"Print Me?" Why, Thank You!
by StankDawg (StankDawg@stankdawg.com)
While traveling, I ran across an interesting service that is offered by many hotels.
It is called PrintMe and comes from a company called Electronics for Imaging (EFI). PrintMe is offered by hotels and other places to allow customers to print from their rooms (or anywhere, for that matter) to pre-determined printers provided by the location. While this can be a handy service to many people, it really should be locked down by strict policies on the client-side to prevent abuse.
The way that the system works is that the location that you are at (in my case, a major hotel in Las Vegas) usually has a splash page for the site that includes a link to the domain printme.com.
This is accessible (at least at my hotel) without paying for Internet access. It will automatically search for PrintMe eligible printers on the network. This is accomplished by looking for a piece of hardware called a PrintMe Station, which is apparently how the communication between the Interweb and the printer takes place. Unfortunately, I was not able to physically access this device so I can only guess as to the details of how it worked by trial and error. Reading the convenient help files and FAQ also helps.
The first interesting opening is that it doesn't lock you to your local hotel, it only defaults to the local network discovered printers. If a local printer is not detected, the web site will present you with a list to choose from by selecting the country, the state, the city and finally, the specific location.
This means that you can print to any PrintMe eligible location from literally anywhere in the world. As I write this, I am printing a test page to a hotel in another state.
Most places charge a per-page fee, while others are free. This sets up a "no harm in trying" environment that hackers love, especially since, as I mentioned earlier, it is accessible without paying for Wi-Fi access. They do ask for a name and an email address, but this is simply to send a confirmation that the print job was received and is not actually verified.
The printing itself is not handled like a normal print job. Nothing gets queued but, instead, you upload your file to the web server and it gets relayed down to the PrintMe device that you chose earlier. The list of file types that it supports is predictable and includes several graphics formats, document formats, and some HTML formats. Apple and Linux formats were noticeably absent (EFI, if you are reading this, please add Pages, ODF, and other formats).
While this seems like a fine way to limit people from uploading files to be used for something like a rogue FTP server from the printer's hard drive, it does not stop a DoS type of attack by filling up the hard drive with renamed files. I was able to upload a 250 MB video file by renaming it to PDF. Obviously, there must be some sort of limit to drive space.
When you upload a file, it assigns you a unique "DocID" that you may need to pick up your print file.
This is usually at the front desk of the hotel or the business center, but not all places wait until they get confirmation to print the document. When you submit the document, you have the option to have the item printed and delivered to your room.
I assume that this pre-authorization means that the printing cost is billed to your room. Obviously, this is not a good situation because there is nothing stopping me from printing something using someone else's room number and having them pay for it. Adding insult to injury, what you print may be more insulting than the cost to print it. I wonder if they would deliver something called tubgirl.jpg or a copy of this very article? I would love to see the look on the recipient's face if they did.
Also, a little social engineering goes a long way as well. You could print something and bill it to someone else's room and, before it gets delivered, walk down and intercept the delivery. You have the DocID, and you know which room you billed it to, so the odds are that if you act like you are in a huge rush and have to run to a meeting or a presentation, they will not bother checking very closely and you will get a free print-out billed to someone else. I am not condoning this dick move, just pointing out the possibility.
There are some good parts of the system.
EFI does encrypt all transfers to its devices via 128-bit SSL and an activation code is used to verify that the device is who it claims to be. This will protect your document in transit over the Interweb from "man-in-the-middle" attacks.
You are, of course, still at the mercy of the human employees and the local network at the facility that you are printing to. This is not EFI's fault, but just a fact of printing to a location that you do not control.
The system itself is not only handy, but pretty secure in the areas where it is controlled.
The true weaknesses, as always, are found in the human factor.
Shoutz: Aghaster, Seal, Ohm, Nick84, mirrorshades, Enigma, plexi, icetoad, rbcp, decoder, and everyone supporting the Binary Revolution.