Office scanners are now susceptible to attack, according to researchers. The ubiquitous office equipment’s light-sensitivity can allow passing vehicles, or laser-carrying drones to trigger malware in a network, says a research team from two Israeli universities.
The computer experts say they have been able to successfully create a test “covert channel” between a server and flatbed scanner. The proof-of-concept hack, in some experimental cases, was performed almost a kilometer away from the scanner. They used a kind of infiltrating illumination to fool the device.
Numerous light sources could be used, they say. Hijacked smart bulbs and lasers were both used for the data-grab in experiments, the Ben-Gurion University of the Negev, and Weizmann Institute of Science researchers say in their paper (PDF).
The attack vectors can range in simplicity from just surreptitiously connecting a laser to a stand near the scanner, to outfitting a remote or autonomous flying drone with lasers. One method that could be adopted too, would be to commandeer an existing, office-installed smart bulb—the kind one controls with a smartphone—from a passing car.
“In our experiments we were able to infiltrate data using different types of light sources,” the paper explains.
Scanners function through the shining of bright light onto a document. The office machine then reads the reflected light, analyzing the color and intensity of that light, thus producing the digital image. This Israel-discovered hack spoofs the light reflected, thus introducing spurious instructions that can trigger dormant malware.
Many scanners and their combined printer counterparts are networked straight into an enterprise’s system—hence the problematic hole, despite air-gapping. The scanner “serves as a gateway to the organization.”
Malware needs to be already installed on the network, the scientists say. That can be achieved through phishing.
The malware compromises the scanner and allows the scanner to receive the light-modulated commands at certain pre-defined times: Every day at 11 o’clock, is one example the researchers use. The attacker, however, remotely controls the light source creating the commands. That allows the actual attack to be run on the fly at a pre-determined day of the perpetrator’s choosing—destroying files just before a moving-target important event, like a presentation, say.
Control of the light source could be through a micro-controller, connected to the light source, and running an algorithm creating sequences of bright shades of light that fool the scanner.
The attacker does have his work cut-out for him, though. The attack will fail if the flatbed scanner lid is fully closed, and the algorithm isn’t all that easy to figure—light is influenced by distance, and other light sources, for example. The further the distance the harder the attack is.
Infrared light can be used too, though, the researchers say. That light isn’t visible to the naked eye giving the bad guy plenty of time to adjust his settings and try the attack over a period of time.
Closing the lid, or providing a computer proxy via USB cable, rather than networking the scanner, are solutions, the team says.
http://www.networkworld.com
