Robo3D / Customer_Feedback


Robo printers Not Fit for use in Schools #3

Closed steveruss closed 6 years ago

steveruss commented 6 years ago

My 14-year-old son discovered this issue and brought it to my attention. He is a sophomore in high school, has become somewhat of a Linux guru and is sysadmin of our networks here at the ranch.

It all started with him coming to me and saying "dad...with all the lectures you have given me on network security, i.e. keep the network passwords secure, why would you purchase and install a device on OUR network that within a couple of keystrokes gives anyone with access to the touch pad EVERYTHING they need to hack this printer...let alone everything else on our networks?"

Yes, my 14-year-old son just brought it to my attention how STUPID I was to purchase this printer...if I had only known!

His next comment was "Just wait until these are installed in schools. It'll be a hacker's 'Dream Come True'."

We are both story tellers and agreed that the best way to bring this to Robo's attention was to create a story that couldn't fail to impress on the company how important this is...

So the story begins...

SafeSpace high school is located in a suburb of San Diego, California. Robo has decided...instead of refurbishing their returned printers and selling them at a loss, to donate them to the local schools for both a 100% tax write off AND get the great PR that would ensue.

SafeSpace High now has 3 Robo printers installed in 3D printing labs and one in administration that they primarily use (so far) to print door signs for the teachers' rooms.

Meet hacker-Hairy...a sophomore who lives in a trailer with his alcoholic mom and dad. Hairy isn't very sociable and doesn't have many friends...so spends most of his time in the terminal on his laptop running Ubuntu.

Hairy recognized almost immediately that these robo printers give him everything he needs to "raise hell" at his school and get back at both the students and teachers that consistently give him a hard time.

He plans to gather everything he needs and practices how to be quick and stealthy.

One by one, armed with a cellphone camera in one hand and his pointing finger in the other he approaches the first R2 printer and with just three keystrokes (utilities, networks, network status) snaps this photo:

[photo: network status screen]

Two more keystrokes get him to the Wi-Fi connections screen with the passwords displayed in plain text. Snap:

[photo: "fbi" network password]

Back, next, click, snap:

[photo: ranch network password]

Last thing...on the way out, "activate the Wi-Fi hotspot". He already has the password for that from the first photo.

He turns and walks away and now has EVERYTHING he needs to start having fun...and it only took him 8 seconds to do so!

Systematically...Hairy gathers the same information from the two remaining labs. The last one is in administration. This takes Hairy a bit more time because it's next to the desk of the principal's AA and he has to wait for her to walk away for just a minute. And here it is, his golden opportunity...an angry parent. 8 seconds later...he's got access to this one too.

Hairy goes home and while "rubbing his hands together" comes up with his first hack...administration!

He proceeds the next day to hang out on the sidelines of admin reception and, when the principal's AA is not paying attention, sends this print job to the R2.

[photo: "asshole" door plaque print]

author: If I were a teacher at SafeSpace High and the print was actually good quality, I'd probably hang it on my door. Most students think I come across this way...I'm neither proud nor ashamed of it, but I've learned to live with it.

The principal is alerted and immediately calls their net team to get to the bottom of it...but they can't.

A couple of weeks go by, and during that time Hairy has learned that he can totally screw up anyone's print job remotely while it is printing...he is now in possession of "The Keys to the Kingdom" (thank you, Robo) and can do whatever he wants.

Another week goes by and Hairy's parents have been unable to afford his allowance (the price of booze has gone up), so he devises THE plan to both pad his piggy bank and, at the same time, get back at that teacher who has given him so much grief for two years now and just happens to have been recently assigned to administer 3D printing lab #3. And the best part...she has NO technical expertise...so she won't have a clue.

So Hairy waits down the hall...far enough that he doesn't look suspicious but still within Wi-Fi range. In just a few more minutes the "school's out" bell will ring and the classroom will empty out.

