Lexmark Employees Seek to Block Apex Acquisition, Citing Chinese-Hacking Concerns
On May 13th, Wirth Consulting received a copy of a letter sent to U.S. President Obama by a group called “Lexmark Employees for Ethical Conduct,” which urges the president to block the proposed acquisition of Lexmark International for $3.6 billion by a consortium of investors that include China-based Apex Technology and PAG Asia Capital. The group states that U.S. national security would be compromised if the acquisition – which must be approved by the U.S. Committee on Foreign Investment – is approved, stating: “The overall risk to (U.S.) national security is real, immeasurable and unpreventable unless the sale of Lexmark to a Chinese firm is disallowed.”
Apex Technology is headquartered in Zhuhai, Guangdong, China, and China-based Zhuhai Seine Technology is the largest shareholder of Apex Technology, holding approximately 70 percent of Apex Technology’s shares. Apex Technology’s acquisition of Lexmark International, which is based in Lexington, Kentucky, would include both Lexmark’s Imaging and Solutions and Enterprise Solution Services, as well as all of Lexmark’s copyrights and intellectual property.
The letter written by Lexmark Employees for Ethical Conduct is not signed by any particular individual, but is said to be written on behalf of Lexmark’s more than 13,000 employees. It asks President Obama to “intervene and block the sale of …Lexmark International to the Chinese firm Apex Technology…this sale should be disallowed due to extreme national security risks.”
The Lexmark employee coalition’s letter essentially states that, unlike older analog copiers, because Lexmark copier/MFP/printers are “smart” digital copier/MFPs that are controlled by a PC operating system, they are vulnerable to hacking, noting, for instance, that they make a digital copy of every scanned document before printing it or transmitting it via fax or email; this stored information is vulnerable to being accessed by unauthorized users.
The letter states: “Apex will own hardware copyrights to Lexmark MFPs, they will have access to all device firmware source code, and have access to all source code for Lexmark workflow software.” The letter also notes that Lexmark owns more than a dozen software companies whose workflow software is used by many thousands of companies’ document-workflow environments that include Lexmark MFPs. These software companies include Readsoft, which markets business-automation software, such as software for processing invoices.
The Lexmark employee coalition says that Lexmark MFPs are widely used in the U.S. Department of Defense (DOD), U.S. Pentagon, U.S. National Security Agency, U.S. Central Intelligence Agency (CIA), United States Federal Bureau of Investigation (FBI), U.S. Homeland Security Agency, U.S. Transportation Security Agency (TSA), and U.S. Special Operations Command (the unified command for the worldwide use of U.S. Army, Navy, and Air Force special operations), as well as in U.S. state and local governments. The letter states, in bold type, that “Allowing a communist country access to Lexmark hardware and firmware allows them direct access ‘behind the firewall’ to any of these offices,” adding later that: “Should any company (or government) have access to our hardware PCBA designs or firmware source code, they could easily install malicious code, viruses, or malware into these MFPs” and that “there would be no way to detect this malicious code or prevent wide-scale digital virus infections.”
The writers also state that the acquisition would expose private-sector companies to hacking, such as companies in banking, healthcare, education, and “most Fortune 500 companies.”
To bolster this argument, the letter also states that, because of national security concerns, the U.S. Department of Defense will not purchase Chinese-made Lenovo laptop computers, stating in bold type: “Lexmark MFPs have the same potential for harm as a determined hacker with unrestricted LAN (local area network) access that is sitting in the (U.S.) NSA (National Security Agency) offices.”
Older Lexmark MFPs ‘Particularly Susceptible’ to Hacking
According to the Lexmark employee-coalition letter, older Lexmark MFP generations that are in the field but are no longer being sold – specifically those code-named SHaFT and Homestretch – are particularly susceptible to hacking “due to their use of older LINUX-based technologies,” noting that “Lexmark’s LINUX kernel is posted publicly as is required by the LINUX community.”
New Open Android ‘Moja’ MFPs Vulnerable; Contract Programmers in India Could be ‘Coerced’ into Inserting Malicious Code in MFP Firmware
The letter states that Lexmark’s newest smart MFPs, code-named “Moja,” are built on the Android operating system, and that, because Android is an open-system platform, this makes these MFPs particularly vulnerable:
“These ‘Moja’ units are particularly susceptible to malicious intrusions because they are a new generation of products with known flaws and no proven track record for reliability security. There is an extremely limited programming team that programs firmware for these devices with no time to focus on things like security hardening. There is barely time for these programmers to meet basic schedules, which include creating patches for old firmware, Engineering Changes (EC’s) for current firmware and designing future device’s (sic) firmware. Lexmark has recently fired so many competent and experienced programmers that they must now rely on staff of contracted programmers in India. These contracted programmers could easily be coerced into inserting malicious routines into firmware code that would never be detected until after harm was caused.”
Six Hacking Scenarios
The letter states six possible hacking scenarios, but states that the hacking possibilities are “infinite:”
- Firmware could be loaded onto Lexmark MFPs that would write any data that passes through the MFP’s controller to a hidden encrypted hard drive partition of the MFP (or to NVRAM). A hacker could then insert a flash drive into the MFP’s USB port and have all stored data written to the removable storage (flash drive). Smartphones could also be used instead of flash drives, and “Gigabytes of data could be stolen quickly.”
- Data stored on the MFP could be transmitted within an office to a user who is running an FTP (File Transfer Protocol) or Telnet daemon on their PC. If the MFP and PC user are on the same network subnet, no log file would “generally record these data transactions.” Moja devices now use NFC (Near Field Communication) technologies, which is said to make data theft easier and undetectable.
- Versions of current Lexmark MFP firmware now include LAN-protocol analyzing capabilities (said to be similar to Wireshark). The letter states that this firmware could be modified to capture “all” data traffic on a hub or switch port, store it on the MFP, and transmit that data using the same processes described in the two previous examples.
- Where user-authorization keypads, badges, or smartcards are used to log in to a Lexmark MFP in order to use copy, scan, fax, etc., firmware could allegedly be modified to capture passwords, store this information, and transmit it later. The letter states that in the U.S. Department of Defense, or in U.S. intelligence agencies that use CAC or Secure CAC cards (such as the U.S. Special Operations Command), “access to these passwords would immediately compromise national security.”
- MFP firmware could be modified to include malware, “worms,” or Trojan viruses. The viruses “could remain dormant until triggered externally,” with the letter stating: “Imagine an Encrypto virus or Ransomware being released to all banks, hospitals, transportation industries, military bases and intelligence agencies in the U.S.A. simultaneously.”
- Lexmark MFPs “could autonomously collaborate to build, modify, and deliver a purpose-built viral attack like the Israeli Stuxnet virus. Lexmark MFP’s (sic) can use proprietary protocols to work with other MFP’s (sic) to build a virus from disparate code sources, propagate final versions of the virus and then deliver the virus via a rootkit component to insert the undetectable virus into kernel mode memory areas of vulnerable operating. Imagine such a purpose-built virus attacking the United States Nuclear Energy facilities or Nuclear Weapons Arsenals.”
The letter ends by requesting that the U.S. Committee on Foreign Investment in the United States subpoena the following Lexmark vice presidents who are in charge of Lexmark hardware (MFPs), embedded solutions, and enterprise software: Ben Streepy, Tom Knight, and Reynolds Bish, as well as James Kosieniak, lead MFP firmware programmer.