Multi-service Threats: Attacking and Protecting Network Printers and VoIP Phones alike

TL;DR

This paper explores vulnerabilities in network printers and VoIP phones, demonstrating real-world attack methods and proposing new security measures to enable secure, peer-to-peer communication without relying on trusted third parties.

Contribution

It identifies high-impact attack families and introduces novel security prototypes for VoIP phones to facilitate secure, trustless peer-to-peer calls.

Findings

Attacks like Printjack and Phonejack are feasible from insiders.

Secure configurations are rarely adopted in practice.

Prototypes enable secure, trustless VoIP calls.

Abstract

Printing over a network and calling over VoIP technology are routine at present. This article investigates to what extent these services can be attacked using freeware in the real world if they are not configured securely. In finding out that attacks of high impact, termed the Printjack and Phonejack families, could be mounted at least from insiders, the article also observes that secure configurations do not appear to be widely adopted. Users with the necessary skills may put existing security measures in place with printers, but would need novel measures, which the article prototypes, with phones in order for a pair of peers to call each other securely and without trusting anyone else, including sysadmins.