According to researchers at Columbia University claim they've discovered a new class of computer security flaws that could impact millions of businesses, consumers, and even government agencies.

You’ve got to know by now that printers have a hard disk and programming, as well as a record of everything you’ve used them for.

Anything with programming is subject to “modification”.

So, according to the Columbia researchers, printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reported by msnbc.com.

They also say there's no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too  and there's no way to tell if hackers have already exploited it.

These researchers have notified the appropriate government agencies of the potential flaw, as well as HP.  HP is researching the reported vulnerability, but feels it’s too early to confirm it and generally doubts its significance.

The flaw:
The more complex printers get, giving more functionality, the more they come to resemble computers. Printers now can access the net as well. The ‘hole’ in the security comes via “Remote Firmware Update” which HP printers have and connect to the net to receive. Apparently the printers don’t discriminate as to the source of the update, and a digital signature is not used to verify the source, so anyone can ‘push’ a destructive or spyware update. Also. some printers are configured to receive print jobs from the net, and therefore can be infected remotely. Needless to say, there is no security whatsoever in cases like that.

“Rewriting the printer's firmware takes only about 30 seconds, and a virus would be virtually impossible to detect once installed. Only pulling the computer chips out of the printer and testing them would reveal an attack, Cui said. No modern antivirus software has the ability to scan, let alone fix, the software which runs on embedded chips in a printer.” Ang Cui (Columbia University)

 

“First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?” said Mikko Hypponen, head of research at security firm F-Secure, when told of the flaw. “Printers have been a weak spot for many corporate networks. Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact.” – Bob Sullivan (MSNBC, Red Tape)

These researchers have demonstrated the flaw, and also made a printer operate at a frequency which caused fuse overheating eventually causing the paper used to brown and smoke. The thermal safeguard cut in to prevent a fire, but not all printers are so equipped. All HP printers have this switch and should be ‘fool proof’ at least in that respect.

"(The thermal breaker) cannot be overcome by a firmware change or this proposed vulnerability," – HP (http://msnbcmedia.msn.com/i/msnbc/sections/news/gp_printersecurity.pdf)

That is reassuring, however:

“In an exclusive demonstration for msnbc.com at Columbia University’s Intrusion Detection Systems Laboratory, Cui and Stolfo revealed the kind of havoc an attacker could wreak once they gained control of a printer. After sending a virus-laced print job to a target printer, the device's small screen read, in sequence, "Erasing...Programming...Code Update Complete."

In one demonstration, Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker’s machine. The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.

A hacker who merely wanted to wreak havoc could easily disable thousands – or perhaps millions – of vulnerable printers, Cui said, as it is trivial to send the printer upgrades that would render it inoperable.” – Bob Sullivan (ibid)

The additional “ripple effect” in all this is that printers on a company network are trusted by other computers on the network.

The hijacked (reprogrammed) printer could therefore present an end run around the company’s (or your) firewall. I personally have never read in any tech publication about a system protected from attack by one of its own printers.

HP also disagreed with this assertion. They said that standard print jobs could not be used to initiate a firmware upgrade: Only specially-crafted files sent directly to the printer could do that. If that’s true, the vulnerability could only be exploited on printers left exposed to the Internet; printers behind a firewall would be safe (as well as the information in their memories). However, the Columbia researchers replied that standard print commands sent both from a Mac and a PC running Linux tricked an HP printer into reprogramming itself. HP later conceded that might be true; but the two sides disagreed on whether users in a Microsoft Windows environment were safe from the attack.

So, you’re probably saying, “What has all this to do with me?”

“Even home users with printers that are not directly connected to the Internet are at risk, Cui said. As long as the printer is connected to a computer – through a USB cable, for example – it could be used to launch attacks, or as part of a botnet. A quick scan of unprotected printers left open to Internet attack by the researchers found 40,000 devices that they said could be infected within minutes.

Fixing the flaw will not be easy, Stolfo (Cui’s co-researcher) said. There is no natural path to update printer operating system software, as there is for desktop PC software. It's possible a consortium of firms could "push out a fix," once one is available, he said. He urged HP to work with companies like Microsoft to help consumers update their printers. (Msnbc.com is a joint venture of Microsoft and NBC Universal).” – Bob Sullivan (ibid)

A particularly nasty aspect of all this is that you have absolutely no way to know if your printer is infected or not (if it updates its software from the net). If it is, any updated “fix” might well not “take”. You just might end up having to give up and replace the “intelligent” parts of its system, or throw it away (after shredding the memory).

What about antimalware for printers? Mikko Hypponen (F-Secure) said that it could be developed, and that software tools that would detect booby-trapped print jobs in word processing documents or emails could be as well as ways to prevent attempts to update printers with malware, but such approaches would hardly be foolproof.

The researchers are now looking at the software on other firmware, but also cautioned that this is opening a whole new area of research: The hacking of ‘embedded’ software in various peripherals we all use.

“Until we know things like whether Windows users are affected, whether this is a class or specific product issue, it is frankly irresponsible to say more,” HP said. “If this turns out to be the broad (problem) that's being discussed…we will reach out to customers and get it fixed. We support our customers and value their trust.” - Bob Sullivan (ibid)

“Printers, however, are just the tip of the iceberg when it comes to vulnerable embedded devices, Stolfo warned. Columbia researchers have found that many gadgets now wired to connect to the Internet – including DVD players, telephone conference tools, even home appliances – have no security at all.” -Bob Sullivan (ibid)

I think that the take away from all this is that as I’ve mentioned in other articles (and a former policemen also wrote here in Forum response, recently), as the devices we use get more complex, they become more vulnerable. maybe simpler is better in some cases.

"Right now, very few people are thinking about the security of all these devices, so we're moving on to look at many more of them,” Stolfo said, noting that supposedly secure offices – even in sensitive government agencies – have networked teleconferencing devices, printers, even thermostats that create security risks. This is a whole area that is being ignored,” he continued. “While most folks are focused on applications, there is a comfort level with (embedded systems) that is nonsensical. There's no focus on the security of these devices we take for granted and we carry into secure environments every day.”  – Bob Sullivan (ibid)   

Special thanks go to Hankers who drew my attention to this article.

Sources:

http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say

http://msnbcmedia.msn.com/i/msnbc/sections/news/gp_printersecurity.pdf