 So, Yannif Balmas is a software engineer and he started tinkering with a Commodore C64 when he was eight years old and he was kind of a teenage hacker of games as well and now he's in the security field and he got interested in the fax machine together with his friend Yel Itkin who is also a security guy and malware researcher and together they're gonna tell us about the fax machines and what the fax was still using people those machines and it's gonna be really interesting I think and the title is also hacking your network like it's 1980 again I'm really excited please give a warm round of applause to those two guys thank you thank you guys hi ccc you probably know this sound right and now get to know us so my name is Yannif Balmas I'm a security researcher I work at checkpoint research and with me here today is a Yel Itkin also a security researcher also it's checkpoint research and let's begin with talking a bit about the history of fax so I guess that not many of you know that fax started it was first invented in 1846 by a scientist called Alexander Bain fun fact this was this happened 20 years before the invention of the light bulb and then it had some more advances to it this is the actual first thing that looked like a fax machine like a standard fax machine and again this thing was invented 20 years before the invention of the telephone so humanity was sending faxes before we had light or talked over the phone and then there was some more advancements like radio fax and another important important point in time is 1966 where a small unknown company called Xerox invented came out with the first commercial fax machine this is the advertisement for it and in 1980 a strange organization called ITU defined the current standards for fax namely it's t34 t6 and those standards are still the same standards that we used to date basically with just minor changes to them so this was all in the past but what's happening today I mean today we have far better ways to send electronic documents from one to the other right you know let's compare fax to just I don't know off the top of my head just you know one method like let's say email and just to you know remind you we are comparing this to this okay so let's look at some of the features here in terms of quality yeah okay in terms of accessibility I'm pretty sure that all of you here have 24 by 7 access to emails not so sure you're carrying around your fax machines with you in terms of reliability well you know when you send a fax you don't really know if it got received or not yes there is this strange confirmation page but it doesn't really mean anything I mean if there's no paper in the receiving fax you still get it if the dog ate the they ate it you still get it so there's absolutely no reliability in fax and regarding authenticity well we can argue about emails if it's authenticated or not it could be forged of course but we do have public key cryptography and stuff like that that will help us when talking about emails while we don't have we don't have nothing when it comes to fax absolutely no authenticity so if we're looking at this table one might think to himself okay so who the hell still uses fax today it's 2018 I mean it deserves a place in the museum of great technologies and that's it so nobody is using fax today right yeah wrong everybody are using fax today and and you see fax is used like to send this very critical maritime maps to ships at open seas 90% of the Japanese population uses fax according to Wikipedia at least and if you Google any kind of combos like contact us and fax or stuff like that you will come up with something like 300 million results 300 million published fax numbers in Google and that's not counting the unpublished numbers right that's a huge amount of numbers but it's not all about numbers I mean it's not how many fax machines are out there but it's also who is using fax you see if you're a small corporate a medium corporate a huge corporate you have fax not necessarily anybody is sending fax to this number but there is a fax machine sitting there waiting to for a fax to be received if you're a bank you simply love faxes this is Bank of China the biggest bank of the world in the world and that's the fax number of it and I think most importantly if you're a government organization you simply wake up in the morning and you want to have more fax so this is Donald Trump's fax number if anybody wants to send him a fax go ahead that's it it's not a secret it's from Google so we should send him something by the way yeah so yeah and the thing is that you know those banks and government institutions they don't only support fax allow you to send fax the funny thing is that actually most of the time it's mandatory to send fax there is no other way you can either postal mail it or fax it they didn't hear about anything else so we looked at this state of affairs strange state of affairs and said to ourselves you know this looks strange I mean it can it can be true humanity came so far and we are still using these old technologies so what the fax and like we decided to try and do something about it and we started a very long research to try and find some security vulnerabilities in fax and before we do that let me just you need to explain how fax looks like today you see today fax doesn't look like it looked 20 or 30 years ago then it was just standalone fax machines right today fax is mostly old technology embedded within newer technologies so I mean we have fax to email services or email to fax services we have like as I said before radio fax and fax over cell light and stuff like that