InkFiltration: Using Inkjet Printers for Acoustic Data Exfiltration from Air-Gapped Networks

Figure 1 shows the components commonly found on an inkjet printer. When printing a document, a paper sheet placed on the paper loading tray is first brought into the printer by the feed mechanism. This mechanism consists of a series of rollers connected through a gear train, whose rotation is controlled by a DC motor along with an optical angular encoder. The paper sheet is then advanced into the printer until the first graphical object to be printed is directly below the printhead. The printhead then starts sliding across a metal rail, which spans the width of the printer, by means of a timing belt linked to another DC motor. To regulate the speed and position of the sliding printhead, a transparent plastic strip with fine black bars, located parallel to the printhead’s rail, works as a linear optical encoder along with a sensor located in the printhead. Within the printhead, the ejection mechanism expels droplets of ink through each of the hundreds of nozzles that are part of it. When the last graphical object has been printed, the roller mechanism expels the paper sheet from the printer into another paper tray. Excess ink can be removed from the printhead at any time through a series of plastic brushes and two ink compartments located at one end of the printer, whose purpose is to collect the residues of black and color ink. At the other side of the printer, two pads cap the printhead nozzles when not used, so as to avoid ink drying. The printer’s actuators are activated and controlled by a microcontroller on a PCB plaque to which all electric components connect. The detailed disassembly of another inkjet printer is shown in the work of Wandel [36].

Depending on the graphical objects present on the document to be printed, the printhead will pass multiple times or just one time through their location; in particular, when dealing with images or fully colored figures, multiple printhead passes will be required to preserve the quality of the graphical objects. Indeed, modern printers implement a dynamic print mode control [20], by which they are able to decide how many passes to do at a given region based on the amount of ink to be ejected. But the exact number of passes the printer is able to do is a fixed quantity predetermined in the design of the device—that is, the printer can only decide whether to do one pass or two passes at a given region, each of which corresponds to what is called a print mode, but not more. In the work of Lee and Allebach [24], the multi-pass mechanism is described by stating that the printer employs a binary mask with a checkerboard pattern to determine in which locations to eject ink droplets in each of the passes to a particular horizontal region. After each pass, the paper feed mechanism will displace the paper by a fraction of the printhead’s length so that it then allows the printhead to fill the blank spots left behind, utilizing a new binary mask for this purpose.

The manner in which inkjet printers convert continuous tone images into dot-based images is through the use of halftoning, either by modulating the size of the dots or the frequency in which they appear. The continuous color tones can be emulated as a consequence of the human visual system low-pass filter effect, whereas the individual dots that conform the elements of the documents are blurred out [23]. As white paper is the usual printing medium for printers, bright colors will therefore contain a lower amount of dots than darker ones.

Throughout our experiments, we identified two highly correlated main sources of noise emitted from inkjet printers that could serve for the purposes of our covert channel: one corresponding to the sliding movement of the printhead and another that matched the rollers’ actuation. The noise source we were interested in was the one generated by the roller mechanism, as it proved to produce a louder noise in a pulse-like manner, thus facilitating its reception, than the one generated by the sliding printhead; this difference was consistent across all printers. Figure 2 shows the waveform and spectrum of the acoustical signal we are interested in, a signal whose pulses comprise almost the entirety of the frequency range shown. In our attack, we use these acoustic pulses to transmit data from the infected computer, bandpass filtering the resulting signal to prevent low frequency interference from other printer noise sources and to delimit high-frequency noise from the environment.

Transmission is done by using imperceptible patterns injected into the documents being printed, which as mentioned before are used to control the printing process. Through the use of a series of very light colored rectangles (imperceptible to the human eye) with different widths imposed on the white background of documents being sent to print, as shown in Figure 4, our objective is to manipulate the frequency at which the printer’s roller mechanism activates (i.e., the mechanism that displaces paper sheets inside the printer).

