45 Comments
- Slayback, on 10/12/2007, -0/+29 At one place I worked at we had a large amount of FTP traffic going off-site and could not figure out where it was coming from. After much hunting, we traced it down to the port that only a multi-function fax/printer/scanner was connected to. Disconnected it, and the traffic stopped.
Turns out, the printer had a 30GB hard drive to store scanned documents, and was also running embedded Windows. It had the same vulnerabilities as regular Windows, but never got any patches, so it was a prime target for a hacker. Once the hacker pwned the scanner, he set up an FTP site for trading pirated French movies. The company had to send a tech out to update the software on the printer, which involved taking the back of it off, and loading a new version of the OS via a CD-ROM drive hidden under some covers. I wonder if the hacker ever figured out what it was....
- NewEvolution, on 10/12/2007, -1/+15 I control a botnet consisting entirely of compromised toasters.
- scinju, on 10/12/2007, -1/+15 Oh man, imagine the possibilities... Crackers from around the world will be printing out pictures of goatse on your printer, sending you to the basement, and keep giving you those low-calorie snack-packs when you put $.50 in! Oh the horror!
- l33tspam, on 10/12/2007, -3/+16 at my school we change the vending machine prices and get 10 cent sodas...
- signal15, on 10/12/2007, -1/+8 I had a client that had an HP printer on their network. Doing a routine security audit, we noticed some suspicious traffic coming from it. The web interface on it runs Java, and someone who had gotten into the network had written a Java app that ran on it and made a connection outside of the firewall to establish a tunnel that the attacker could get back into the network on.
- titlesaysitall, on 10/12/2007, -2/+9 Imagine trying to buy a soda and the screen says "All your coke are belong to us"
but why the hell would vending machines need OSes and Hard Drives and the whole bit? It's not like I'll need the power of Windows to press B3 to get some Dr. Pepper.
- dbpigeon, on 10/12/2007, -1/+7 I just hope vending machines don't have to pass the Windows Genuine Advantage....
- inactive, on 10/12/2007, -3/+9 I'm going to go hack into a vending machine now to get a nice cold soda
- neko, on 10/12/2007, -1/+6 DEATH TO ALL HUMANS!
... click ...
FREE SODA FOR ALL HUMANS!
- gamekid, on 10/12/2007, -0/+5 It'd be weird to suddenly see the coils in snack-vending machines go crazy and start dropping Snickers and Lay's all over the place.
I'd tell them 'bout the vulnerability quick (but I'd take the M&Ms first).
- cyberfelon, on 10/12/2007, -1/+6 (Psst. It's a Futurama reference, highlighting how this technology allows everyday objects to be controlled remotely for harmful purposes. But hey, if you don't pick up on the reference, might as well bury it so people who do understand the reference don't get to read it, right?)
- Arramol, on 10/12/2007, -0/+5 I'd keep the vulnerability to myself if I were you. People tend to thank you for reporting them by having you arrested these days.
- Gyga, on 10/12/2007, -2/+7 Who puts an elevator onto the Internet? Or even a vending machine? These should be standalone items. A vending machine should be administrated with a locked up panel (behind the regular panel) that requires a key to reload, or get the money.
Printers should only receive data, and maybe send a preprogrammed error message/ink status but should not be able to send mass amount of data into the network.
- dhughes, on 10/12/2007, -0/+4 What I don't understand is why there is Braille on the keypad numbers of vending machines. The stuff in the machines changes all the time, how could a person know what to get? The Braille would only be useful if you're alone, if you were with someone they may as well push the button rather than describe each item.
- jinexile, on 10/12/2007, -0/+4 In college one of the former student assistants (and my friend) port scanned the school, got the IPs of all the printers in the building, lo and behold, they all had unprotected webservers... tonnes of fun picking on one person in the lab by cancelling his/her and only his job halfway through. The other student assistants had no clue what was happening, all they could do is try turning off and on the printer and suggesting he try the other one or possibly his files were corrupt. Also great for bypassing the queue by FTPing jobs to the printer, another thing the SAs couldn't understand was how a 700 page manual was being printed but wasn't in the queue.
- cgruber, on 10/12/2007, -0/+4 A network vending machine would probably be pretty handy for inventory and sales tracking.
It's not so bad that they have network access as designing your network in a way where it's segmented from everything else. Placing it on a separate VLAN from everything would be a good start.
- cyberfelon, on 10/12/2007, -11/+14 I'VE GOT A BIG, BIG THIRST FOR HUMAN BLOOOD!
- cgruber, on 10/12/2007, -0/+3 The real threat here would be say a vending machine that's connected to an internal network. Say you have your office all NATed and you throw this machine behind the NAT and set up the port forwarding for it. Someone hacks into the machine and then has breached your firewall and then can steal company data.
This is where proper network planning is needed, and unfortunately most small businesses won't realize it until it's too late.
- masterfoo, on 10/12/2007, -0/+3 mm actually they hook a lot of vending machines up at colleges so that you can use your college ID to buy stuff. heh this could be fun.
