Bug allows HP printers to be hacked, set on fire

By Angela Moscaritolo on Dec 1, 2011 8:25 AM
Filed under Security

Could extend to others.

Researchers at Columbia University in New York have discovered a vulnerability in HP LaserJet printers that could allow attackers to steal sensitive documents, gain control of corporate networks, or even set the affected device on fire.

This can be accomplished because some HP LaserJet printers do not validate the origin of remote firmware updates before applying them, Salvatore Stolfo, a professor of computer science at Columbia who directed the research, said. That means anyone can reprogram the devices with malicious firmware.

Everytime an HP LaserJet printer accepts a print job, it checks to see if a firmware upgrade has been included, Stolfo said. The printer does not, however, look for a digital signature to verify that the firmware actually came from HP.

The researchers, funded by government and industry grants, have been investigating the vulnerability for several months, and disclosed the issue to HP last week.

“What we did is find a way to change the core firmware of the device – change it entirely,” Stolfo said. “By rewriting the firmware, we can inject any functions and features we wish.”

In lab demonstrations, the researchers even were able to leverage the vulnerability to overheat the printer's fuser – a ink-drying component –  to cause paper to turn brown and smoke. In that demonstration, a thermal switch shut the printer down before a fire was started.

An attacker could also cause a hacked device to duplicate all print jobs on a remote printer, disable the machine, or gain access to corporate networks, Stolfo said. Adversaries may already know about the bug.

Further, the flaw could be exploited by simply tricking a user into printing a file containing malware. Moreover, if the printer was configured to accept jobs via the internet, an attacker remotely could update the machine's firmware with a malicious version, without requiring any user interaction.

“Done well, it's completely stealthy,” Stolfo said. “You wouldn't know the printer has that malicious capability. The printer sitting next to you right now could be infected and you wouldn't know it.”

An HP executive told MSNBC, which first reported the news, that the firm's printers since 2009 have required digitally signed firmware upgrades. HP did not immediately respond when contacted on Tuesday.

“HPs latest printers and firmware are better protected, and the flaw is unlikely to exist in the latest models, but that doesn't account for the large number of printers deployed with the previous generation of flawed software,” Stolfo said.

Plus, the researchers believe the vulnerability extends beyond just HP printers.

“We haven't checked with other manufacturers, but the suspicion is that there are other manufacturers with the same flaw,” Stolfo said.

The researchers are withholding technical details of the glitch until later this year while they work with HP on a mitigation strategy, Stolfo said. One of the options they are exploring would essentially involve leveraging the flaw to inject security software into affected devices.

Stolfo said he hopes news of the bug will ultimately drive embedded device makers to improve security.

For many years, researchers have known that printer hacks, while not common, are certainly feasible.

And this is not the first time HP printers have been discovered to be vulnerable to cyberattack. Last September, researchers at web security firm Zscaler disclosed that certain models of HP combination printer and scanner devices contain a feature that could allow for corporate espionage. And HP, in 2006, warned customers of a recently vulnerability in two of its printer models that could make personal information accessible to hackers.

This article originally appeared at scmagazineus.com

 
Follow us on Facebook and Twitter
 

Copyright © SC Magazine, US edition

Bug allows HP printers to be hacked, set on fire
Tags
 
 
 
 
 
Top Stories
Reseller pays $2.65m for telco specialist
Acquisition scene heats up as JCurve makes another buyout.
 
Kytec files for administration, new company set up
Driven by management buyout, says MD.
 
Dataflex reborn under new owners
Buyer aiming for $30m after second acquisition in six months.
 
Sign up to receive CRN email bulletins
   FOLLOW US...
Latest Comments
Polls
Are Chromebooks ready for the enterprise?

CRN Magazine

Issue: 326 | April 2014

CRN Magazine looks in-depth at the emerging issues and developments for the channel, and provides insight, analysis and strategic information to help resellers better run their businesses.