The rectangles we inject into documents are drawn across the horizontal space of a page and are stacked vertically on it. These rectangles are meant to activate a printer’s multi-pass mode—that is, the mode that produces the greatest number of printhead passes and roller activations over a given area, which is normally used to ensure densely colored figures keep their details when printed. It is also the mode that generates the least amount of paper displacement for each roller activation. By triggering this mode in text documents, we basically obtain control over the printhead’s operation with our injected rectangles, affecting the time the printer takes to complete each of the horizontal areas where the printhead maneuvers. Any overlying text that may be present has minimum influence over the printhead, because of its graphical sparseness, which means the printer can print those segments of text in any of the multiple passes the injected rectangles do require, and not interfere significantly with our modulation, as will be explained in the following.

The timing effect that the injected rectangles cause depends on their size, and thus we define two main spatial properties that characterize these figures, as shown in Figure 4: width and length. First of all, a specific minimum width and length are needed to activate the multi-pass print mode. After determining these minimum parameters, we can subsequently increase the rectangles’ width in different proportions to actually modulate the rate at which page displacements are made (i.e., the frequency at which acoustic pulses are produced). The rectangles’ minimum length is actually equal to, or a fraction of, the vertical length that the yellow color nozzles occupy on a given printhead. In practice, this means each rectangle will generate exactly one paper displacement if they perfectly occupy all the printable vertical area the printhead can operate at a given moment, which let us maximize the use of a paper’s space and produce reliable transitions between rectangles of different width. However, once we assure each rectangle generates a single paper displacement, the way the rectangles’ width actually modulates the printing process can be understood with the next example: given two rectangles of the same length, vertically stacked on a blank page and aligned to the margin closest to the printhead’s resting position, if one of the two is wider than the other, it is evident that the printhead will need to go farther away to print the wider rectangle. This will then increase the time period between paper displacements than when printing the rectangle that covers less width of the page.

A third and last factor that controls printheads’ speed is the lightness of a figure’s color, which affects the total number of ink droplets ejected per area, although this parameter is not that useful for the purpose of our attack, as it can compromise the stealthiness of the operation. It is important to understand that the very light yellow color we use in our rectangles is obtained by sparsely ejecting yellow ink droplets from the printhead, as part of the halftoning process that uses the white paper background to modulate the brightness of colors, an example of which can be seen in Figure 5. By using such a light color, we ensure a human cannot distinguish the patterns from the background. In fact, it is known that the human visual system relies more on luminance contrast than on the absolute levels of luminance, or than on chromatic contrast, for the interpretation of information [38], and the difference in luminance between yellow and white is indeed perceived to be small and hard for humans to see. It is evident then that a very light tint of yellow on a white background will not be detected—an effect that has been previously utilized in the context of printers [29]. If we use darker colors for our injected patterns, we are only making the printhead cover with more ink a given area, which will result in the figures being more noticeable. But the contrary is also true; there is a limit below which we cannot make lighter the color of our rectangles, as the printer stops considering those figures as densely inked, and no change to multi-pass print mode is realized. In practice, the light color utilized in our injected patterns throughout this work was close to this threshold, which in all cases resulted in these patterns being invisible to the authors’ sight. Appendix A shows a document page with both a human-visible and a true representation of the injected patterns.

The parameters just mentioned have been described in an isolated way, in the context of blank documents, without other graphical objects interfering. We are now going to explore how these graphical patterns coexist with others introduced by a user. There are two cases we may face: (1) a document with equally dense or more densely inked graphical objects that require multiple passes from the printhead, such as images, and (2) a document with sparser graphical objects, such as text, that usually require only a single pass per horizontal area. Just to be clear, documents can contain both elements, but here we study them separately to understand their effects. First of all, if other dense graphical objects are present, the attacker’s modulation may not have any effect. Both rectangles and the other densely inked objects, such as images, activate the same multi-pass print mode, but because our rectangles use a very light yellow color that requires less ink than what normal images use, and the latter may occupy the entire width of a page, images will be the ones that effectively control the printhead’s speed so that any attempt at modulation will be disrupted.