and I think most commonly we have these these machines all in one printers like you buy them they scan the print and they fax it actually comes with a phone cable out of the box so you can connect I guess most people connected and I also think that this is the most common faxing solution today so we decided to take a look at these machines these fax machines and if you look at these boxes from a security point of view you can imagine them to be just black boxes right and those black boxes as interfaces so in one side of the box we have interfaces like Wi-Fi Bluetooth internet stuff like that these interfaces connects the printer to the internal network the external network basically it connects it to the world right and on the other side of this box there's this little interface here that connects the this black box to somewhere to the 1970s I would say so yeah that's pretty funny and you know if you remember that at the end of the day these printers are basically nothing but computers I mean they have CPUs they have memories they have operating systems they are computers not standard ones but they are computers and we were thinking to ourselves imagine this scenario right there's an attacker sitting somewhere in the world all he has is access to a phone line and his targets number what will happen if this attacker this guy would be able to send a malicious fax and with this malicious fax he will be able to exploit the printer then he's completely as complete control over the printer right if he does that he could then maybe pivot through any one of those other interfaces let's say the internet and jump from this printer to the rest of the network that the the internal network effectively creating like a bridge between the external world and the internal network through the phone line that's 1980s again so we thought that this is a really cool at a tech scenario and we decided to accept this challenge and go for it and try and actually show this thing happening in reality we were really excited about this but then after we slept a bit and drank a bit and sat down and talked about it we kind of found out that there is like a lot of challenges really hard challenges in front of us and it's we're not really sure how to deal with them let me name just just a few of them so one of the challenges is how do we obtain the firmware the code that this printer runs it's not like you have it everywhere and after we get it how do we analyze this firmware after we analyze that we need to understand what operating system are those printers running and then we need to understand how to debug a print I never debug the printer before and I need to understand how to debug a printer and after we do all that we need to understand how does Fox even work we only know the beeping sounds like most of us I think and after we did all that we can start talking about where can we find vulnerabilities inside this big big big ecosystem and today we'll try to take you through these challenges one by one and explain how to do it until we'll be able to actually do the thing that we should just the scenario that we just showed you so let's start with the first challenge how do we obtain the firmware for the printer yeah so meet our nice printer it's an HP printer an HP office jet printer we chose this model for first of all we told we chose HP because it has like I think 40% of the market share so it's not that we dislike HP we really like them but unfortunately for them they are just the biggest target out there and this specific model well we have a lot of reasons why we chose this printer but basically it's the cheapest one yes so we bought it we didn't have a lot of budget we bought it and we abused it for a lot of time and our goal was to break the print the break facts right but before we do that we had to break the printer and I mean literally break the printer so yeah that was the fun part of the project we broke it and inside the printer we find this thing the main PCB the brains behind the printer and it looks like this let's map the critical components of it so we have here flesh from a pension some model and then we have some more memory here this might look like not a lot because the PCB has two sides to it of course and on the on the other side of it we have the more interesting components like USB Wi-Fi electricity SRAM battery probably for the memory but who knows and now we have two very interesting components here one of them is the main CPU it's a Marvel CPU and it's proprietary manufactured for HP so we can't you know tell anything about there's no available specs nothing we can just find bits of information here and there and then we have the fax modem it's located here and it's a it's a CSP 1040 and what we need to understand now is how does these two components operate and what is the relationship between them if we do that we're one step further so that's what we try to do and as I said the challenge is to the first challenge at least is to get the firmware of this thing and when we're looking a bit closer into this PCB we find these very two very interesting interfaces one of them is a serial debug the other is JTAG so if you're familiar with them so you know that they give you like debugging capabilities or at least memory read memory write exactly what we need to get the firmware so we're smiling to ourselves saying huh that's gonna be really easy but unfortunately it's not because the JTAG of course is disabled completely we can't do anything with it and the serial port well we managed to connect to it and we get this terminal that for almost every instruction we type