Dot-Matrix Printers and the Sound of Security Risk
Sometimes I just run across something that makes me go, "Hmm." In this case, it was the editor's note from a sister brand's e-mail newsletter, Dr. Dobbs Update, which is produced by the makers of technology resource Dr. Dobbs. In it, editorial director Jonathan Erickson discusses the state of dot-matrix printers in today's technology world. According to a study he cited, the loud, "old fashioned" printers are still alive and kicking, especially in banking, with 30 percent of banks surveyed admitting to using the devices.
However, researchers from Saarland University caution that financial institutions and others who use these printers should be aware of a security risk unique to these kinds of output devices. In the paper "How Printers Can Breach Our Privacy: Acoustic Side-Channel Attacks On Printers," the team concluded that clever criminals can discern very sensitive information that is in the midst of being printed (account numbers, medical information, and the like) by paying attention to the sounds coming from the printer.
According to Erickson: What the researchers discovered is that by capturing (recording) the ratta-tat-tat of dot-matrix printers, then applying feature extraction from speech-recognition (Hidden Markov Models) and music processing, you can extract valuable, private data from dot-matrix printers.
The researchers say that although dot-matrix printers are outdated for private use, they "continue to play a surprisingly prominent role in businesses where confidential information is processed, in particular in banks (for printing account statements, transcripts of transactions, etc.) and doctor's practices (for printing the patients' health records and medical prescriptions)."
Why the continued love affair with such outdated printers? The Saarland team claims there are several reasons the printers are still present in businesses, including robustness, cheap deployment, incompatibility of modern printers with old hardware, and, overall, the lack of a compelling business case for modernizing such hardware. On the medical front, they also note that several European countries, such as Germany, Switzerland and Austria, have laws on the books mandating the use of dot-matrix (carbon-copy) printers for printing prescriptions of narcotic substances.
The study is a pretty interesting read from what I saw. But it just amazes me that this kind of acoustic exploit exists out there. However, after additional follow-up with my colleague at Dr. Dobbs, it turns out the acoustic exploit is well-known. Erickson says there actually is a special "Tempest" certification for equipment that reduces, eliminates or obfuscates the inadvertent "signals" produced by printers. These are in use by government and military facilities, for instance.
By the way, of the 30 percent of banks that said they use dot-matrix printers, only 8.3 percent said they planned to replace them with more modern equipment. But, I suppose the industry can take heart in the fact that doctors' offices are even more guilty of using the noisy devices: 58.4 percent of those surveyed, to be precise. Furthermore, fewer of them (4.7 percent) plan on upgrading any time soon.