Malicious firmware installed on HP LaserJet printers could result in print jobs being forwarded to a remote machine, according to Columbia University researchers.
Columbia
University researchers demonstrated a bug in common office printers that could
be used to forward documents to a remote computer or to remotely send commands
that heat up and physically damage the printers, according to a Nov. 29
MSNBC.com report.
Professor
Salvatore Stolfo and researcher Ang Cui of Columbia University's School of
Engineering and Applied Sciences showed how a remote machine can scan a
document, in this case a tax form, and post sensitive data such as Social
Security numbers to Twitter.
Malicious
perpetrators can compromise a printer just by tricking a user into printing a
booby-trapped document, according to Cui and Stolfo. There is also another way,
in which printers configured to print jobs over the Internet can be remotely
updated with malicious firmware without the printer owner's knowledge or
awareness, the researchers said.
"These
devices are completely open and available to be exploited," Stolfo said,
noting that these machines are commonly connected to the Internet.
The
idea that printers can't be compromised "is nothing new," Jonathan
Gossels, CEO and president of IT compliance and security consulting firm
SystemExperts, told
eWEEK. Modern
printers have always been vulnerable to attack because they are "sophisticated
computers in their own right," he said.
Detecting
the malicious firmware would be nearly impossible, according to Cui, since no
modern security tool has the ability to scan or repair software running on
embedded systems such as printers.
While
Cui and Stolfo used Hewlett-Packard's line of LaserJet printers and the Remote
Firmware Update process in their demonstration, they said other vendors'
printers are similarly vulnerable. HP LaserJet printers tend to check to see if
a firmware upgrade is included in the data being sent with a print job, but the
researchers claimed the machines do not check for a digital signature to verify
the firmware update is actually authentic and from HP before installing the
update.
"It's
like selling a car without selling the keys to lock it," Stolfo said.
HP
did not immediately respond to a request for comment but told MSNBC that the
printers have required digitally signed firmware updates starting in 2009, so
the researchers must have used older models. The researchers denied the claim,
saying they bought the printer at a major office supply store.
Keith
Moore, chief technologist for HP's printer division, told MSNBC that the
likelihood of such an attack is slim.
"Regardless
of whether HP is right that newer LaserJet printers are protected against the
vulnerability or not, it's clear that there may be many devices which are
potentially at risk of attack," Graham Cluley, senior technology
consultant at Sophos, wrote on the Naked Security blog.
Stolfo
and Cui also noted that a hijacked printer could be used to launch attacks on
other computers within the corporate network. HP's Moore said standard print
jobs could not be used to initiate a firmware upgrade. Only specially crafted
files sent directly to the printer from the Internet can, he said. If that's
the case, this kind of attack could be launched against printers connected to
the Internet, but printers behind a corporate firewall would be safe from
attack, Moore claimed.
The
researchers also demonstrated how sending continuous commands to a printer
could cause it to heat up and smoke. The HP printer shut down before a fire
could break out, but researchers believed other printers may not have the same
kind of thermal switch to protect the machine. This gives attackers "a
dangerous new tool that could allow simple computer code to wreak real-world
havoc," MSNBC.com reported.
A
malicious individual trying to set a printer to catch fire is "downright
unlikely," but the fact that HP has a huge market share in printers means
"a potentially large number may now be more vulnerable to ordinary
exploitation," Gossels said.
Email
Print
