• Dave (unregistered)

    Putting paper in is easier than entering a serial number? Each to his own, I guess, but if I was really that worried I'd have got the techs a barcode scanner.

  • Did I just say that? (unregistered)

    It sounds like the installation app is a victim of the serial killer.

  • Gargravarr (unregistered)

    NGL, I thought from the title it was going to be a different issue - the printers were expected to be connected to an IP network, but the techs were plugging them in with RS-232 (I mean, POS terminals could be) and wondering why the configuration app didn't find it...

  • some guy (unregistered)

    I work with printers. I am not surprised at all.

  • my name is missing (unregistered)

    I guess the printer asked "Papers, Please"

  • Brian Boorman (google) in reply to Dave

    What if the serial number is not encoded in a barcode on the label - just human-readable alphanumerics? What does that barcode scanner do for you then?

  • Steve (unregistered)

    So that means that the printer drops off the network every time it runs out of paper? That kind of sucks for any sort of network monitoring...

  • MiserableOldGit (unregistered) in reply to Steve

    Maybe some really crappy way of signalling it's out of paper ... "What the bloody hell happened to the printer? it says "offline"! Someone check it's turned on ... oh, it's out of paper you say?" Still a WTF if that's the reasoning behind it.

    I have to say, it's obvious that we shouldn't be shipping stuff these days with default credentials of admin/admin, but switching to a password that is printed on the device and available with a network query is hardly fixing the issue ... IOT smell, I'd expect better from a printer manufacturer ... no, wait, what am I saying?

  • Dave (unregistered) in reply to Brian Boorman

    What if it's engraved in runes? Also unlikely these days. But if so, then an optical scanner and ocr tool. But really, a numpad and eyes is easier. It isn't like there's a problem with a typo beyond having to reenter the serial number.

  • (nodebb)

    Wish I could post a picture....

  • Brian (unregistered)

    My guess is that this TCP port was initially just a simple reporting tool - you trigger it and it prints out some status. It makes sense then that it would refuse the command when there's no paper available. Then in a later revision or newer model someone added commands to it that made it more interactive, but never bothered or knew to remove that restriction. I've seen far too many WTFs evolve along this track.

  • (nodebb)

    It's like car refusing OBD connection unless there's stuff in the trunk.

  • Foo AKA Fooo (unregistered) in reply to MiserableOldGit

    Obviously, it's far from perfect, but it seems it would actually prevent most common attacks today. IOT attacks are usually remote and in bulk. Default passwords are no protection at all, but numbers printed on the device or box are not available to remote attackers, assuming they have enough entropy to avoid guessing. Non-standard TCP ports are usually not accessible from outside either, so they'd need to get into the local router first. (Which is often not a big obstacle, I admit, but if their attack only requires network bandwith and/or IP addresses, as many do, they only need the router anyway and don't need to bother with the printer in the first place.)

  • Hal (unregistered) in reply to MiserableOldGit

    Risk reward question here. These are probably pretty dumb devices. My guess is there is no capability to do anything like recover a print job from them. Probably the whole of what you can do via network is, query 'are you out of paper?, what is your serial? , busy or idle?" and in terms of commands its probably 'here is your new IP settings, print this byte stream, reboot".

    So from a security perspective the threat is really only availability, and maybe integrity. Some miscreant could certainly offline the printers and stop work guessing admin/admin. Similarly on the integrity side if they are used for printing picking tickets etc I suppose someone could send some crafted print jobs and maybe induce some gopher to pull something off a shelf, but the whole of that scheme falls down when the stuff moves to the shipping station and there is no transaction record there to proceed with. In the case of POS maybe you can print some fake receipts for 'reasons' but than you could probably just get your own thermal printer and make them anyway.

    So if we start with the assumption you have at least some weak control over who and what is on your POS network, this is probably a strong enough additional control. Automated scanners and the like will find admin/admin as will dopes just randomly banging creds into anything that speaks http. The later might crack this scheme if they are specifically targeting the printer some reason but more than likely they will just move on when their short list of trial creds fails, the former certainly wont ever get in.