Hairy is smart enough to know that if he uses one of the school's Wi-Fi networks (which are administered and guarded by the net group responsible for the LANs at the school), they are probably tracking everyone through the router logs. Besides...chances are good that the company which allowed him to get this far in the first place has even less info in the on-board logs to catch him, and hey...that R2 Wi-Fi hotspot is still alive (because Hairy knew there was no way to turn it off once activated).

The bell has rung...the students have left and Hairy is in, has his print job uploaded and presses print.

In minutes the deed has been done!

[photo: ransom note print]

Shocked and scared, the teacher summons the principal, who after seeing the print immediately calls the police. Shortly after, the police arrive and see the print, and because this teacher just happens to be "black" they immediately contact the FBI. It looks like it could be both extortion AND a hate crime.

Somewhere in this process...someone leaks it to the press and it spreads like wildfire.

Within 15 minutes the street outside Robo headquarters is choked with satellite vans setting up to go live on national news about this "breaking story".

[photo: news vans]

It doesn't take long for the reporters to arrive and crowd the reception area at Robo. Thronged...the receptionist goes to get Braydon and when she finds him exclaims..."you had better come out front immediately".

When he arrives in the lobby he is greeted by this crowd:

[photo: media scrum]

Immediately...a microphone is thrust into Braydon's face and the first question is asked.

reporter: Braydon...you are one of the Founders of Robo, is that right?
braydon: Yes I am.
reporter: Can you make a statement?
braydon: A statement about what?
reporter: Haven't you heard that a student at SafeSpace High School used one of your 3D printers to deliver an extortion note to a teacher and the FBI is investigating?
braydon: Oh No!

Then another reporter butts in line with another microphone and asks...

reporter: Does Robo actively market their products to schools? It looks like it does on your website.
braydon: Yes we do.
reporter: Before doing so, did you contract with an educational security firm to do a security audit of your products so this couldn't happen?
braydon: Aaaaa...I don't believe so.
reporter: Wouldn't that be considered negligence on the part of your company?
braydon: Aaaaa...no comment. That's all I have to say right now.

------End of Story ------

What? You are probably thinking...wait just one minute...that can't be how this story ends.

I leave it up to each and every one of you to take just a moment to digest what you have read and come up with your own ending...just for fun :-)

If you are now thinking "this couldn't happen" think again.

IT IS INEVITABLE.

Hope you enjoyed this story. Was it impressionable? Did you "get it"?

Good...then I haven't wasted my valuable time bringing this to your attention.

Steve

victorevector commented 6 years ago

@steveruss Thank you for the entertaining AND pertinent story. We are actively investigating the proper solution. Also, we really appreciate all the effort you put into these issues :D

victorevector commented 6 years ago

@steveruss your son sounds very bright! We could use someone like him!

AllenMcAfee commented 6 years ago

@steveruss thank you for the insight on the security issues you described. We do handle sales to schools differently than standard online sales. The printers that are sold into schools are generally password protected, and students can only interact with them via the Lani plugin that is already installed (lanilabs.com).

In the spirit of making everyone comfortable as well as allowing us to quickly digest issues and the workflows that caused them, I would ask that we keep issue posts to just the facts. This particular post did cause some concern on our side, as it went really dark really fast. Context is great, but we request we keep it light and professional.

steveruss commented 6 years ago

Edit - by steve. I realized that my comment was derogatory, un-professional and uncalled for.

OutsourcedGuru commented 6 years ago

Having been an I.T. manager for several decades now, I would imagine that it's the receiving school's own responsibility to learn any new computers/servers/devices that they now have in their possession and to own the responsibility of such.

As a consumer of a product, I don't love it when the manufacturer decides to build too much security into it. Educate me and let me configure as necessary to meet my own needs.

peries commented 6 years ago

@steveruss thank you for your feedback. We've added some new security features in the latest update, including the ability to configure remote access control settings through the web dashboard and displaying saved Wi-Fi passwords as asterisks on the printer touchscreen.