gives us this error I don't understand well we don't understand either but it looks like this terminal is not gonna get us very far so we drop this pet and try and look for other ways to get the firmware and obviously one of the most common ways is to try and get grab the firmware upgrade and we after looking a bit in the internet we find this jewel this FTP site by HP that contains every firmware version for every HP product ever produced in the history of HP and and the internet and a lot of other stuff and it actually took us like about I think two weeks to find our firmware within this mess of filmers but once we did we had the we had the firmware upgrade file yes thank you it's still alive so you can go there and look for some that's a lot of interesting stuff in there and now we got ourselves a file and this file is a firmware upgrade file it's not an executable file it's just a binary and now we kind of need to understand how do you even upgrade the printer firmware I mean I never did it before anybody did it anybody upgraded this firmware lately good good for you good for you anyway the answer to this question is surprisingly funny I would say yeah you just print it yeah that's because you see a printer receives a firmware upgrade just the same way as it receives a normal print job that's that thing it's actually pretty nice and it's defined in a HP protocol it's called like PClxl feature reference protocol class 2.1 supplement that if you are still sane after reading this like 300 pages of insanity you understand that this thing defines something called a PJL a print job language if you ever scan the printer through the network you see this port I think 9100 something like that open that's the port that you send print jobs to and there's the same port that you send the firmware upgrade to and that's that's nice so when we look at the file it actually confirms this because it actually begins with the words PJL print job language so that's nice so now we know it's a print job language but unfortunately this document doesn't document anything about the firmware upgrade protocol or anything because kind of HP proprietary so unfortunately we had to like do it ourselves and analyze this thing now I'm not I'm not gonna take you through the entire process of unwrapping this firmware because frankly it's quite boring but I'll just tell you that it's composed of several layers of compression one of them is called NAL decoder the other is called TIFF decoder and another one called the RO decoder and the thing is that these things do something like you know if the previous line was all blanks then if this line is also all blanks just write one instead of the line so that gives you some kind of compression and it makes really a lot of sense when you're talking about print jobs because you know print paper has a lot of spaces in it but when you're talking about binary file it makes absolutely no sense to to do it this way but still you know it's just works this way so we after we understand this that we were able to decode everything decompress everything and we are talking to ourselves and laughing that you know when your hammer everything looks like a nail and when your printer everything looks like a print job so yeah that was nice and after we did that we have a big file that hopefully now it's our firmware so how do we analyze it so looking at this thing right in the beginning of the file there's something that really looks like a table and it's not doesn't really only look like a table it is a table we define it it looks like this and what this table defines is like a loading address section name and location in binary so what that means that our big file is actually split into several sections and this table just defines those sections so now we are able to split this big file into several smaller chunks and inspect each chunk and the most important chunk the most the one that looks most promising looks like it contains our firmware so we took a closer look into that and that's what we saw I mean it actually looks like our firmware that's because you see that's like one of the strings that we've seen it yeah we saw we also that before right it's error I don't understand but it's not completely error I don't understand right there's some missing bytes in here and we actually those missing bytes are pretty consistent throughout the entire chunk so although we know that we are looking at the code we can't actually see the code until we have those missing bytes filled we need to understand why aren't they there and what were they replaced with so let's try to analyze this thing together quickly now but first let's start to understand what is this thing we had a lot of things in mind everyone looked seem crazy but I think the least craziest option was that this is yet another form of compression a really bad one again because when we try to compress this thing with Zilip for example we get like 80% better compression than it currently is so and we know that the printer has illy because we see Zilip strings in there so why not use illy I don't know but still we are left with the challenge so this is one snippet of the code that you just saw and let's try to decompress this so first of all you need to understand this thing is composed of two types of characters one are ASCII characters stuff that you can read and some other are stuff that you can't read none ASCII characters and those none ASCII characters are actually those missing bytes that we have so we need to understand what they are so let's take a closer look at them and if you start this thing long enough