http://dx.doi.org/10.13089/JKIISC.2019.29.1.165

A Security Vulnerability Analysis for Printer Kiosks  

Ji, Woojoong (Department of Computer Science and Engineering, Sungkyunkwan University)
Kim, Hyoungshick (Department of Computer Science and Engineering, Sungkyunkwan University)
Abstract
Printer Kiosks are frequently used today in public places such as streets, subways, schools or libraries. Since users sometimes print documents that contain confidential data using Printer Kiosks, the devices should store and manage the documents securely. In this paper, we identify potential security threats in Printer Kiosks and suggest practical attack scenarios that can take place. To show the feasibility of the suggested attack, we analyzed network traffic that was generated by a real Printer Kiosk device. As a result of our analysis, we found that attackers can access other users' scanned files and access other users' documents from the Printer Kiosk's home page. We confirmed that, using our attack, we could retrieve other users' personal data.
Keywords
Printer kiosk; HTTP; URL meta data; URL guessing attack;