Two Tandon students from the Offensive Security, Incident Response and Internet Security Laboratory have discovered a vulnerability in the NYU Print Service that would allow black hats — individuals who use their extensive computer knowledge to breach internet security — to take full control of any computer, as long as it is connected to the same Wi-Fi service as the printer, according to one of the two students.
Tandon sophomore Nick Gregory, one of the two students responsible for discovering the vulnerability, said that fellow OSIRIS member and Tandon freshman Kent Ma accidentally discovered the vulnerability when he was bored one day.
“[Ma] basically decided to see what was running on his laptop, just as a sort of self-scan,” Gregory said. “Then he realized that there was a service that [was] listening to anything out there, and we started looking at it, and within the night we [noticed] it crashing.”
Gregory said that he and Tandon senior Christopher Thompson investigated the vulnerability and wrote an exploit — a method hackers use to access computers — with the help of Tandon graduate student Tyler Bohan.
“The print service on your computer is constantly listening for connections from the outside world, so it is supposed to just be listening to connections from NYU’s main print server,” Gregory said. “However, it is not filtered enough, so anybody can be connected to your computer. We found a certain exploit where if you sent it a maliciously crafted packet, you can redirect the flow of the program instead of just doing what it’s supposed to [do].”
Gregory said that from there, the flow can be hijacked and pointed to another code elsewhere. A hacker’s own code could be running on the computer.
Gregory said that once hackers could run their codes on the targeted computer, they could, in theory, take complete control of the computer’s functions and software. He said that hackers can put people’s personal information at risk by ransom-waring a computer, turn it into a bitcoin mining machine or use it as part of a botnet, which is a network of machines with viruses.
He also that those who use the NYU Print Service could easily remedy the issue by going to the NYU Print Service website and updating their software, but those who fail to do so could have their computers compromised. According to Gregory, the vulnerability was fixed in the last version of the NYU Print Service released in March, but all previous versions of the service contain this vulnerability.
“[The NYU Print Service] does not automatically update, which is one of the reasons why this is such a problem,” Gregory said. “[Students] have to manually go and update it into the most recent version. It does not auto-update.”
NYUIT said that they alerted NYU students to the vulnerability on their website. They said that upon discovering the vulnerability, NYU posted an alert on its security page urging clients to install necessary updates.
“As was the case with the remote printing software, vulnerabilities are frequently undetectable by users,” NYUIT said. “We urge students to install software updates on their personal devices as soon as they become available.”
To prevent future incidents NYUIT said that everyone in the NYU community should sign up to get security alerts delivered to their inboxes.
Tandon sophomore Momopranto Amin, the head of OSIRIS, said that vulnerabilities like these were to be expected, so people have to stay vigilant. He said that these vulnerabilities are usually discovered either by accident or through searching for them, like Google’s Project Zero does.
“This isn’t something antivirus can protect you against and it’s impossible to know about all the vulnerabilities in all the programs you have installed on your computer,” Amin said. “The only countermeasure is to try to keep your operating system and programs up to date.”
Amin also said that more white hats — computer hackers who aim to improve security — are needed to identify and remedy vulnerabilities before too much damage is done.
“We and security researchers around the world are always looking for these vulnerabilities in the programs we use every day, but currently there’s just not enough eyes looking at these problems,” Amin said. “The world needs more white hat hackers to keep us all safe. If you’re worried about your cyber safety, there’s plenty of ways for anyone to get involved.”
A version of this article appeared in the Monday, May 1 print edition.
Email Herman Lee at [email protected]