you will start seeing some kind of pattern and I'll save you the trouble and just show you that it could it's composed of like these one single bytes and then those double bytes in there and if the distance between the single bytes looks suspiciously patternish like 8 bytes 9 bytes 9 bytes 8 bytes over and over again so what does this mean where is the pattern here if you look at this from a different angle maybe the pattern will look a bit clear you see the f7 and f7 they look the same the ff and ff they look the same something here looks really patternish and in order to understand this pattern you need to sharpen your binary view a bit and if you understand that ff is just one eight one bits and if you do this consistently for all of these chunks then you will start seeing the pattern you see the pattern is that the zero bit always falls within this two byte whole and what this means it's consistent throughout the file what this means is that the first byte is just a bitmap describing the following eight bytes after it that what it means and that's perfect because now we understand what is this single bytes but we still don't understand what are those double bytes and they were replaced with something but with what so if you know anything about compression you know there does not a lot of options here really it could be either a forward or backward pointer it could be a dictionary of some sort or it could be a sliding window now we can pretty easily confirm that it's not a forward backward pointer just because we try to follow the references in the file we see nothing that we that should be there same goes for dictionary we can't find anything that's consistent enough to be a dictionary so it leaves us with only with the option of sliding window and once we're equipped with this information we go to our favorite place to Google and try to find some similar implementations to this and luckily for us in some very dark corner of the internet we find this wiki page it defines something called a soft disk library format and I wouldn't I won't ask if anybody knows who what soft thing is soft disk is because probably somebody knows here it's ccc after all but inside this thing it defines some kind of compression algorithm that looks very similar to our two hours it looks actually really really like ours actually it's exactly our compression algorithm so so yeah that's nice and I think that the funny thing here is that this compression algorithm was used in the past somewhere and only there can you guess where yeah somebody who didn't see this presentation before yeah it was used in commander king and soft disk is the company who produced commander king so the compression algorithm from commander king made its way somehow into the HP the entire HP a line of products how I don't know you can check if there was anybody who was fired from soft disk and hired in HP probably that would be my guess but we'll never know so now we understand exactly what is this thing and how does this compression work we have the missing data that we need and these data means that those two bytes are actually composed of window location and data length and that's all we need and let me show you like really quickly how this compression works so we have an input text output text and sliding window we want to compress this string over here and let's try and do it so first byte is the bitmap I remind you so we leave it empty for now and then second byte we start with a so we place it both in the output text and in the sliding window and then we go to be same thing see same thing D again and now we get to a but a is already present in the sliding window so we don't need to write it in the output text you know we we can just write just do nothing and then go to be same thing is just the following character in the sliding window and then when we get to E we just write 0 0 0 2 that means go to the sliding window at position 0 and take the first 2 bytes that's what it means and then we continue to E F G after we did that we put our bitmap here and now we know the bitmap bitmap value and that's all there is to it that's the compression algorithm it's pretty easy looking at it this way right looking at it at reverse is a bit more difficult but yes now we can do that and now we completely open everything and yes we have our firmware we can read everything it's actual code and now we need to understand what does this code mean and basically first of all we need to understand what architecture is this what is the operating system and so on and so on so it took us quite some time to do that but let me give you a brief explanation first of all the operating system is called tradex it's a real-time operating system the CPU the processor is arm 9 big in the end and then it has like several components to it like stuff that's related to system some common libraries and tasks tasks are the common the equivalent of processes in normal operating systems so in the system stuff we have like bootloaders and some networking functionality and some other stuff common libraries we have a lot of common libraries and tasks once we are able to isolate them we can understand exactly the tasks and once we do that we now know that we all we need to do is like to focus on these tasks because they are the tasks relevant to fax protocols we can leave everything else aside it will make our work much more easy and we don't we want to start doing that but just a second before we do that look in at this we see something that looks not really I don't know it doesn't make sense a lot and this thing is spider monkey the printer