    On balance here its probably better to have this easy path for automated tooling to get into the systems. Now what would be nice if her program changed the password after the initial configuration (assuming the devices can even do that) to some client specified value, or something random and stored securely in a database or something but as far the printers go. As a security practitioner I don't have big problems with this.

  • (nodebb)

    I would love to say TRWTF is using printers in the office, but since this is POS-related and some folks still insist on a paper receipt instead of the email one, I guess the stores are stuck w/ using printers and physical paper. No matter how much the paper weighs (snarky reference to a non-WTF posted last Friday).

  • Foo AKA Fooo (unregistered) in reply to Hal

    Indeed, for local attacks, there's probably no high reward (that you can't get anyway with access to the device). In my previous comment I implicitly assumed remote attacks, e.g. use in a botnet, probably the most common (by numbers) these days.

    As I said, network-targeted attacks (DDOS etc.) can do just fine with your router already. But other attacks, such as Bitcoin mining, require computing power, and depending on the feature of the printer, it might have some (e.g. for PostScript processing, though unlikely for a receipt printer). So there may be some possible reward, but compared to the effort required (hacking the router, finding the printer and hacking it through that TCP port), it's probably not worth it to attackers.

  • Foo AKA Fooo (unregistered) in reply to cellocgw

    Or if required by law (to fight tax avoidance). Germany (possibly all EU) just this year intensified their paper receipt requirements which drew heavy criticism from a rare coalition of businesses and environmentalists (and probably anti-taxxers ;).

  • Clbuttic (unregistered)

    PC load letter

  • Brian Boorman (google) in reply to Steve
    So that means that the printer drops off the network every time it runs out of paper? That kind of sucks for any sort of network monitoring...

    It didn't say that at all. It said that the additional TCP port wasn't available if there was no paper. Clearly if the webserver page was up then the whole network stack isn't hosed by a lack of paper.

    And for all we know, this bug may have been caused by a boot-time check and didn't have this behavior if the paper ran out after it was powered on.

  • some guy (unregistered)

    The printer really shouldn't, but I would not put it beyond the insanity of printer manufacturers to have a port that dumps the print content for monitoring or debugging.

  • MiserableOldGit (unregistered) in reply to Hal

    Well, it has an embedded web server. Probably a pretty simple thing to serve up a configuration panel, but still, that's a handy thing to compromise in any network.

    These days POS environments are expecting to be able to do all sorts of things like allow sales personnel (or even customers) to use their own device to submit transactions and trigger printed receipts via apps on their personal device, sometimes with very little local infrastructure. And it's not just receipts, these sorts of printers are used to give people appointment details, provide test results in clinics, tracking information for parcels and who knows what else.

    You are correct that if you have a nicely set up office system with professionally configured router and firewall etc that (assuming this thing isn't creating it's own WiFi router independently, I have one here that does that) the risk is trivial, as once you've got past the main defences their are juicier targets. Especially because you'd know how to mistrust all that BYOD stuff and mitigate the risk.

    I'm inferring a device aimed at a lower end of the market, especially as it reads like they send someone to install it on the client site. I can foresee all sorts of mischief sniffing the data from small shops, medical clinics & labs, places giving appointment notifications out. There are plenty of websites out there that will tell you how to identify devices with vulns and what to do to exploit them, it doesn't require any kind of expert, just a web connection, a small bitcoin payment and a bad attitude. The crims don't need to learn wireshark these days, and it's surprising what (apparently) useless information can be leveraged.

  • Sole Purpose Of Visit (unregistered) in reply to MiserableOldGit

    Well, yes, but. The WTF is purely related to the secondary port, not to the embedded web-server. So, absent the serial number issue, you'd still have an embedded web-server problem.

    And you're scaring me.

