Hacking Wireless Printers With Phones on Drones

Share this…

YOU MIGHT THINK that working on a secured floor in a 30-story office tower puts you out of reach of Wi-Fi hackers out to steal your confidential documents.

But researchers in Singapore have demonstrated how attackers using a drone plus a mobile phone could easily intercept documents sent to a seemingly inaccessible Wi-Fi printer. The method they devised is actually intended to help organizations determine cheaply and easily if they have vulnerable open Wi-Fi devices that can be accessed from the sky. But the same technique could also be used by corporate spies intent on economic espionage.

The drone is simply the transport used to ferry a mobile phone that contains two different apps the researchers designed. One, which they call Cybersecurity Patrol, detects open Wi-Fi printers and can be used for defensive purposes to uncover vulnerable devices and notify organizations that they’re open to attack. The second app performs the same detection activity, but for purposes of attack. Once it detects an open wireless printer, the app uses the phone to establish a fake access point that mimics the printer and intercept documents intended for the real device.

“In Singapore … there are many skyscrapers, and it would be very difficult to get to the 30th floor with your notebook [if there is no] physical access,” says Yuval Elovici, head of iTrust, a cybersecurity research center at the Singapore University of Technology and Design. “A drone can do it easily. This is the main point of the research, closing the physical gap with [a] drone in order to launch the attack or scan easily all the organization [for vulnerable devices].”

Student researchers Jinghui Toh and Hatib Muhammad developed the method under the guidance of Elovici as part of a government-sponsored cybersecurity defense project. They focused on wireless printers as their target because they say these are often an overlooked weak spot in offices. Many Wi-Fi printers come with the Wi-Fi connection open by default, and companies forget that this can be a method for outsiders to steal data.

For their demo they use a standard drone from the Chinese firm DJI and a Samsung phone. Their smartphone app searches for open printer SSIDs and company SSIDs. From the SSIDs, the app can identify the name of the company they’re scanning as well as the printer model. It then poses as the printer and forces any nearby computers to connect to it instead of the real printer. Once a document is intercepted, which takes just seconds, the app can send it to an attacker’s Dropbox account using the phone’s 3G or 4G connection, and also send it on to the real printer so a victim wouldn’t know the document had been intercepted.

The attack zone is limited to 26 meters in radius. But with dedicated hardware, an attacker could generate a signal that is significantly stronger and extend that range further, Elovici notes. Any computer inside the attack zone will opt to connect to the fake printer over the real one, even if the real printer is closer in proximity to the rogue one.

A drone hovering outside an office building isn’t likely to be missed, so using this method for an attack has obvious downsides. But the aim of their research was to show primarily that adversaries themselves don’t need to be positioned close to a Wi-Fi device to steal data. A hacker could be controlling a drone from half a mile away or, in the case of autonomous drones, be nowhere near the building at all.

As for how close the drone would need to be to do the initial scan to detect vulnerable devices in a building, that depends on the specific printer, or other device’s, Wi-Fi signal. Typically the range of a printer is about 30 meters, Elovici notes.

Turning their mobile phone into a fake printer was not trivial, however.

After purchasing an HP6830 printer, they reverse engineered the protocol the printer used to communicate with computers sending it documents. Then they rooted a Samsung phone to install the Debian operating system on it. For the app, they wrote some Python code that simulates the HP printer.

Any organizations that are more interested in uncovering vulnerable devices than attacking them can simply install the Cybersecurity Patrol app on a phone and attach it to a drone to scan their buildings for unsecured printers and other wireless devices. A drone isn’t essential for this, however. As the researchers show in their demo video (above), a phone containing their app can also be attached to a robot vacuum cleaner and set loose inside an office to scan for vulnerable devices as it cleans a company’s floors.

“The main point [of the research] was to develop a mechanism to try to patrol the perimeter of the organization and find open printers from outside the organization,” Elovici says. “It’s dramatically cheaper than a conventional pen test.”