every HP printer contains a spider monkey library I don't know if you know what spider monkey is but basically it's the JavaScript implementation by Mozilla it's used in Firefox for example and we were thinking to ourselves why does a printer need to render JavaScript it makes no sense I mean yeah it has a web server but it's not a web client we couldn't think of any situation in which a printer needs to render JavaScript it looked really strange to us so we decided to like try and see where is this printer exactly using JavaScript so we went back a bit and checked and we found that JavaScript is used in a feature called pack proxy auto-configuration it's apparently something no it's it's pretty common it's a common thing it's a good protocol and it like defines a proxy when you're doing a DHCP or something like that and the thing is that the top player functionality of this entire pack functionality was written by HP and when we were looking at that we see all this functionality and we see this strange thing here the printer once he does this pack functionality it tries to connect to this domain fake URL 1234.com just connect to it and do nothing with it some sort of sanity test I guess I don't really know why but the interesting thing here is that do you know who owns the domain fake URL 1234.com no it's not HP checkpoint is kind of yeah yeah I own it yeah it just wasn't registered so we registered that for five dollars and now every HP printer is connecting to my domain so if if anybody wants to buy the domain I have a very good price for you more than five dollars and now I'll hand it over to Ayal to continue okay thank you Aneev after we finished messing around with spider monkey it's time to focus back on fax or t30 t30 and it's full name it's itu t recommendation t30 he's a son of the defines the fax protocol actually it's a very very long PDF more than 300 pages but defines all of the faces and messages we need in order to send and receive a fax document it was force design very long ago in 1985 and was last updated more than a decade ago some from our perspective that's a very good idea because we want to find vulnerabilities in an old and complicated protocol we're most probably going to find some after we read through the standard we started to dynamically look at it you open it in Ida and look up on the t30 task and you can see that the state machine is quite huge as you can see here in Ida and actually that's a small state machine because most of the code blocks you can see over here contains additional state machines inside them meaning that this is going to be a very very huge and complicated state machine to reverse and if that wasn't enough it turns out that HP really likes to use a function pointers and global variables in their code meaning that statically reverse engineering this huge task is going to be very complicated although I personally prefer to statically reverse engineer this time we had to choose a different tactic we'll need to dynamically reverse engineer this thing and for this we'll need to have a debugger and as you mentioned earlier nobody knows how can we debug a printer we already tried the built-in JTAG and serial port and that failed we then searched for built-in gdb stub we could use but I couldn't find any such stub at this point it's very important to remember that even if we could control the execution flow no one can put a debugger without controlling the execution flow and we can't do anything that's a black box I can send papers and that's it and even if I could control execution flow and load my debugger the printer uses a hardware watchdog and this is an external hardware mechanism that monitors the main CPU and whenever many CPU enters an endless loop or halts the watchdog reboots the entire firmware and enter printer and this means that since essentially a breakpoint halts the program whenever we'll hit a breakpoint the watchdog will kill us so we'll need to find a way around this thing and the easiest way we could find out is to spit this enormous task into chunks if you could find any code execution vulnerability we could try to execute code over the printer and load our own debugger and at this stage we had luck and we believe that luck is an important part in every research project Henry on the 9th of the 19th of July Sanrio published a vulnerability called David Xavi David Xavi is a remote code execution in g-soap and many embedded devices and our printer included tend to implement a web server for management and configuration and in our case this web server uses g-soap and it even uses a vulnerable version of g-soap so we now have our vulnerability and we'll need to exploit it for those of you who are not familiar with devil's ivy here is the code and here's the vulnerability itself devil's ivy is an signed integer underflow vulnerability meaning that we'll need to send enough data for the variable to go from negative back to positive and that means we need to send roughly two gigabytes of data to the printer so HP really pride itself on the printing speed of the printers but not on the network speed after many optimization rounds we managed to reduce the exploit time to roughly seven minutes and so you start the exploit you wait and after seven minutes you have your exploit and here our stock of good luck ended because we had the side effect in our exploit and after two to ten minutes the printer will crash and this means we'll need to wait an additional seven minutes we'll have two minutes to debug it and then it will crash again so we're waiting a lot we waited a lot of seven minutes in our research if