In the second case, if the graphical objects are sparse and they manage to activate lower priority print modes than the one used by the rectangles, such as normal text, the rectangles will effectively define the speed of the printhead and paper displacements. But depending on how much of a page’s width the text covers, it may still add a small offset on the printhead’s travel time within a given horizontal space, especially if the rectangle’s width is smaller than the text’s overall width. Returning to the previous example with the two vertically stacked rectangles of different width, if we now overlay some text on that same page, we can observe that if the width of the bigger rectangle is greater than the text’s overall width, then the printhead still needs to go all the way up to the other side of the rectangle, thus preserving the time delay observed in the example before. If the smaller rectangle is of less width than the text, the printhead still needs to travel until the end of the text block, but as the text does not need that much ink, the printhead will pass more rapidly than if it were part of the rectangle, resulting in a small added delay. This means that changing the rectangle’s width, even if it is smaller than the text’s overall width, will still have an effect on the printhead’s travel time.

Overall, this is the intuition behind printer modulation, although there are some caveats with particular printers, as explored in Section 5.

As our attack is only capable of modifying the differences in timing between subsequent paper displacements, such as acoustic pulses, differential pulse position modulation) was a logical choice to use for encoding bits. We defined two different time periods to establish binary transmission, an example of which can be seen in Figure 6. In our communication system, data is split into packets—the payload size of these packets being dependent on the line of printers to which the targeted device belongs. Each page can be used to transmit a single packet, and besides the payload, each packet includes a 4-bit preamble and a parity bit.

Our receiver processes the modulated acoustic signal by breaking it into overlapping segments of 1 second, but first, a matched filter is utilized to robustly detect the packet’s starting point jointly with the bit preamble. Then, for each segment, we bandpass filter the signal in a printer model dependent range, after which we compute the root mean square envelope of the filtered signal over a sliding window. The upper envelope is root mean square normalized and downsampled, and finally the peaks’ occurrence in time are calculated based on an empirically determined minimum threshold and minimum distance between peaks. Normalizing the signal before locating the signal’s peaks is particularly useful for us, as we can establish the same threshold value to detect peaks irrespective of their absolute values, which vary with the attenuating properties of the channel.

In Linux and macOS operating systems, the Common Unix Printing System (CUPS) is the current software tasked with managing the interface between the user’s computer and its printers. CUPS uses the PostScript Printer Definition file format (PPD) to describe printers’ configuration, and a series of filters translate documents being sent to the printer into a final format understandable to it. Back-end filters are the endpoints to this chain of filters whose purpose is sending the data directly to the printers and other filters performing document format conversions and rasterization. The filters that end up being used are generally determined by the document’s MIME format, a list of them defined by the configuration file mime.types, and the particular chain of filters assigned for each file format being described on the configuration file mime.convs. The CUPS standard print job transfer format passed from being PostScript to Portable Document Format (PDF) in 2006, so now all important applications send print jobs in that format [33]. Consequently, our attack is designed to inject the imperceptible patterns into PDF files. PDF became standardized as ISO 32000-1 with version 1.7 in 2008 [2]: it is a device and resolution independent file format, with a structured hierarchy of objects that organizes each pages’ content. These features make PDF files perfect for our attack, which requires injecting specific patterns at certain pages in a consistent manner.

In our attack model, the malware with necessary privileges will convert the data bits to exfiltrate into a series of patterns to be injected into the documents whenever they are sent by the user’s machine to the inkjet printer. By intercepting the documents before they are processed by the printer’s driver or subsequent filters, we can succeed in injecting the patterns. This can be done on CUPS by adding a malicious filter at the beginning of the filter chain used to process documents sent to the printer, or by creating a wrapper for one of the existing filters so that it first calls our malicious code and then executes the original intended code. For example, in the former case, to add a malicious filter at the beginning of the filter chain, one can edit the mime.types file so as to create a new MIME type paired with PDF files, removing the original pairing expression from the PDF MIME type. One can then link the malicious filter with the new MIME type by including it in the file mime.convs, specifying the malicious filter’s ending format as the original PDF MIME type so that the document continues through the normal filter chain. By having control of a CUPS filter, we cannot just inject the patterns into the document, but include a series of checks so as to ensure the document is in the appropriate format—for example, we check if images are present in the document and ignore the pages where those are.