    Back in the good ole days, when I worked for a Very Large Credit Card Company, I got to see an awful lot of (hardware) POS. (I'll leave the software POS for now.) We used to test them. They were, almost uniformly, massively over-priced and massively under-engineered, merely on a simple have-modem-will-talk-ISO8583 basis. And now you're telling me that they might have an embedded web-server and they're used for things like retrieving clinical data? Ugh.

    I can think of various mitigations here, such as requiring a Class C source address (then again, I'm willing to believe that routers can compromise this), requiring SSL (hardly very likely in the general case) ... but I can't think of anything much that doesn't require actual network infrastructure. And I'm willing to bet that small outfits that use these things don't have that. Maybe PPPoE would help.

    This is one of those cases where I am hoping to be told that I am an idiot. Because, if not (unusual for me, I admit), there's a whole world of POS pain waiting out there in the shadows.

  • stuart lynne (google)

    Almost willing to bet that the needed serial number is available via SNMP :-)

    That of course could lead to other WTF's!

  • MiserableOldGit (unregistered) in reply to Sole Purpose Of Visit

    Yeah, I'm a cynic, but so are you. And we're rarely proved wrong, given enough time.

  • Sole Purpose Of Visit (unregistered) in reply to MiserableOldGit

    Want to know how cynical I am, re security?

    Ten or fifteen years ago I was employed by a DSLAM manufacturer to audit and "correct" any security issues.

    I had no previous experience of doing so, unless you count watching a HPC in the previously mentioned Very Large Credit Card company spend six months learning how to create a firewall for a single system. Which promptly went off-line, the first time we fired it up, because ... he'd put all the servers on the wrong side of the firewall.

    I've also looked at the C code for various IPv6 bugs (usually things like not putting a break at the end of a case statement) and thought, WhoTF are these people?

    I passed "cynicism" way back there. To avoid depression, I'm just taking the Molly Ivins medicine. They're all hilarious morons. Just laugh at them.

  • Sole Purpose Of Visit (unregistered) in reply to stuart lynne

    That would require access to port 161 or port 162. I haven't looked, but they are typically turned off on a vanilla Linux distro. (I am assuming, with considerable confidence, that this is a vanilla Linux distro.)

    But you're probably right, now or in the future. At some stage, a PHB is going to ask for something vague like "list all the machines in our IT portfolio." At which point, port 161 and/or port 162 will be turned on again. Using SNMP v1 rather than SNMP v3, so ... no authentication required.

    Le sigh.

  • Sole Purpose Of Visit (unregistered) in reply to Sole Purpose Of Visit

    And for those of you who are thinking "thees is impossibles!": Well, obviously, no sane human being would construct an embedded web server (the purpose of which is solely to provide a GUI for needful tasks) that allows you to frig around with Well Known Ports.

    Except ... if, as stated, the User/Password combination is "admin/admin," one has to assume that there's a reason for that. Even sudo is beyond some people. (Including me. I think it's a terrible idea. And please do not prate about rings and things.)

    Nope. There may very well be an admin screen somewhere back there that allows Mr or Mrs Admin to open up Well Known Ports.

    And I feel for Annabel, because there really isn't a good way to test for this on every single dinky cheap off-brand POS out there.

  • Worf (unregistered)

    Usually the serial number has a barcode on it, so you can scan the barcode and get the serial number.

    Yes, it requires a barcode scanner, but the installers should have them for quick inventorying of what they're sending to the site anyways so it isn't a big bother to have the config app ask for a serial number either manually entered or scanned in.

    Also, if it's a POS printer, the barcode allows for the POS terminal to scan it in during set up so it can discover the printer and print to the right one. Many systems nowadays have you scan in the receipt printer so the receipt will automatically appear from that printer.

  • Dave (unregistered) in reply to Hal

    The value of the printer to an attacker is as a CPU, not as a printer. Take it over and you've got a server under your control inside the company's security perimeter. You can now sign it up to a botnet, send spam from it, use it for a DDoS, attack other servers inside the company from it, ...

