[Cryptography] trojans in your printers

[Henry Baker]

At 04:32 PM 2/26/2015, John Denker wrote:
>It seems prudent to assume that anybody who is badass 
>enough to hack your printer will not hesitate to use a 
>stolen IP address ... and MAC address.

Soooo....

If we don't trust our printer, then we have to put it
on a wired network that (as far as it can tell) has only
one other node: the host that sends it print commands.

In other words, we might as well run it from a USB port,
except that it could be doing BADUSB stuff to us.

We also have to assume that it is storing everything
that we've ever asked it to print somewhere it its
bowels, which info may eventually be disgorged if it
ever gets a chance to talk to the Internet, or if a
USB stick is ever inserted.

Perhaps the safest configuration would be to buy a
cheap ($25) travel router & attach the printer to
this router via USB.  Reflash the router code with
OpenWRT, and have the router manage the printer.
The printer then thinks that it is a slave to a
single host, and has no access to the Internet.  Yet
the router can accept print commands from anywhere
on the network to feed to the printer.

The printer can attempt to do BADUSB stuff to the
travel router, but hopefully the printer isn't
smart enough to know how to hack every possible
OpenWRT configuration.