Software packages

In the recent years, printer vendors have started to introduce the possibility to install custom software on their devices. The format of such ‘printer apps’ is proprietary and SDKs are not available to the public. The feature of writing customized software which runs on printers was intended and is reserved for resellers and contractors, not for end-users. Hereby a printer fleet can be adapted to the special needs and business processes of a company; document solution providers can easily integrate printers into their management software. One popular example is NSi AutoStore which can be installed on many MFPs and automatically uploads scanned or copied documents to predefined locations. Obviously, the feature to run custom code on a printer device is a potential security threat. Furthermore code signing of software packages is potentially harder than it is for as software is not only written by the printer manufacturer but by a broader range of developers who need to be in possession of the secret key to sign their software. Therefore it is logical to include the secret key in SDKs which are protected by being exclusively available from developer platforms. This article is an effort to systematically gather information on vendor-specific software platforms/SDKs.

Vendors

In the following a rough outline on the software platforms provided by major printer vendors to extend functionality of their devices is given.

HP (Chai/OXP)

HP introduced their ‘Chai Appliance Platform’ platform in 1999 to run Java applications on LaserJet printers. While an SDK had been open to the public at first , access was later restricted to members of HP's developer network. Chai servlets which come as .jar files which originally needed to be certified and signed by HP before they would be accepted by a printer device. discovered a flaw in the deployment process: by installing EZloader – an alternative loader software provided by HP which had already been signed – they were able to upload and run their own, unsigned Java packages. As it seems, code signing was completely dropped by HP for later Chai versions: were able to write and execute a proof-of-concept printer malware which listens on port 9100 and uploads incoming documents to an FTP server before printing them. Their code is based on who extended the device to support load-balancing and included the required SDK files and proprietary Java libraries in their demonstration. With the libraries, arbitrary Java code can be complied and executed on older HP LaserJets by uploading the .jar files to a ‘hidden’ URL: . This attack can be carried out if no password has yet been set for the embedded web server. Otherwise, the password must first be retrieved from /dev/rdsk_jdi_cfg0 with PostScript (see ) or bypassed by resetting the device to . A web attacker can upload the .jar file using if the victim is currently logged into the printer's embedded web server. For newer devices, HP uses the web services based ‘Open Extensibility Platform’ () instead of Chai for which no SDK is publicly available.

Canon (MEAP)

The ‘Multifunctional Embedded Application Platform’ () is a Java-based software platform introduced by Canon in 2003 for their imageRunner series and extended to web services in 2010. Third party developers can obtain the MEAP for a fee of $5,000 which is certainly out of scope for research purposes.

Xerox/Dell (EIP)

The ‘Extensible Interface Platform’ () was announced in 2006 by Xerox for various MFPs. The architecture – which is also supported by a few rebadged Dell devices – is based on web services technology. The is freely available for registered developers.

Brother (BSI)

The ‘Brother Solutions Interface’ () is an XML-based web architecture launched in 2012 for scanners, copiers and printers. Access to the is available to licensed developers.

Lexmark (eSF)

The ‘Embedded Solution Framework’ () was launched in 2006 for Lexmark MFPs. The SDK to develop Java applications is reserved for ‘specially qualified partners’. According to ‘these applications must be digitally signed by Lexmark before being adopted’ using 2048-bit RSA signatures.

Samsung (XOA)

Ricoh (ESA)

Kyocera/Utax (HyPAS)

Konica Minolta (bEST)

Toshiba (e-BRIDGE)

Sharp (OSA)

Oki (sXP)

Results

How to test for this attack?

Obtain an SDK and write your own proof-of-concept application or find a ‘printer app’ which already does what you want (for example, automatically upload scanned documents to FTP). Also check which protection mechanisms exist to install custom software on the device.

Who can perform this attack?

Depended on how software packages are deployed.