Desktop scanners can be hijacked to perpetrate cyberattacks

March 28, 2017

A typical office scanner can be infiltrated and a company's network compromised using different light sources, according to a new paper by researchers from Ben-Gurion University of the Negev and the Weizmann Institute of Science.

"In the paper, "Oops! I Think I Scanned Malware," we demonstrated how to use a laser or smart bulb to establish a covert channel between an outside attacker and malware installed on a networked computer," says lead author Ben Nassi, a graduate student in the BGU Department of Software and Information Systems Engineering as well as a researcher at the BGU Cyber Security Research Center (CSRC). "A scanner with the lid left open is sensitive to changes in the surrounding light and might be used as a back door into a company's network."

The researchers conducted several demonstrations to transmit a message into computers connected to a flatbed scanner. Using direct laser light sources up to a half-mile (900 meters) away, as well as on a drone outside their office building, the researchers successfully sent a message to trigger malware through the scanner.

In another demonstration, the researchers used a Galaxy 4 Smartphone to hijack a smart lightbulb (using radio signals) in the same room as the scanner. Using a program they wrote, they manipulated the smart bulb to emit pulsating light that delivered the triggering message in only seconds. Watch a video of the smart bulb attack.

To mitigate this vulnerability, the researchers recommend organizations connect a to the network through a proxy server—a computer that acts as an intermediary—which would prevent establishing a covert channel. This might be considered an extreme solution, however, since it also limits printing and faxing remotely on all-in-one devices.

"We believe this study will increase the awareness to this threat and result in secured protocols for scanning that will prevent an attacker from establishing such a covert channel through an external source, smart bulb, TV, or other IoT (Internet of Things) device," Nassi says.

Prof. Adi Shamir of the Department of Applied Mathematics at the Weizmann Institute conceived of the project to identify new network vulnerabilities by establishing a clandestine channel in a computer .

Ben Nassi's Ph.D. research advisor is Prof. Yuval Elovici, a member of the BGU Department of Software and Information Systems Engineering and director of the Deutsche Telekom Laboratories@BGU. Prof. Elovici is also director of the CSRC.

Explore further: New technique completely protects internet pictures and videos from cyberattacks

Related Stories

Cellphones can steal data from 'air-gapped computers'

July 28, 2015

Researchers at the Ben-Gurion University of the Negev (BGU) Cyber Security Research Center have discovered that virtually any cellphone infected with a malicious code can use GSM phone frequencies to steal critical information ...

Recommended for you

Startup Pi out to slice the charging cord

September 19, 2017

Silicon Valley youngster Pi on Monday claimed it had developed the world's first wireless charger that does away with cords or mats to charge devices.

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

Cave_Man
2.5 / 5 (2) Mar 28, 2017
How about we just nix the idea of smart houses, wifi causes health problems maybe even larger porosity in blood brain barrier. Why does ANYONE still think it's a good idea to use 'smart' devices? Oh right so the mega corps of the world will literally be inside your house watching and listening 24/7 duhurrrrr....

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.