  • LastTimeIworkedInRetail (unregistered)

    back around 2005, the last time I worked in retail... it became very clear how long POS systems last-- said retailer had a their back office system in each store. It was written something Unix circa early 90s. The hardware printer for the backroom, and the monitor / cash drawer out front were years past their last date of manufacturing. It was amusing, annoying that the solution to any problem was to send device back to corporate or have them ship a new one-- all of which, of course were really refurbished so it was inevitable that it would break real soon. So I imagine this kind of issue would last for 20 years or until the business ceased to exist.

  • (nodebb) in reply to stuart lynne

    Maybe the port in question that wasn't responding until paper was installed was in fact the SNMP port?

  • shebang (unregistered)

    You people seem to be in love with barcode scanners. Do bar codes even usually encode the serial number? I would think it would be the part number. I would much rather throw in some paper while plugging in the printer than wait until the software is ready and scan a bar code. They're probably doing this something like 100 times a day, they just want to hook it up, hit start, and get something else done. Not to mention the expense of buying everyone a scanner, getting the scanner configured, writing documentation so that anyone could setup and use the stupid thing, and developing an interface to the scanner library. And the people doing this are probably not the most competent. Or patient. No thanks, I'll write the dozen or so lines of code to open a tcp port and read the serial number. TRWTF anyway is that paper being out would cause this, the manufacturer should fix that bug but they don't care, they sold you $10 devices for $70 a pop, they're busy working on the $5 version, and the guy who wrote the firmware is three jobs down the line by now.

  • Lee (unregistered) in reply to Sole Purpose Of Visit

    How about just making the admin password available by a SNMP walk, enabled by default...

    https://www.auscert.org.au/bulletins/ESB-2016.1338/

    Friends don't let friends control server room environmental systems with this gear.

    (It was like pulling teeth getting the manufacturer to respond, but some of you might not be surprised)

  • Sole Purpose Of Visit (unregistered) in reply to Lee

    Well, eek.

    VULNERABILITY DETAILS

    EXPLOITABILITY
    
    This vulnerability could be exploited remotely.
    
    EXISTENCE OF EXPLOIT
    
    No known public exploits specifically target this vulnerability.
    
    DIFFICULTY
    
    An attacker with low skill would be able to exploit this vulnerability.
    
    

    So, if you use the 2016 version of certain Black Box products, and you are an "authenticated user" (which presumably means that your corp sysadmin allows you basic SNMP access), you can actually trawl around using an [B}snmpwalk[/B] (or a more sophisticated scripting equivalent) and find an end leaf that tells you the admin login and password? [/CODE]

    What idiot came up with this idea? You're right. That's put me right off recommending Black Box to anybody, ever.

    (CVE-2016-2311 [b] for those of you who might be interested)

  • Simon (unregistered) in reply to Foo AKA Fooo

    It's been a requirement in Hungary that customers always get a printed receipt for years. This can actually be quite annoying - the thermal paper is not generally recyclable, and one ends up with receipts for things that are obviously short-life consumables such as cigarettes and veg from the market, so that the receipt has no value as proof of purchase (I am really not going to return a faulty potato). Add that many small business legitimately trade under names completely unrelated to their legal company name, this is really not in the interest of the consumer (especially if one pays by card and then gets one or two card transaction receipts in addition to the sales receipt). It's purely to reduce sellers' tax evasion - but how does forcing the seller give a receipt to the consumer (who immediately discards it) help that?

    There is a small leccy/electronics shop very near me where sometimes I buy small parts that might total less than a dollar. Printing me an A4 page documenting the sale of two 3.3kOhm resistors must surely form a significant part of the cost of sale. In the UK that kind of tiny one-off transaction would probably go for some loose change in the charity pot (or the "give one - take one" trays that I used to see in the US) but that's very rare here because of the strict requirement to give customers receipts, whether they want them or not.

Leave a comment on “Serial Problems”

Log In or post as a guest

Replying to comment #:

« Return to Article