One consequence of the very rapid development and growth of microelectronics (Moore’s Law, and all that) has been that computing functions are no longer performed just by computers. Many other devices — cell phones, microwave ovens, automobiles, industrial control systems, and televisions, just to cite a few examples — now routinely come with included microprocessors, which run software to perform new functions, or functions that were previously performed by electro-mechanical devices. This software is no more immune to bugs, including security vulnerabilities, than any other kind; consequently, a new element of risk has been introduced in some of these systems. I’ve written here about problems with the “smart grid”, SCADA systems for industrial control, network cards, photocopiers, and automobiles. One of the reasons for concern over these risks is that they are new, not part of the traditional security world of locks, keys, credentials, and passwords.
According to a report posted on the “Red Tape Chronicles” blog at msnbc.com, we can now add at least some HP laser printers to the list. A team of security researchers from Columbia University has found a basic security vulnerability related to the printers’ handling of firmware updates, potentially affecting many devices and users.
… the Columbia researchers say the security vulnerability is so fundamental that it may impact tens of millions of printers and other hardware that use hard-to-update “firmware” that’s flawed.
Specifically, the vulnerability exists because the printer can receive firmware updates via the print data stream, and some HP LaserJet models (prior to 2009, according to HP) did not check updates for digital signatures or any other proof of authenticity. Consequently, anyone able to send a print job to these printers can potentially install arbitrary firmware. If the printer is visible from the Internet, the number of potential volunteer printer admins is quite large.
The researchers have demonstrated one potential denial-of-service attack, in which the printer is sent instructions that cause the fusing roller to be heated continuously, potentially causing a fire or a shutdown by the printer’s thermal safety circuit. More sophisticated attacks are also possible.
In one demonstration, Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker’s machine. The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.
HP estimates that it has sold ~100 million LaserJet printers since the mid-1980s, so there are a lot of potential targets out there. (HP’s InkJet printers are not vulnerable in this way.)
HP disputes some of the researchers’ conclusions, and the tone of the report is probably a bit alarmist. The SANS Internet Storm Center [ISC] diary has a good summary post on this flaw; it points out that the most serious risks associated with the flaw can be mitigated by standard good practices, such as firewalling the printers off from the Internet. Network monitoring can help, too: if you find a printer initiating an outbound TCP/IP connection, that is not a good sign.
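The network-monitoring check mentioned above, as an added example (not code from the ISC diary, HP, or the Columbia researchers): it scans flow records for TCP connections that a printer opens itself. The subnets, the allowlist of permitted destinations, and the sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumptions (not from the article): printers sit in one subnet, the site
# uses 10.20.0.0/16 internally, and printers may only open connections to
# the two listed services.
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")
ALLOWED = {("10.20.1.5", 25), ("10.20.1.10", 389)}  # mail relay, LDAP

# Constructed sample flow records: time, src, sport, dst, dport, TCP flags.
SAMPLE_FLOWS = """\
2000-01-01T10:00:01,10.20.40.17,51512,10.20.30.21,9100,S
2000-01-01T10:00:01,10.20.30.21,9100,10.20.40.17,51512,SA
2000-01-01T10:02:10,10.20.30.21,49200,10.20.1.5,25,S
2000-01-01T10:05:44,10.20.30.21,49201,203.0.113.50,443,S
2000-01-01T10:05:44,203.0.113.50,443,10.20.30.21,49201,SA
2000-01-01T10:09:12,10.20.30.22,49310,10.20.40.99,8080,S
"""

def printer_initiated(flows_csv, printer_net=PRINTER_NET, allowed=ALLOWED):
    """Return alerts for TCP connections opened by a printer to a
    destination that is not on the allowlist."""
    alerts = []
    for row in csv.reader(io.StringIO(flows_csv)):
        if len(row) != 6:
            continue  # skip blank or malformed records
        ts, src, _sport, dst, dport, flags = row
        # A bare SYN (no ACK) marks the side that opens the connection; the
        # printer's SYN-ACK replies to incoming print jobs are skipped here.
        if "S" not in flags or "A" in flags:
            continue
        if ipaddress.ip_address(src) not in printer_net:
            continue
        if (dst, int(dport)) in allowed:
            continue
        inside = ipaddress.ip_address(dst) in INTERNAL_NET
        alerts.append((ts, src, dst, int(dport),
                       "internal" if inside else "external"))
    return alerts

if __name__ == "__main__":
    for alert in printer_initiated(SAMPLE_FLOWS):
        print("ALERT printer opened connection:", *alert)
```

Incoming print jobs to port 9100 and the allowlisted mail-relay connection produce no alert; the two connections the printers open to other hosts do.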
The ISC article also points out the most important lesson:
The study is a helpful reminder that even devices we don’t think of as computers can be hacked and do things we don’t intend and compromise our security.
Consider an example I’ve used before, an old-fashioned warded lock. It is not that difficult to pick, but the attacker does need to be in physical proximity to the lock. A fancy new electronic deadbolt with network connectivity almost certainly is more resistant to “picking” — but it has vulnerabilities that didn’t exist in the old lock, and they can potentially be exploited from the other side of the world.
Ars Technica also has an article on this research.