- benc, on 10/12/2007, -1/+4 I'm sure that all that and more has already been done. One recent example, http://digg.com/security/_O_RLY_Virus_Is_On_The_Loose
- jmcmunn, on 10/12/2007, -0/+3 Same goes for CD duplicators. We had one get infected with a nasty virus that brought a couple servers down in the office for a day or two. The worst part was, the company admitted it was a potential risk, and refused to do anything about it. After 3 days of tech support and complaining they finally overnighted a new drive (with the same vulnerabilities) and told us not to put it on the network....uhhh then why is there a network port in this thing? It's terrible what these companies can get away with. If they are going to run an embedded OS, they need to have a scheme and a gameplan for combatting virus and other OS related problems.
- wandog, on 10/12/2007, -1/+3 Another reason for putting a vending machine on a network is so cards can be used to make purchases. At college we use our student IDs in vending machines and it deducts the balance from our account.
- Slinker, on 10/12/2007, -0/+2 Well, at a place where I once worked, the vending machines all had credit card slots. They had to be able to verify the cards somehow.
- TheKillDoctor, on 10/12/2007, -0/+1 This has been a problem for years. I bet there are still business Toshiba copiers out there still running NT with no patches, ports wide open.
- WaterDragon, on 10/12/2007, -1/+2 "...then suddenly when your vending machine starts surfing the Internet..."
A vending machine was found surfing the internet, promising free sodas to everyone. But it was really just running a scam, getting people to invest in soda futures.
Hey, maybe some of the stooopider digg articles are being submitted by vending machines or printers.
- Burmask, on 10/12/2007, -0/+1 What about those fancy networked copiers?
- Nougat, on 10/12/2007, -0/+1 All elevators have mechanical devices that prevent falling catastrophes. No added-on computer system can change that.
- ronjohnson, on 10/12/2007, -0/+1 I'm having trouble validating the vending machine/Blaster worm infection story, anyone got a news article on that? I just don't believe that example.
- titlesaysitall, on 10/12/2007, -0/+1 What if someone hacks the elevator's OS and you're in it? might kill someone, up down, up, down, up down.
- biffbobfred, on 10/12/2007, -0/+1 Our Canon printer runs embedded NT, got hit by Slammer. So did the NT2K based TV controller.
- nathanrobinson, on 10/12/2007, -2/+3 because of Microsoft's quest for world domination.
- mwace, on 10/12/2007, -0/+1 [22:31] mwace05: http://digg.com/security/The_New_Network_Threat:_Vending_Machines_and_Printers_
[22:32] mwace05: if cyberfelon doesn't get modded down
[22:32] mwace05: I officially
- GliTCH82, on 10/12/2007, -0/+1 What brand/model printer is this?
- Slayback, on 10/12/2007, -0/+1 @GliTCH82 - The MFP was a Xerox.
- mwace, on 10/12/2007, -0/+1 Whoa, digg is tripping up on me in Opera (someone should look into that). The post was supposed to read:
[22:31] mwace05: http://digg.com/security/The_New_Network_Threat:_Vending_Machines_and_Printers_
[22:32] mwace05: if cyberfelon doesn't get modded down
[22:32] mwace05: I officially love* digg.com
And I didn't even know it was a Futurama reference
*update: aha, I put a heart symbol with a 3 and an HTML bracket kinda thing; and apparently digg translated that as an HTML tag and it ended the post sooner than it should have.
- GliTCH82, on 10/12/2007, -0/+1 It's not the vending machines that are a threat to the network, it's the naive system administrators who have no idea what's running on theirs.
- SuperSloth, on 10/12/2007, -0/+1 Why the hell would you put your elevators on the same network that your clients have access to? Christ, has nobody heard of a VLAN?
- Otto, on 10/12/2007, -1/+1 I actually hope vending machines go online.
I sure could use some free soda.
- dhughes, on 10/12/2007, -1/+1 I bet you're a printer! I'm not a racist though, I welcome all printers of any colour be they cyan, magenta or yellow.
- cryptodecker, on 10/12/2007, -0/+0 I enjoyed this idea a lot more the first time I heard about it.
Toorcon San Diego, CA 2001, and then at Defcon X.
http://members.cox.net/ltlw0lf/printers/index.html
Enjoy everyone behind the power curve.
- hfilby, on 10/12/2007, -0/+0 This is hilarious. The laundry room in our apartment building runs on a credit/debit card system. I bet the washing machine is browsing tide.com right now!
- neko, on 10/12/2007, -1/+0 @Slinker: wow, so, hack the vending machine, and suddenly you've got a free source of credit card numbers?
- FullMetalMonkey, on 10/12/2007, -4/+2 People have known how to hack these kinds of things for a while, but I'm curious to know what kind of vending machine or elevator is hooked up to the internet?
- ClockworkBanana, on 10/12/2007, -4/+0 Locally, all the local bridges to the small coastal islands are linked into a wifi network.
Probably meant for webcams or to notify in case of earthquake or other emergency.
But what fun to spoof a bridge? Can it cry for help?