As mentioned in Section 4, the minimum rectangle length is one of the most important parameters needed for this attack to succeed. By applying it, we ensure that each printed rectangle produces only one printer roller activation (i.e., one acoustic pulse), thus letting us use effectively the entire space of a page. Although theoretically we could obtain the specific rectangle length by measuring the size of the yellow color nozzle columns in a printhead (which would require micrometer accuracy), it is better to use an indirect method that can easily get the exact measurement with no errors. This indirect method consists of a sequence of tests, whereby a rectangle’s length is increased in size, until a change in the total number of printer roller activations is produced. The tests are all done in a blank document, where the target rectangle is the only graphical object present. In Figure 8, we give a graphical example of this procedure, and in the next lines, we will describe in detail this simple algorithm. In summary, the steps to be taken are as follows:

In the first step, we are forcing the printer to feed in a paper sheet, make a single printhead pass on it, and then eject it immediately. Because the rectangle length is too small and does not need that much ink, the printer will be just using a single-pass mode for the covered area. It is not until the second step that the multi-pass print mode, reserved for densely inked figures, is finally activated, as the rectangle’s length will be sufficiently large enough to surpass the limit between print modes. In some printers, the transition between print modes will be reflected by two paper displacements, but in others, the transition may instead produce a greater number of paper displacements (e.g., from zero to three). We refer to the specific rectangle length that produces this transition as the transition length. Increasing the size of the rectangle by a constant value hereafter will generate only single extra paper displacements—a constant value that is different from the transition length, and which we call the modulation length. Increasing the rectangle length by this quantity n times will result in n printer roller activations.

If our goal is binary modulation, as it is in this work, we can design the rectangles such that one of them covers the entire horizontal area of a page, whereas the other one has its width reduced to cover the least amount of horizontal space possible without changing the multi-pass print mode into a single-pass print mode. Finally, the exact yellow tint to be used for the rectangles is found by iterating over brightness values until a change in the print mode is noticed, which is usually when the rectangles stop being visible. The minimum rectangle length ensures that at the border of each rectangle a new paper displacement is produced, but the behavior elicited by a rectangle’s width may not be what is expected when facing bit transitions. Specifically, a rectangle covering all of a page’s width stacked vertically with a rectangle covering only a part of it may not trigger the expected behavior—that is, the wide rectangle may dominate and the printhead will operate as if printing in both cases two wide rectangles, and thus no modulation will occur. This may be because of some small overlapping area between rectangles or some imprecision on the printing mechanism. Nevertheless, fixing this problem just requires inserting some buffering (extra rectangles with small width) when making transitions between rectangles of different width. In practice, we also make each rectangle be double the minimum length needed to produce a printer roller activation, which provides us with some robustness.

Table 2 presents some of the results we obtained with respect to the main parameters and performance metrics. It is important to note that the number of payload bits per page we define in that table is a practical estimate, not the theoretical maximum, given the constraints we found when executing the experiments. Our payload bits per page metric is limited, first by the total vertical area of a paper page, which coupled with the injected rectangle’s minimum length establish a hard limit on the total number of rectangles that may be printed. But as a matter of fact, the printer also introduces document margins beyond which the device does not operate, which further limits the total space to be exploited on a page, although to be fair these margins are normally close to the pages’ edges. The next three factors also constrain the total number of bits per page: each rectangle in our implementation occupies two times the minimum size, padding is used at the beginning and end of pages to isolate acoustic pulses from the initial and ending noises produced by the printer, and finally a part of a page’s bottom may be left unused. This last constraint is necessary because in some printers, as the page progresses through the printer and the printing process approaches its end, the amplitude of the acoustic pulses decay, as some of the printer rollers stop having contact with the page, and thus we avoid the bottom area to not compromise the communication range of the covert channel.

