Researchers Hijack Printer Using Malicious Firmware Update

Malicious firmware installed on HP LaserJet printers could result in print jobs being forwarded to a remote machine, according to Columbia University researchers.

Columbia University researchers demonstrated a bug in common office printers that could be used to forward documents to a remote computer or to remotely send commands that heat up and physically damage the printers, according to a Nov. 29 report.

Professor Salvatore Stolfo and researcher Ang Cui of Columbia University's School of Engineering and Applied Sciences showed how a remote machine can scan a document, in this case a tax form, and post sensitive data such as Social Security numbers to Twitter.

Attackers can compromise a printer simply by tricking a user into printing a booby-trapped document, according to Cui and Stolfo. There is also a second route: printers configured to accept print jobs over the Internet can be remotely updated with malicious firmware without the printer owner's knowledge, the researchers said.

"These devices are completely open and available to be exploited," Stolfo said, noting that these machines are commonly connected to the Internet.

The idea that printers can be compromised "is nothing new," Jonathan Gossels, CEO and president of IT compliance and security consulting firm SystemExperts, told eWEEK. Modern printers have always been vulnerable to attack because they are "sophisticated computers in their own right," he said.

Detecting the malicious firmware would be nearly impossible, according to Cui, since no modern security tool has the ability to scan or repair software running on embedded systems such as printers.

While Cui and Stolfo used Hewlett-Packard's line of LaserJet printers and the Remote Firmware Update process in their demonstration, they said other vendors' printers are similarly vulnerable. HP LaserJet printers check whether a firmware upgrade is included in the data sent with a print job, but the researchers claimed the machines do not check for a digital signature to verify that the firmware update is authentic and from HP before installing it.
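The delivery path described above, a firmware image riding inside an ordinary print job, is something a print server or network filter can check for before the job reaches the device. The following is an added example, not code from the researchers or from HP; it assumes the update is announced with a PJL (HP's Printer Job Language) line of the form `@PJL UPGRADE SIZE=<bytes>`, and the sample jobs are constructed.

```python
import re
from typing import List
from dataclasses import dataclass

# Universal Exit Language sequence: every PJL job (or job segment) starts with it.
UEL = b"\x1b%-12345X"

# Constructed sample jobs (not captured from any real printer).
NORMAL_JOB = (UEL + b'@PJL JOB NAME="taxform.pdf"\r\n'
              b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
              b"%!PS-Adobe-3.0\r\n/Helvetica findfont\r\n")
# Harmless-looking document followed by a second segment that carries firmware.
BOOBY_TRAPPED_JOB = (UEL + b'@PJL JOB NAME="invoice.pdf"\r\n'
                     b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n%!PS-Adobe-3.0\r\n"
                     + UEL + b"@pjl  upgrade size=9\r\n" + b"\x7fFIRMWARE"
                     + UEL + b"@PJL EOJ\r\n")

# A PJL command line begins either at a line start or right after a UEL.
# Case-insensitive, because printers accept "@pjl upgrade" as well.
PJL_LINE = re.compile(
    rb"(?:^|\x1b%-12345X)(?P<line>@PJL\s+(?P<cmd>[A-Z]+)[^\r\n]*)", re.I | re.M)
SIZE_OPT = re.compile(rb"SIZE\s*=\s*(\d+)", re.I)


@dataclass
class Finding:
    offset: int         # byte offset of the directive inside the job
    command: str        # the PJL line exactly as sent
    declared_size: int  # bytes of firmware the job claims to carry, -1 if absent


def find_firmware_directives(job: bytes) -> List[Finding]:
    """Walk every PJL command in the stream and report firmware-upgrade
    directives. All UEL-delimited segments are scanned, so an upgrade
    hidden behind an innocuous first job is still caught."""
    findings = []
    for m in PJL_LINE.finditer(job):
        if m.group("cmd").upper() != b"UPGRADE":
            continue
        line = m.group("line")
        size = SIZE_OPT.search(line)
        findings.append(Finding(m.start("line"), line.decode("latin-1"),
                                int(size.group(1)) if size else -1))
    return findings


def should_block(job: bytes) -> bool:
    """Policy hook for a print server: jobs from users must never carry firmware."""
    return bool(find_firmware_directives(job))
```

Firmware updates pushed by administrators through a separate, authenticated channel are unaffected by such a filter; it only removes the print-job path.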

"It's like selling a car without selling the keys to lock it," Stolfo said.

HP did not immediately respond to a request for comment but told MSNBC that the printers have required digitally signed firmware updates starting in 2009, so the researchers must have used older models. The researchers denied the claim, saying they bought the printer at a major office supply store.

Keith Moore, chief technologist for HP's printer division, told MSNBC that the likelihood of such an attack is slim.

"Regardless of whether HP is right that newer LaserJet printers are protected against the vulnerability or not, it's clear that there may be many devices which are potentially at risk of attack," Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.

Stolfo and Cui also noted that a hijacked printer could be used to launch attacks on other computers within the corporate network. HP's Moore said standard print jobs could not be used to initiate a firmware upgrade. Only specially crafted files sent directly to the printer from the Internet can, he said. If that's the case, this kind of attack could be launched against printers connected to the Internet, but printers behind a corporate firewall would be safe from attack, Moore claimed.

The researchers also demonstrated how sending continuous commands to a printer could cause it to heat up and smoke. The HP printer shut down before a fire could break out, but researchers believed other printers may not have the same kind of thermal switch to protect the machine. This gives attackers "a dangerous new tool that could allow simple computer code to wreak real-world havoc," reported.

A malicious individual trying to set a printer to catch fire is "downright unlikely," but the fact that HP has a huge market share in printers means "a potentially large number may now be more vulnerable to ordinary exploitation," Gossels said.