Hacking an optical scanner

Yet another frightening hack!

When I was a young programmer booting up Unix and getting the Internet going, I was taught to assume that any I/O channel can be a channel into the system. This paranoid attitude served me well, not so much as a protection against hackers, but more as a protection against hubris.

As capitalists blithely deploy sensor-laden “IoT” devices everywhere, this is a good rule to remember. It seems like every week there is yet another astonishing hack published (e.g. audio, accelerometer). And that’s not counting the back doors courtesy of advertising, “customer service” or police, nor the unpublished darkware  out there.

This week there is another entry for the “yoiks!” file. Ben Nassi, Adi Shamir, and Yuval Elovic report methods to break into a network via an optical document scanner! [1] As their title says, “Oops!…I think I scanned a malware”.

The basic idea is that the optical scanner is, of course, sensitive to light, and therefore can be targeted by light sources near by. This can be used as a covert channel to control and send data to with malware on the network, even if the network is not connected to any external network. Air gap, schmair gap!

Basically, flashing lights in the room while a document is being scanned can insert data into the output. The example show cases where the flashes yield something that looks like a bar code-streaks of different width and spacing on the scan of the document. The malware picks up the scanned image, and decodes these covert messages.

The attack can be delivered by any light source that can be controlled this way, including through a window, from a covertly located laser pointer, via a small drone, or even via programmable LED room lights. One of there demos shows how they were able to control the smart room lights with a mobile phone in the parking lot!

Naturally, there are counter measures. Leaving the scanner covered almost certainly defeats this attack. They note that personnel might be suborned to leave the cover open at certain times.

This attack is made possibly by the uncontrolled network and wireless connections on the scanner, which allows devices on the network to directly scan data. Disconnecting the scanner from the network (i.e., requiring manual data transfers) would defeat the attack, though this is undesirable for many multipurpose devices which are a printer, fax, and scanner. The authors conclude that the attack could be best defeated by fairly simple proxy software that scans the data files (and might also authenticate and log accesses to the scanner).

Very cool.

By the way, the paper notes several other jaw dropping covert channels. Audio, of course. Blinking LEDs, naturally. But I hadn’t really thought about thermal transmission between cores or collocated systems. Or the EM leaking from displays or other devices can be used to transmit to nearby radio receivers (e.g., a mobile phone). Phew! It never ends!

  1. Ben Nassi, Adi Shamir, and Yuval Elovici, Oops!…I think I scanned a malware. arXive, 2017. https://arxiv.org/abs/1703.07751

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s