Because the printing process is a relatively slow procedure, the net bit rate is not that high, but it can still serve to exfiltrate small bits of sensitive information. In Table 2, maximum bandwidth refers to the theoretical maximum bit rate we could obtain if we used all the capabilities of the injected patterns (i.e., if we could mix dark yellow colored rectangles that cover all the horizontal area of a page with almost invisible rectangles that occupy a tiny fraction of that same area). By combining different quantities of color brightness levels and rectangle lengths on a blank paper to achieve multi-level modulation, ideally we could reach those maximum rates. But because we are constrained by the light yellow tint, which should be invisible to human sight, and by any overlying text that may be in place, it is difficult to achieve the theoretical maximum. Finally, the observed time differences between printer roller activations are sometimes not that consistent, which would therefore make our attempt at multi-level modulation even more error prone when coupled with the other constraints. In Table 2, we show how much of the theoretical maximum bandwidth our attacks use.

Based on our experiments, we found that printers of the same manufacturer share many characteristics such that an attacker only needs to know a printer of the same product line to exploit another. Although printers within a line are divided by specific series (e.g., HP ENVY 7800 series and 7100 series), we found that for the purposes of our attack these differences were almost insignificant. In particular, for the two printers of the HP ENVY product line (i.e., 7155 and 7855), we found no modification was needed on the modulation parameters. Thus, if an attacker characterizes one of these, the extracted parameters will work for both printers. The other pairs of printers that belong to distinct product lines do not share this convenience—first of all because they use different ink cartridge models, as can be seen in Table 1. As ink cartridges may produce different tints for the same color values on a document depending on their model, it is expected that the attacker will need some recalibration to obtain again the exact yellow tint that hides the injected rectangles. Another difference we found on the Canon Pixma and HP DeskJet printers is that the transition length is of different size, although this is not a serious problem because the attacker can select the greatest of them and use it for both printers of a specific product line. For Canon Pixma printers, we did find that besides the previously mentioned differences, the amount of buffering between bit transitions does change by a small factor.

Unfortunately, although no other parameter change was apparently needed for the HP DeskJet 2722, with respect to the 1115 model used as the baseline, the fact is that this printer model seems to apply a type of rate-limiting mechanism that directly affects the malicious modulation. In our experiments, we found that large sequences of rectangles with a small width, which should increase the rate of paper displacements, were instead printed at a slower rate, both in text and blank documents, thus making our modulation ineffective. Indeed, this particular printer model inadvertently deploys a defense against our attack by homogenizing the printing process, an effect that clearly has an impact in its overall performance. Compared with the HP DeskJet 1115 results shown in Table 3, a BER of approximately 20% (against a BER of 3.82%) was the minimum we could obtain with the HP DeskJet 2722 when printing a document with left-aligned black text at 50 cm. What we did observe is that if the rectangles are instead filled with black color, our modulation may be possible in this printer, but clearly any attempt at stealth fails immediately.

All things considered, results demonstrate that lines of printers do share modulation parameters. Whether other mechanisms are in place is another story. In particular, results obtained from the HP ENVY printers tell us that testing a printer from the same product line, and one that uses the same ink cartridge/bottle models, is enough to find the specific modulation parameters of the target printer.

To test the robustness of our covert channel with respect to distance and the orientation of our smartphone receiver, a series of tests were carried out to measure the overall BER, with the results shown in Table 3. For these tests, a 50-page document with left-aligned blocks of text and 12-point Arial font was used, except for the HP ENVY printers, where blank documents were used for convenience (i.e., to save ink), as we did not observe any significant performance difference with respect to text documents. Four different distances between the printer and receiver were considered: 50 cm, 2 m, 4 m, and 8 m. Smartphones’ MEMS microphones have been shown previously to be sensitive to the angles of incidence of the incoming acoustic signals, especially as the frequency of the signal increases [8], so two different orientations were tested when laying a smartphone flat on a table: having the microphone face the noise source and having the microphone facing 180\(^{\circ }\) away from the noise source. BER was calculated using the Hamming distance between the actual received payload and the transmitted one.

