2024-12-29 –, Saal ZIGZAG
Language: English
Remember the days when faxes were the pinnacle of office tech, and the sound of a paper getting pulled in was as satisfying as a fresh cup of coffee? Well, it's time to dust off those memories and reintroduce ourselves to the quirky world of printers and their forgotten fax interfaces – yes, those relics that make us all feel like we're in an '80ies sci-fi movie – and specifically, how they can unlock a new frontier in printer security exploits!
In this talk, we'll show you how we leveraged a printer bug that we found at Pwn2Own Ireland this year to gain remote code execution. Over its fax interface. You might think, "Who cares about faxes?" – but what if I told you that lurking within this vintage feature is a potential pathway for remote code execution? That's right, while everyone else is busy patching the latest vulnerabilities in trendy software and half the world is obsessed with cloud security, we'll be having a blast with tech that should've been retired to the attic long ago, exploiting a feature that's older than some of the attendees!
We'll explore how this vintage tech can be the gateway to some serious mischief. Think of the possibilities: municipalities, banks, courts, you pick your favorite bureaucracy. Unfortunately, we can't do any of those things -- that'd be naughty -- so we're restricted to doing the stupidest things we can think of in our live demos. In case you're wondering: of course we'll be running doom on this thing, proving that even the most outdated tech can still pack a punch, as we take control over this device in style. Expect a mix of technical insights and many moments of "why would you do that?".
So join us in this wild ride through simpler times -- who knew the key to world domination lays in a dusty fax machine?
Rick de Jager is a Master’s student at Eindhoven University of Technology (TU/e) with a strong passion for cybersecurity and competitive hacking. As an avid CTF player, Rick is an active member of the CTF teams Superflat and 0rganizers. He also represented Team Europe in the International Cybersecurity Challenge (ICC) in 2022, 2023, and 2024, and wrote the open source traffic analyzer "tulip". Rick has participated in Pwn2Own for three consecutive years, successfully demonstrating exploits in consumer hardware and automotive targets.