we recall we wanted a debugger so we could dynamically reverse engineer the firmware we wanted to read memory and write memory and now we have a debugging vulnerability so we could load a debugger we need to execute this debugger so we'll need execute permissions and to load it and the most important thing is that we need to execute our debugger without crashing the firmware because we want a debugger to run and a firmware to debug and we want them to blend inside the virtual address space of the printer leaving happily together we couldn't find any debugger but achieved these goals so I did what my brother usually tells me not to do we actually wrote our own debugger so this is cat scout is an instruction-based debugger it supports Intel CPUs and arm CPUs because we have an arm printer as a prototype we had a Linux kernel driver and this time we're going to use it in it's an embedded mode in embedded mode we compile it to be fully positioned in the pen it because we essentially throw it sour inside the firmware and we expect it to execute we're pre-equipped with useful address spaces like mem copy socket bind listen we find using Ida and whenever it tries to call these functions it goes to its own gut finds the address and jumps to it so after we compile it we use it in our exploit we jumped in we jump into this blob and it starts up a TCP server we can now connect to to send instructions to read memory to write memory and whatever we want you can find scouting a guitar with the examples for the Linux kernel driver and embedded mode and we're actually using it for some CDS now so it's highly recommended now that we read this point in our talk we haven't yet described to you how a fax actually works so we we've we've scouted with dynamically reverse engineered the firmware and now we can actually describe to you how a fax actually works in order to send effects we need a sending machine we need to send it to some modem the packets from the modem will be processed in the CPU and afterwards the data is going to be processed and probably printed let's see how it starts we start with network introduction trobing and ranging echo analyzer echo can sling more training and you actually need to be quite familiar with these steps because they sound like this with these beeps we actually created an HDLC tunnel through this tunnel we're going to send our t30 messages to the CPU in t30 you have face a which we send the caller idea which is this ring in face be you negotiate the capabilities so I send my capabilities and receive the printers capabilities face easy important step because here we actually send our fax data line after line page after page and face the we finish I send an act I receive an act and that's it let us now see how a normal black and white fax document is going to be sent for the protocol so we have our document is going to be sent over the HDLC tunnel using t30 messages over face see and the received document is actually the body of a t file compressed in g3 or g4 compressions from our perspective that's partial good news because there are many vulnerabilities when parsing tiff headers and we only control the data of the file the headers themselves are going to be constructed by the printer itself using messages from face a and face be so we partially control a tiff file and after it's done and ready the file is going to be printed like every good protocol and here's comes very interesting t30 supports many extensions can you guess what interesting extensions there are in a protocol so there was a security extension but no one uses it so the other extension is color extension actually you can send colorful faxes and the British use it in hospitals for some reason let us see how a fax document have a colorful fax works we send a document for the HDLC tunnel over face see and the received document is actually a jpeg file this time you control the header and the date of the file and we can do whatever we want with it and send it for printing now that we know how a fax actually works where should we look for vulnerabilities in it well we have complicated state machines we stand strings there are several file layers but the most convenient layer is the applicative one and most importantly jpeg because we control the entire file we can if we look on a jpeg file it mainly consists of markers we have a start of market application market we've length and data more markers with length and data and so on and so on if we zoom in on one such marker we can see that in this market we have a compression table a forward for compression matrix for the exact document we send and we have a header length field for reformatrix and the data itself if you zoom in a bit deeper we can see that here we get a matrix we sum up all of the values this matrix should be rather sparse with zeros ones and twos the accumulated value is going to be a length field in this case six bytes and six bytes are going to be copied from the data to a local small stock buffer like this so if you can see the vulnerability at this point we were like what a fax because that doesn't make sense we control the entire header if we put huge values in our matrix like so we'll have a four kilobyte length field copied into a stack buffer two hundred fifty six bytes effectively having a stack based buffer overflow in our printer it's a trivial stack buffer overflow we have no byte constraints we can use whatever we want null bytes none of ski bites whatever we want and four kilobyte of user control data that's more than enough to exploit on this point we had to bypass several operating system and security