Ramblings of an old Doc

 

 

Researchers at Columbia University claim they've discovered a new class of computer security flaws that could impact millions of businesses, consumers, and even government agencies.

You’ve got to know by now that printers have a hard disk and programming, as well as a record of everything you’ve used them for.

Anything with programming is subject to “modification”.

So, according to the Columbia researchers, printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reported by msnbc.com.

They also say there's no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too – and there's no way to tell if hackers have already exploited it.

These researchers have notified the appropriate government agencies of the potential flaw, as well as HP.  HP is researching the reported vulnerability, but feels it’s too early to confirm it and generally doubts its significance.

The flaw:
The more complex printers get, giving more functionality, the more they come to resemble computers. Printers can now access the net as well. The ‘hole’ in the security comes via the “Remote Firmware Update” feature, which HP printers use to receive updates over the net. Apparently the printers don’t discriminate as to the source of the update, and a digital signature is not used to verify the source, so anyone can ‘push’ a destructive or spyware update. Also, some printers are configured to receive print jobs from the net, and therefore can be infected remotely. Needless to say, there is no security whatsoever in cases like that.
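The missing check described above, as an added example that is not part of the original post and is not HP's code: a Go program that runs the same four update packages through a handler that flashes whatever arrives and through one that first verifies an Ed25519 signature against a vendor key stored on the device. The `UpdatePackage` container, the function names, the keys and the sample images are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update container (not HP's format).
type UpdatePackage struct {
	Name             string
	Image, Signature []byte
}

// acceptUnchecked models the behaviour described above: whatever arrives is flashed.
func acceptUnchecked(UpdatePackage) error { return nil }

// acceptVerified allows flashing only if the image verifies under the vendor key.
func acceptVerified(vendorKey ed25519.PublicKey, p UpdatePackage) error {
	if !ed25519.Verify(vendorKey, p.Image, p.Signature) { // a missing signature fails too
		return errors.New("update rejected: signature missing or invalid")
	}
	return nil
}

// demo runs four constructed packages through both handlers and returns the names each accepts.
func demo() (unchecked, verified []string) {
	pub, vendor, _ := ed25519.GenerateKey(rand.Reader) // throwaway demo keys
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	good, evil := []byte("vendor image (sample)"), []byte("modified image (sample)")
	pkgs := []UpdatePackage{
		{"vendor-signed", good, ed25519.Sign(vendor, good)},
		{"unsigned", evil, nil},
		{"signed-by-other-key", evil, ed25519.Sign(other, evil)},
		{"altered-after-signing", evil, ed25519.Sign(vendor, good)},
	}
	for _, p := range pkgs {
		if acceptUnchecked(p) == nil {
			unchecked = append(unchecked, p.Name)
		}
		if acceptVerified(pub, p) == nil {
			verified = append(verified, p.Name)
		}
	}
	return unchecked, verified
}

func main() { fmt.Println(demo()) }
```

The unchecked handler accepts all four packages; the verifying handler accepts only the vendor-signed one.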

“Rewriting the printer's firmware takes only about 30 seconds, and a virus would be virtually impossible to detect once installed. Only pulling the computer chips out of the printer and testing them would reveal an attack, Cui said. No modern antivirus software has the ability to scan, let alone fix, the software which runs on embedded chips in a printer.” Ang Cui (Columbia University)

 

“First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?” said Mikko Hypponen, head of research at security firm F-Secure, when told of the flaw. “Printers have been a weak spot for many corporate networks. Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact.” – Bob Sullivan (MSNBC, Red Tape)

These researchers have demonstrated the flaw, and also made a printer operate at a frequency which caused fuse overheating eventually causing the paper used to brown and smoke. The thermal safeguard cut in to prevent a fire, but not all printers are so equipped. All HP printers have this switch and should be ‘fool proof’ at least in that respect.

"(The thermal breaker) cannot be overcome by a firmware change or this proposed vulnerability," – HP (http://msnbcmedia.msn.com/i/msnbc/sections/news/gp_printersecurity.pdf)

That is reassuring, however:

“In an exclusive demonstration for msnbc.com at Columbia University’s Intrusion Detection Systems Laboratory, Cui and Stolfo revealed the kind of havoc an attacker could wreak once they gained control of a printer. After sending a virus-laced print job to a target printer, the device's small screen read, in sequence, "Erasing...Programming...Code Update Complete."

In one demonstration, Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker’s machine. The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.

A hacker who merely wanted to wreak havoc could easily disable thousands – or perhaps millions – of vulnerable printers, Cui said, as it is trivial to send the printer upgrades that would render it inoperable.” – Bob Sullivan (ibid)

The additional “ripple effect” in all this is that printers on a company network are trusted by other computers on the network.

The hijacked (reprogrammed) printer could therefore present an end run around the company’s (or your) firewall. I personally have never read in any tech publication about a system protected from attack by one of its own printers.

HP also disagreed with this assertion. They said that standard print jobs could not be used to initiate a firmware upgrade: Only specially-crafted files sent directly to the printer could do that. If that’s true, the vulnerability could only be exploited on printers left exposed to the Internet; printers behind a firewall would be safe (as well as the information in their memories). However, the Columbia researchers replied that standard print commands sent both from a Mac and a PC running Linux tricked an HP printer into reprogramming itself. HP later conceded that might be true; but the two sides disagreed on whether users in a Microsoft Windows environment were safe from the attack.

So, you’re probably saying, “What has all this to do with me?”

“Even home users with printers that are not directly connected to the Internet are at risk, Cui said. As long as the printer is connected to a computer – through a USB cable, for example – it could be used to launch attacks, or as part of a botnet. A quick scan of unprotected printers left open to Internet attack by the researchers found 40,000 devices that they said could be infected within minutes.

Fixing the flaw will not be easy, Stolfo (Cui’s co-researcher) said. There is no natural path to update printer operating system software, as there is for desktop PC software. It's possible a consortium of firms could "push out a fix," once one is available, he said. He urged HP to work with companies like Microsoft to help consumers update their printers. (Msnbc.com is a joint venture of Microsoft and NBC Universal).” – Bob Sullivan (ibid)

A particularly nasty aspect of all this is that you have absolutely no way to know if your printer is infected or not (if it updates its software from the net). If it is, any updated “fix” might well not “take”. You just might end up having to give up and replace the “intelligent” parts of its system, or throw it away (after shredding the memory).

What about antimalware for printers? Mikko Hypponen (F-Secure) said that it could be developed, as could software tools that detect booby-trapped print jobs in word processing documents or emails and ways to prevent attempts to update printers with malware, but such approaches would hardly be foolproof.

The researchers are now looking at the software on other firmware, but also cautioned that this is opening a whole new area of research: The hacking of ‘embedded’ software in various peripherals we all use.

“Until we know things like whether Windows users are affected, whether this is a class or specific product issue, it is frankly irresponsible to say more,” HP said. “If this turns out to be the broad (problem) that's being discussed…we will reach out to customers and get it fixed. We support our customers and value their trust.” - Bob Sullivan (ibid)

“Printers, however, are just the tip of the iceberg when it comes to vulnerable embedded devices, Stolfo warned. Columbia researchers have found that many gadgets now wired to connect to the Internet – including DVD players, telephone conference tools, even home appliances – have no security at all.” -Bob Sullivan (ibid)

I think the takeaway from all this is that, as I’ve mentioned in other articles (and a former policeman also wrote here in a Forum response recently), as the devices we use get more complex, they become more vulnerable. Maybe simpler is better in some cases.

“Right now, very few people are thinking about the security of all these devices, so we're moving on to look at many more of them,” Stolfo said, noting that supposedly secure offices – even in sensitive government agencies – have networked teleconferencing devices, printers, even thermostats that create security risks. “This is a whole area that is being ignored,” he continued. “While most folks are focused on applications, there is a comfort level with (embedded systems) that is nonsensical. There's no focus on the security of these devices we take for granted and we carry into secure environments every day.” – Bob Sullivan (ibid)

 

Special thanks go to Hankers who drew my attention to this article.

Sources:

http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say

http://msnbcmedia.msn.com/i/msnbc/sections/news/gp_printersecurity.pdf


Comments
on Nov 30, 2011

Wow, talk about a hole in the security wall.

on Nov 30, 2011

Here is the answer I got when I posted this on another forum

Printers are always hooked up behind a router, so I don't see how they could be directly vulnerable. Maybe the "hackers" could use a compromised workstation on the network to access the printer. Or wireless printers might be vulnerable IF the "hacker" is within wireless range.

Still, this doesn't seem like something we should be overly concerned about. Just another scare article to get people riled up.

on Nov 30, 2011

Kinda "old news". Saw a report on this on '60 Minutes' a couple of years ago, about printer recycling companies not disposing of the drives properly - or actually selling them on as brand new drives, without even formatting them.

on Nov 30, 2011

They are "physical" drives?

Wouldn't new machines use a flash type drive?

on Nov 30, 2011

OldMsgt
Here is the answer I got when I posted this on another forum

Printers are always hooked up behind a router, so I don't see how they could be directly vulnerable. Maybe the "hackers" could use a compromised workstation on the network to access the printer. Or wireless printers might be vulnerable IF the "hacker" is within wireless range.

Still, this doesn't seem like something we should be overly concerned about. Just another scare article to get people riled up.

Not "Just another scare article" whatsoever. If you think it is, relay your thoughts to the researchers at Columbia University and to MSNBC (address them to Bob Sullivan). A router will give no protection at all, and antimalware will not either.

 

So, you’re probably saying, “What has all this to do with me?” “Even home users with printers that are not directly connected to the Internet are at risk, Cui said. As long as the printer is connected to a computer – through a USB cable, for example – it could be used to launch attacks, or as part of a botnet. A quick scan of unprotected printers left open to Internet attack by the researchers found 40,000 devices that they said could be infected within minutes. Fixing the flaw will not be easy, Stolfo (Cui’s co-researcher) said. There is no natural path to update printer operating system software, as there is for desktop PC software. It's possible a consortium of firms could "push out a fix," once one is available, he said. He urged HP to work with companies like Microsoft to help consumers update their printers. (Msnbc.com is a joint venture of Microsoft and NBC Universal).” – Bob Sullivan (ibid)

Snowy, you are right about HDD's disposed of with the machine without erasing/shredding first, hence my comment regarding that in the OP. I also relayed that expose here in Forums at the time.

The OP has to do with a rather different topic.

 

on Nov 30, 2011

DrJBHL
The OP has to do with a rather different topic.

eggsaktly

on Nov 30, 2011

Well, I have an old HP Color LaserJet CM1015 MFP... during the last firmware update (from pcl5 to pcl6), I needed to push the "ok" button on the printer to accept the firmware update...

Unless a hacker goes inside my home to push the "ok" button, I don't see how the printer can be infected...

Well, maybe the "push ok button" step was removed from HP LaserJets produced in the last 6 years... now, everything becomes automatic without asking for confirmation, a way to ease the job of the user and the job of the hacker at the same time...

on Nov 30, 2011

Thoumsin
I needed to push the "ok" button on the printer to accept the firmware update...
Unless a hacker goes inside my home to push the "ok" button, I don't see how the printer can be infected...

So the solution is never update your software, etc.?

Actually, the update is done through "special files" sent to the printer (per HP). Hope their printers don't go online...

on Nov 30, 2011

Well, I download the firmware update .exe from HP myself... run it... push "ok" on the printer and everything is updated...

If I see "push OK for proceed with firmware update" on my printer when I haven't initiated the process myself, I refuse it!!!

 

on Nov 30, 2011

That's always a choice...

You knew about this problem before the article came out?

on Nov 30, 2011

Well, in the past, I have known my share of various security problems... so, with time, I have learned the hard way to trust nobody and nothing... and become somewhat paranoid about security...

By the way, similar problems are not limited to printers... for example, your processor can be hit too... some malicious software can perfectly emulate a Windows update and mess up the processor microcode... this processor microcode is nothing more than processor firmware...

Well, I used this example because last month, one of my Windows updates, called KB936337-v2, was related to a microcode update for my Intel Xeon processor (along with a few other processors)... I know about it because I check every update that my system wishes to make...

I am maybe an extreme case... using RAID for my drive, using memory RAID (my BIOS allows it)... full eight-bit ECC memory modules, etc... same at the hardware level, I try to have the most secure system... I never use Adobe Flash and Reader (there are alternatives), both software that are in the top 5 for security risk these years... etc...

For people who really care about security, I advise using the US-CERT site... I like their security reports very much... last week's report at http://www.us-cert.gov/cas/bulletins/SB11-332.html for example... being informed is the first step in securing...

on Dec 01, 2011

OldMsgt
Printers are always hooked up behind a router, so I don't see how they could be directly vulnerable.

For the most part, he is correct.  However, not all printers are (probably most in homes are at least behind the router/gateways).  So the total that are vulnerable to anyone doing it is not millions, but probably a good number.  His part 2 is the more troubling.  Once the hankers figure it out, then they can get behind firewalls with zombies.

I would not worry so much about your home printer (not many have lasers at home), but work?  Yea, I would be looking to replace them ASAP.

on Dec 01, 2011

Just read the OP. He isn't correct. Routers and antimalware will not protect, according to the msnbc quotes of the researchers.

on Dec 01, 2011

Show of hands, or give a shout out, who keeps their printer on when they aren't using it or for that matter plugged (power or connection to network or computer)

 

on Dec 19, 2011

DrJBHL
Just read the OP. He isn't correct. Routers and antimalware will not protect, according to the msnbc quotes of the researchers.

You will note I qualified my response. If a computer inside the router/gateway  is compromised, then the router/gateway is useless.  But that is just keeping your computer clean of bugs - not easy, but not impossible either.