The compromise begins with a booby-trapped document that when printed executes malicious code on certain models of HP LaserJet printers that have not been patched against a critical vulnerability. Once compromised, the printers connect to attack servers, creating a means for outside hackers to bypass corporate firewalls. The attackers then use the printers as a proxy to enumerate and connect to other devices in the corporate network.
Once an Avaya 9608 phone is discovered, the attackers can inject code into it that infects its firmware. The compromise, which survives reboots, activates the phone's microphone without turning on any lights or otherwise giving any indication that anything is amiss. The infected phones can be set up to record conversations only after attacker-chosen keywords are detected. Recorded conversations can be sent through a corporate network onto the open Internet, but the malware also has a secondary method for exfiltration that bypasses any devices that block suspicious network traffic. In the event that such devices are detected, the malware can turn a phone's circuit board into a radio transmitter that sends the recorded conversations to a receiver that's anywhere from several inches to 50 feet away, depending on environmental variables.
The larger point is that bugs in electronics firmware are notoriously easy to exploit, as a small sample of recent stories shows. Even if a target isn't using the phones or printers featured in the demonstration, chances are good that the target is using some constellation of devices that are susceptible to remote hijacking. And besides, many organizations fail to apply firmware updates, so even if a patch has been released, there's a good chance that it will never get installed on many vulnerable devices. (more)
Security Director Alert: Make sure software patching is a priority on the IT department's list. Start with this list for HP printers.
