
In an environment where users connect their devices to printers through USB, the device will be prompted to install the printer's driver if it's the first time. As far as I'm aware, for OSX the drivers are downloaded from Apple and you can't download them without an internet connection.


For example, this huge 100MB driver: http://www.support.xerox.com/support/phaser-6700/downloads/enus.html?operatingSystem=macosx1010&fileLanguage=en&x=16&y=5

  1. What privileges & capabilities does the driver have on the user's machine when installed?
  2. How are drivers registered to this Apple repository (and the equivalent for Microsoft, etc.)? How are driver modifications handled & pushed?
  3. Can the printer be modified so that the device is requested to download the wrong driver (e.g. for a different model printer, although still from Apple's repo)? Can the printer protect the integrity of which driver it requires?
  4. How can someone analyze the driver and effectively reverse-engineer it to understand what it's doing?
  5. Are there existing, open-source printer drivers that can be installed to eliminate this threat model entirely?

Hypothetical threat: A printer is purchased and modified to become non-existent model ABC1. A malicious driver is then created & registered as a publicly available driver for a 'legitimate' printer model ABC1. This implanted driver is then used for ______, either on connection to the printer in future, or over the LAN, or otherwise.

Jack
  • AFAIK the print drivers delivered in this way are signed and produced by/with the aid of Apple. There are various 3rd party print drivers however all the ones installed like this are all the same great system ones. Clearly Apple has a major hand in their construction because there’s no bloatware included like on windows. Good question! – Allison Oct 20 '17 at 22:18

1 Answer


First, I'm not very familiar with the details of MacOS, so I can't say anything about your 2nd point.

For clarification, I assume there is an attacker who (somehow) succeeded in registering and uploading a malicious driver to the Apple repository which is assigned to the imaginary printer model ABC1. And the attacker has some real modified printers (of any actual model) which tell connected computers they are of the model ABC1.

About 1. Hardware drivers, assuming the proprietary drivers are USB drivers, usually run at an elevated privilege level (kernel mode), which allows them to do nearly everything with your computer once installed and active. This includes, but is not limited to, accessing and modifying your whole file system content, recording your keystrokes and monitoring your network traffic. It would be a kind of rootkit.

About 3. Yes and no; well, that's more than one question. First, a USB printer can't actually request your OS to download anything. It is connected via a USB connection (as a printer) and is communicating with your OS via data packets. It's a bit like a network connection. But your printer tells the OS which model it is, and with this information the OS can download an appropriate driver for the printer. So an attacker just has to play the man-in-the-middle in the USB connection and send a different model number to the OS.

To the second part. The nature of USB, which is exchanging small data packets, does not allow e.g. a printer to simply verify the identity of its communication partner, here the computer. This especially includes things like verifying the binary of the printer driver. Therefore neither the printer nor the OS could ensure that there is no man-in-the-middle attack as described above.

About 4. Well, I'm not an expert in reverse-engineering, but you can always analyze a given binary program. However, this is usually long, difficult and tedious work, especially for bigger binaries. But besides the actual reverse engineering there are alternative methods like black-box testing, which try not to understand the whole binary but to observe what it actually does.

About 5. AFAIK, USB itself defines a primitive interface for how to print with a USB printer, but it requires additional information. However, the printing system of the OS, like CUPS in Linux and MacOS, has some support for generic models available which could do the job. But a printer might have additional features like an integrated scanner. Those features won't work without the proprietary driver.

Cryptjar
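The answer's point 3 rests on the fact that the OS picks a driver from the model the printer reports over USB. The following is an added example, not code from the question or answer: it parses the IEEE 1284 device-ID string that USB printers send (semicolon-separated `KEY:value` pairs such as `MFG:`, `MDL:`, `CMD:`, the same string CUPS's USB backend reads to match a driver) and flags a device whose reported manufacturer/model pair is not on a fleet inventory, which is how a defender would notice a printer announcing itself as a model such as "ABC1" that nobody procured. The inventory and the sample ID strings are constructed for the example.

```python
# Added example: check a USB printer's reported IEEE 1284 device ID against
# an inventory of models the fleet is expected to contain.

# Hypothetical inventory of (manufacturer, model) pairs that were procured.
EXPECTED_MODELS = {("Xerox", "Phaser 6700DN")}


def parse_device_id(device_id: str) -> dict:
    """Split 'KEY:value;KEY:value;' into a dict.

    Printers may use the long key names (MANUFACTURER, MODEL, COMMAND SET)
    or the short ones (MFG, MDL, CMD); both are normalised to the short form.
    """
    aliases = {"MANUFACTURER": "MFG", "MODEL": "MDL", "COMMAND SET": "CMD"}
    fields = {}
    for pair in device_id.split(";"):
        if ":" not in pair:
            continue  # skip empty trailing segment or malformed fragment
        key, value = pair.split(":", 1)
        key = key.strip().upper()
        fields[aliases.get(key, key)] = value.strip()
    return fields


def check_printer(device_id: str, expected=EXPECTED_MODELS):
    """Return (ok, reason).

    ok is False when the reported MFG/MDL pair is missing or is not one the
    fleet is expected to contain, i.e. the OS would go looking for a driver
    for a model nobody installed on purpose.
    """
    fields = parse_device_id(device_id)
    mfg, mdl = fields.get("MFG"), fields.get("MDL")
    if not mfg or not mdl:
        return False, "device ID lacks MFG/MDL; model cannot be identified"
    if (mfg, mdl) not in expected:
        return False, f"unexpected model {mfg} {mdl}; driver lookup would target an unknown model"
    return True, f"{mfg} {mdl} is in inventory"


# Constructed sample device-ID strings (not captured from real hardware).
GOOD_ID = "MFG:Xerox;CMD:PJL,PS,PCL;MDL:Phaser 6700DN;CLS:PRINTER;"
SPOOFED_ID = "MANUFACTURER:Xerox;MODEL:ABC1;COMMAND SET:PJL;"

if __name__ == "__main__":
    for label, did in (("inventory", GOOD_ID), ("spoofed", SPOOFED_ID)):
        ok, reason = check_printer(did)
        print(f"{label}: {'OK' if ok else 'ALERT'} - {reason}")
```

On a real host the device-ID string can be obtained from the printing system's USB backend (for example the output of CUPS's `lpinfo -l -v` for usb:// devices) rather than constructed as above.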