From the results shown in Table 3, we can note that at 50 cm and until 4 m we can achieve in all cases a BER lower than 5%, when the smartphone’s microphone is facing the noise source. When the smartphone is not facing the printer, at 4 m we find that printers from the HP DeskJet product line, and to a small degree from the HP ENVY line, may start suffering in performance. At 8 m, only the HP ENVY and Canon Pixma printers still maintain a low BER. Results show that the smartphone’s orientation does affect performance, but it is only really apparent after a certain distance from the printer. The variation in BER with distance seems to be roughly correlated to the power of the noise produced by the printers, and similar results can be obtained when testing the robustness of the covert channel to noise. By adding Gaussian noise to the original recordings at 50 cm from the printer, and varying the signal-to-noise ratio, we can obtain a better characterization of the communication system, with the results shown in Figure 9. It is clear that the HP DeskJet printer is the one that suffers the most in performance with increasing noise and increasing distance. Qualitatively speaking, it is also the printer whose rollers produce the faintest sounds. With respect to the other printers, it is important to note that a factor that influences their robustness toward noise is related to the receiver parameters—that is, receiver frequency range, amplitude threshold, and smoothing window, all of which differ with respect to the product line.

Five different layouts were utilized to test the impact of the overlying text on the printing process. Figure 10 shows the results that were obtained at 50 cm from the source. Although we are aware that the number of layouts found on existing documents can be infinitely large, we selected the layouts shown in Figure 7 to test particular attributes found on documents that could affect the attacker’s modulation. The chosen layouts were the following: a document with left-aligned 12-point black Arial text, another one with the same type of text but with justified alignment, and a third one exactly the same as the first one but with red as the text’s color; we also included a spreadsheet-type document with a table covering all the pages and, finally, a blank document. The left-aligned text document served as the baseline. This document had the particularity of including lines of text that covered a different amount of the width of a page, which we thought could affect the modulation. This is because, as we described in Section 4, when text overlays our injected rectangles and these rectangles cover less horizontal space than the text width, a small time offset may appear on the time measurements that depends on that same text width. The document with justified text was used to test if any improvement could be seen by making the width of the text constant. The document with a table was used just to test whether lines instead of text could affect the modulation, especially the vertical lines that leave no space between contiguous rows of a page. The document with red-colored text was used to test whether utilizing the same yellow color for the text (as red is a combination of yellow and magenta) would somehow interfere with the modulation. Finally, a blank document was used to test the modulation when facing considerable blank spaces on text documents.

The layout had no significant effect on the acoustic modulation except for a few cases, as can be observed in Figure 10. In particular, when using the colored text layout with HP DeskJet and HP ENVY printers, the BER increases considerably. This was discovered to be a consequence of the fact that these lines of printers introduce an intermediate print mode between the single-pass mode used for black text and the multi-pass mode used for images, which interferes with our modulation. This intermediate print mode is used specifically for sparsely colored graphical objects, which is what the colored text represents. As this type of text requires greater detail than normal black text and it encompasses the width of a page, the narrower injected rectangles will stop producing the fast printhead travel times, and modulation will be disrupted. This effect is not only seen in colored layouts but also when including any text that is not perfectly black, as shades of gray are in practice done with colored input.

A second point of interest with these layouts is with respect to blank documents. As blank documents do not include any text, this means that rectangles with a small width will produce an even faster printer roller activation (paper displacement) than would occur in text documents, because now the printhead does not need to always travel through all the width of a page. For the Epson, Canon, and HP ENVY printers this is not an issue, but for the HP DeskJet printers, the problem is that both wide rectangles and rectangles with smaller width produce a faster response in the printhead travel time that enters into conflict with the original receiver parameters. This means that if the receiver uses the same parameters as those used for text documents (i.e., the time period ranges associated with a 1-bit or 0-bit), the attacker will find that an overlap occurs with the actual time periods produced by the wide and narrow rectangles in the blank documents. A separate set of receiver parameters for blank and text documents is needed in this case, which means that for HP DeskJet printers, there may be problems when combining text with large spaces unless proper action in the receiver is taken.