Pen-testing drone searches for unsecured devices

Get a copy of the upcoming book "Secure Operations Technology"

You’re sitting in an office, and you send a print job to the main office printer. You see or hear a drone flying outside your window. Next thing you know, the printer buzzes to life and, after spitting out your print job, it continues to work and presents you with more filled pages than you expected.

They contain instructions on how to encrypt the printer’s wireless access, so that malicious attackers can’t intercept print jobs and glean potentially sensitive business information from them.

With cyber security often being neglected in corporate offices, this type of demonstration – an early warning of potential dangers – could force users to make much needed security changes.

The approach has been thought out by a group of researchers from from iTrust, a Center for Research in Cyber Security at the Singapore University of Technology and Design, who equipped a flying drone with an Android smartphone, and the latter with a special app dubbed “Cybersecurity Patrol”.

The app looks for unsecured wireless printers in the target organization, takes photos of them (if the drone can manage to get close enough), and sends the organization’s CIO an email detailing the danger and/or sends the aforementioned print job with the instructions to the printers, which they identify by their SSIDs.

In the same way, the researchers showed the danger that these unsecured devices posed for businesses by creating another app that, instead of sending in a warning, simply slurped the print job and sent it to a cloud storage account that can easily be used by attackers. They app then forwarded intercepted the print job to the printer, so that employees might not become suspicious (click on the screenshot to enlarge it):

They tried the same approach by fixing the smartphone to an autonomous vacuum cleaner, to demonstrate the versatility of this attack, and again it worked.

Of course, the attack can just as easily be perpetrated by a person going through the office and carrying the phone in their pockets, but it’s possible that an attacker can’t gain such direct physical access to the offices in question, so the drone or vacuum cleaner approach is needed.

“In this research, the open wireless printer was chosen as the tool for demonstration for two reasons: it was a common weak link; and it was relatively easy to print specific instructions to secure different brands of printers based on their SSIDs,” the researchers noted.

“The same approach can be used for detecting other unsecured wireless connections in the organization,” they pointed out, and added that the recent advent of cheap personal drones can enable an attacker to access wireless networks unobtrusively via a somewhat less expected attack vector.

But the main thing to note is that even if an attacker has to be close physical proximity to the printer for the attack to work, there are ways to achieve this without raising suspicion.

This type of penetration testing that zooms in on a particular problem and offers direct solutions for it is perhaps what’s needed to raise security awareness and make some quick low-level changes.

Here’s a video demonstration of the attack: