Multi-service Threats: Attacking and Protecting Network Printers and VoIP Phones alike
This addresses security vulnerabilities in widely used network services (printers and VoIP phones) for organizations and users, though it is incremental in proposing specific countermeasures.
The article investigates real-world attacks on network printers and VoIP phones using freeware, finding that high-impact attacks (Printjack and Phonejack) can be mounted by insiders due to poor secure configuration adoption. It prototypes novel security measures for phones to enable secure peer-to-peer calls without trusting third parties.
Printing over a network and calling over VoIP technology are routine at present. This article investigates to what extent these services can be attacked using freeware in the real world if they are not configured securely. In finding out that attacks of high impact, termed the Printjack and Phonejack families, could be mounted at least from insiders, the article also observes that secure configurations do not appear to be widely adopted. Users with the necessary skills may put existing security measures in place with printers, but would need novel measures, which the article prototypes, with phones in order for a pair of peers to call each other securely and without trusting anyone else, including sysadmins.