mitigations now and not exactly it's it's an RTOS fixed other spaces no canaries it's the 80s it's really simple we've got the CVS from HP 9.8 and critical you should really patch your printers now and you can see the response we received from HP after we worked with them to patch these vulnerabilities which is a good time for our demo unfortunately we couldn't bring it like that also we just filled something for you so this is our backup machine we need to do this for this script it's connected to a model that we will be like $10 from Amazon we're sending our malicious stack to this printer and yeah having call from who? Wait just a second faxes are slow yeah they are so from even a taker of course we you can forge this easily and now the printer is receiving the fax and processing it and now it's obviously a color colorful fax and now we have full control over the printer so it's ours but that's not enough because we want to show that we can propagate to another computer so our fax our malicious fax contained eternal blue in it so once any computer is connected to the network the fax now will recognize it and we try to exploit it and here you go yeah yeah yeah so so we made it after all it was a long way some conclusions we have to tell you first PSTN seems to still be a valid the tech service in 2018 fax can be used as a gateway to internal networks and all the outdated protocols probably not so good for you so try not to use them if you can what can you do to defend yourself against this catastrophe a lot of things first of all you can pet your printers as they all said this link will you know just tell you if your printer is vulnerable by the way every HP inkjet or official printer is vulnerable to this thing it's the biggest line of printers from HP over I think 200 300 300 models are vulnerable to this thing so really go and update another another thing I can tell you is if you don't need fax don't use it and also if you do need to use fax after all try and make sure your printers are kind of segregated from the rest of the network so you know even if somebody takes over the printers it will just be confined to the printers and won't be able to take over your entire network so guys these are really good suggestions all of them but really the best suggestion I have to give you today is please stop using fax thank you thank you and just just one second before we finish this was a long way a long journey and pretty journey we had some very good friends that helped us a lot along the way physically mentally technically so we must mention them these are the guys here some of them are in the crowd so they deserve some some claps and one special guy that helps us is Yanai Levne and he also deserve this and that's it basically guys so if you want to follow more of our work you can find us here follow us thank you very much we have five minutes for Q&A so please line up at the microphones if you want to believe now please do it to your right side so this side from the stage is the left side but for you it's the right side so please line up at the microphones I think I can see microphone for already so we start with microphone for please thank you for this talk it's scary to see that these things work today you talked about email to fax or fax to email services now it's is it possible that there are other entities in those as well I know for its box ruders allow fax to email could you attack those possibly so basically those services use t30 as well we didn't look at them frankly we had so much work to do with the printer that we didn't look at any other printers or any other services but I can't say for sure but if you're looking for vulnerabilities I would recommend to go look there as well great microphone number five please what can you disclose about the data that's sitting your URL what can you disclose about the machines that are knocking on your URL to fake you or one two three four there are a lot of HP printers out there that's all I can disclose so we have one question from the signal angel please did you try to activate JTAG of media printing a modified firmware we tried to use the JTAG we think it's disabled from the factory lines it was too much work so we decided to use devil's IV it's a good vulnerability once we have devil's IV and we can use scouts scout is more than enough for debugging essentially after we used the JPEG of vulnerability and we loaded up scout scout survived for weeks on the printer without any crash so that's more than enough great we go with microphone number two please yes so thank you for the nice talk and I think you're completely right you can have many problems with legacy protocols the only thing I do not really get was the part how you then can automatically successfully attack your laptop on the network my point would be my laptop is as secured as I am going to the internet cafe or something else so you would not be able with your HP printer to start the calculator on my linux or even not on my windows well your print your laptop might be secure I'm sure it is but many others are not we try to show this using the eternal blue exploit as you know wanna cry stuff like that you know this thing created a lot of and the war patches out there and still it was so we're not here to attack anyone we're just saying that theoretically if somebody wants to get into the network and he has a vulnerability that you're maybe not patched or secured facts would be a bad idea but it was not it was nothing which was part of the print sorry unfortunately we don't have more time for Q&A so thank you again very much thank you it's really nice