Rolling Attack: An Efficient Way to Reduce Armors of Office Automation Devices

Firmware security has been a focus of IoT security in recent years, and the security of office automation device firmware has also attracted widespread attention. Previous work on attacking office automation devices mainly focused on code flaws in firmware. However, we noticed that finding these vulnerabilities and applying them to office automation devices requires rich experience and long-term research on specific devices, which is costly. In this work, we design an easy but efficient attack, Rolling Attack, which rolls back firmware to perform attacks on an office automation device even if its firmware is up to date. By rolling back firmware, attackers can use Rolling Attack to exploit vulnerabilities that have been fixed by the latest firmware on office automation devices, covering personal computers, network printers, network projectors and servers. We also propose a system called Rolling Attack Pentest System to test devices with Rolling Attack. By crawling firmware on the Internet, we have collected firmware packages for 99,120 models of devices over the past 2 years. We also collected the vulnerabilities of this firmware. We verified Rolling Attack on popular office automation devices covering 45 vendors, including Lenovo, HP, Samsung, Canon, Brother, Sony and Dell. We performed Rolling Attack on 104 different office automation devices covering 4 types (personal computer, network printer, network projector, server) with the collected historical versions of firmware. 50.00% of the device models we tested can be rolled back. 88.46% of the devices that were rolled back are vulnerable to public vulnerabilities. We conclude that 44.23% of the devices we tested are affected by Rolling Attack. Finally, we give some suggestions on how to mitigate Rolling Attack.