  • 40:00 - 40:05
    colorful fax, and now we have full control
    over the printer, so it's ours.
  • 40:06 - 40:10
    But that's not enough! Because we want to
    show that we can propagate to another
  • 40:10 - 40:16
    computer, so our malicious fax, contained
    EternalBlue in it, so once any computer is
  • 40:16 - 40:21
    connected to the network, the fax now will
    recognize it, and will try to exploit it,
  • 40:21 - 40:23
    and here you go!
  • 40:23 - 40:31
    Laughter & Applause
  • 40:32 - 40:36
    So yeah, we made it after all.
    It was a long way.
  • 40:36 - 40:41
    Some conclusions we have to tell you:
    First, PSTN seems to still be
  • 40:41 - 40:45
    a valid attack surface in 2018. Fax can
    be used as a gateway to internal networks,
  • 40:45 - 40:50
    and old and outdated protocols… probably
    not so good for you, try not to use them
  • 40:50 - 40:54
    if you can. What can you do to defend
    yourself against this catastrophy?
  • 40:54 - 40:58
    A lot of things. First of all, you can
    patch your printers, as Eyal said,
  • 40:58 - 41:03
    this link will just tell you if your
    printer is vulnerable, by the way, every
  • 41:03 - 41:08
    HP Inkjet (or HP Officejet) printer is
    vulnerable to this thing, it's the biggest
  • 41:08 - 41:11
    line of printers from HP, over – I think –
    200 or …
  • 41:11 - 41:14
    Eyal Itkin: 300
    Yaniv Balmas: … 300 models are vulnerable
  • 41:14 - 41:19
    to this thing, so really go and update!
    Another thing I could tell you is:
  • 41:19 - 41:25
    If you don't need fax, don't use it.
    Also, if you do need to use fax after all,
  • 41:25 - 41:30
    try and make sure your printer is
    segregated from the rest of the network,
  • 41:30 - 41:34
    so even if somebody takes over the
    printer, he will just be confined to the
  • 41:34 - 41:39
    printers, and won't be able to take over
    your entire network. These are really good
  • 41:39 - 41:42
    suggestions, all of them, but really,
  • 41:42 - 41:44
    the best suggestion
    I have to give you today is:
  • 41:44 - 41:46
    Please!
    Stop using fax!
  • 41:47 - 41:48
    Laughter
  • 41:48 - 41:52
    Applause
  • 41:53 - 41:54
    Thank you, thank you!
  • 41:54 - 42:00
    And, just one second before we finish,
    this was a long way, a long journey.
  • 42:00 - 42:04
    We had some very good friends that helped
    us a lot along the way,
  • 42:04 - 42:06
    physically, mentally, technically,
  • 42:06 - 42:11
    so we must mention them.
    These are the guys here. Some of them are
  • 42:11 - 42:14
    in the crowd, so they deserve come claps.
  • 42:14 - 42:16
    applause
  • 42:16 - 42:22
    One special guy that helped us is
    Yannay Livneh, he also deserves this, and…
  • 42:22 - 42:26
    … that's it basically, guys!
    So if you want to follow more of our work,
  • 42:26 - 42:30
    you can find us here. Follow us.
    Thank you very much!
  • 42:30 - 42:42
    Applause
  • 42:42 - 42:45
    Herald Angel: Thank you very much.
    We have 5 minutes for Q&A.
  • 42:45 - 42:48
    So please line up at the microphones.
    If you want to leave now,
  • 42:48 - 42:53
    please do it to your right side, so this
    side. From the stage it's the left side,
  • 42:53 - 42:57
    but for you it's the right side.
    So please line up at the microphones.
  • 42:57 - 43:06
    I think I can see microphone 4 already,
    so we'll start with microphone 4.
  • 43:07 - 43:13
    Question: First, thank you for this talk.
    It's scary to see that these can be
  • 43:13 - 43:19
    exploited today. You talked about
    email-to-fax or fax-to-email services,
  • 43:19 - 43:26
    and I wondered: Is it possible that there
    are vulnerabilities in those as well?
