Duration: 1 Feb 15 to 31 Jul 16
PI: Prof Yuval Elovici
Project manager: Priscilla Pang
Researchers: Jinghui Toh, Hatib Muhammad
Funding agency: Ministry of Defence

How Attackers Can Use a Drone Carrying a Smartphone to Gain Access to Unsecured Wireless Printers

In most cyber-attack scenarios nowadays it is difficult and risky to require physical proximity between an attacker and a target. Consequently, cyber-attacks usually rely on some direct connectivity to the target network in order to launch and interact with their attack. The recent advent of cheap personal drones, however, enables an attacker to access wireless networks unobtrusively via a somewhat less expected attack vector.

A group of researchers – Jinghui Toh and Hatib Muhammad, led by Professor Yuval Elovici – from iTrust, a Center for Research in Cyber Security at the Singapore University of Technology and Design, has demonstrated the feasibility of launching a cyber-attack using just a drone and an application running on an Android smartphone. They zoomed in, literally, on an overlooked weak link that is ubiquitous in every office – the wireless printer. They exploited the defenders’ typical assumption that attackers need to be in relative close physical proximity (within the local network) to access the printer, and since the office space was physically confined, there was no need to secure/encrypt the printer’s wireless access that is unsecured by default.

 

Flying a drone equipped with an Android smartphone and special app the team has developed, enabled remote scanning and access to unencrypted wireless office printers. After identifying an open printer’s wireless network, the app established a similar wireless access point on the cellphone residing on the drone hovering within WiFi reception range of the office building. The app tricked the office staff to assume they had sent a print job to the departmental printer while in reality they had “printed a document into the smartphone”, so to speak. The smartphone later sent the print job to the cloud via its 3G/4G connectivity and placed it in the attacker’s Dropbox. To cover their tracks, the attacker’s app could resend the print job back to the printer so that the office staff would be able to collect the printout, albeit with some reasonable delay that should not draw suspicion.

csp

To mitigate this vulnerability, the researchers developed a second app they called “Cybersecurity Patrol”. Similar to the first app, it looked for unsecured printers in the target organization accessible via the drone, but rather launching the attack, it took photos of the compromised printers and sent them to the organization’s CIO. It also sent a print job detailing instructions on how to secure the specific printers that were identified based on their SSIDs.

The researchers also demonstrated the feasibility of this attack from within the building, by hiding the cellphone inside an autonomous vacuum cleaner and having it continuously and autonomously scan the organization’s network for printers with unsecured wireless connections.
3

In this research, open wireless printer was chosen as the tool for demonstration for two reasons: it was a common weak link; and it was relatively easy to print specific instructions to secure different brands of printers based on their SSIDs. The same approach can be used for detecting other unsecured wireless connections in the organization.