Way back in 1991, InfoWorld reported on an advanced threat hitchhiking inside printers shipped to Iraq. The virus, known as AF/91 and implanted by the U.S. government, reportedly shut down Iraqi radar installations before escaping to spread among Windows computers.
The article, published on April 1, was a spoof. But it spawned an urban myth that has been reported as fact in many circles.
Now the incident has come full circle. Inspired by the story, at least one group of security professionals is using Trojan horse access points cloaked in printers and other office equipment to infiltrate clients who want their defenses tested.
"We have been toying with a variety of different ways of getting hardware onto the network," says Steve Stasiukonis, managing partner of security services firm Secure Network Technologies. "You can put your box inside a printer tray and glue it shut, and who will notice if there are one or two or three power cables coming out?"
In many cases, attackers can dress in the uniform of an IT supplier and drop off a printer for a company to test-drive, Stasiukonis says. Once the device is connected to the network, the penetration testers have a platform behind any perimeter defenses from which to attack.
Turning printers into beachheads to attack networks is not a new idea. For more than three years, researchers have shown that the controllers embedded in printers -- in many cases, small computers that run Windows or Linux -- can be compromised. Since those first reports, however, printer manufacturers have paid more attention to the security of their products.
A variant of the attack, presented by Errata Security at the Defcon hacking convention, uses an attack-tool-laden iPhone mailed to a target company to get inside the firm's network defenses.
Cloaking attack hardware inside printers trades one requirement for another: Rather than compromising the embedded system remotely, attackers must have some physical presence. While both attacks are fairly uncommon, attackers move to strategies that work. For that reason, information security managers should make sure they know what is on their networks, says Stasiukonis.