  • 43:26 - 43:34
    I know Fritz!Box routers allow
    fax-to-email, could you attack those,
  • 43:34 - 43:35
    possibly?
  • 43:35 - 43:40
    Yaniv Balmas: So basically, those services
    use T.30 as well. We didn't look at them,
  • 43:40 - 43:44
    frankly. We had so much work to do with
    the printer, that we didn't look at any
  • 43:44 - 43:51
    other printers, or any other services.
    I can't say for sure, but if you're
  • 43:51 - 43:54
    looking for vulnerabilities, I would
    recommend to go look there as well.
  • 43:56 - 43:58
    Herald Angel: Great, microphone number 5
    please.
  • 43:59 - 44:04
    Question: What can you disclose about the
    data that's hitting your URL?
  • 44:05 - 44:06
    Yaniv Balmas: The…? Uh!
  • 44:06 - 44:10
    Question: What can you disclose about the
    machines that are knocking on your URL,
  • 44:10 - 44:13
    the fakeurl1234.
  • 44:13 - 44:15
    Yaniv Balmas: There are a lot of HP printers
    out there.
  • 44:15 - 44:17
    Laughter
  • 44:17 - 44:23
    That's all I can disclose. Sorry.
  • 44:26 - 44:28
    Herald Angel: We have one question from
    the Signal Angel, please.
  • 44:29 - 44:33
    Signal Angel: Did you try to activate JTAG
    by upgrading to a modified firmware?
  • 44:33 - 44:39
    Eyal Itkin: We tried to use the JTAG, we
    think it's disabled from the factory
  • 44:39 - 44:45
    lines, it was too much work. So we decided
    to use Devil's Ivy, it's a good
  • 44:45 - 44:50
    vulnerability. Once we have Devil's Ivy
    and we can use Scout, Scout is more than
  • 44:50 - 44:51
    enough for debugging.
  • 44:53 - 44:59
    Essentially, after we used the JPEG
    vulnerability and we loaded up Scout,
  • 44:59 - 45:03
    Scout survived for weeks on a printer
    without any crash.
  • 45:04 - 45:05
    So that's more than enough.
  • 45:07 - 45:10
    Herald Angel: Great, we'll go with
    microphone number 2 please.
  • 45:10 - 45:13
    Question: Yes, thank you for the nice
    talk, and I think you're completely right
  • 45:13 - 45:19
    you can have many problems with legacy
    protocols, the only thing I do not really
  • 45:19 - 45:26
    get was the part how you then can
    automatically successfully attack your
  • 45:26 - 45:32
    laptop on the network. My point would be:
    My laptop is as secured as I'm going to
  • 45:32 - 45:36
    the internet cafe or something else, so
    you would not be able – with your HP
  • 45:36 - 45:40
    printer – to start the calculator on my
    Linux or even on my Windows.
  • 45:42 - 45:47
    Yaniv Balmas: Your laptop might be secure,
    I'm sure it is, but many others are not.
  • 45:47 - 45:52
    We tried to show it using the EternalBlue
    exploit, as you know, WannaCry, stuff like
  • 45:52 - 45:56
    that. This thing created a lot of…
    – and there were patches out there –
  • 45:56 - 46:02
    …and still it was… So… we're not here to
    attack anyone. We're just saying that
  • 46:02 - 46:05
    theoretically, if somebody wants to get
    into the network and he has a
  • 46:05 - 46:09
    vulnerability that you have may have not
    patched or secured, fax would be a bad
  • 46:09 - 46:10
    idea to have.
  • 46:11 - 46:14
    Question: But it was nothing which was
    part of the printer…
  • 46:14 - 46:21
    Herald Angel: Sorry, unfortunately we do
    not have more time for Q&A, so thank you
  • 46:21 - 46:23
    again very much.
  • 46:23 - 46:24
    Yaniv Balmas: Thank you!
  • 46:25 - 46:33
    Applause
  • 46:33 - 46:37
    Music
  • 46:37 - 46:55
    subtitles created by c3subtitles.de
    in the year 2019. Join, and help us!
Title:
35C3 - What The Fax?!
Description:

more » « less
Video Language:
English
Duration:
46:55

English subtitles

Revisions