You are on page 1of 8

Exclusive: Millions of printers open to

devastating hack attack, researchers


say
Columbia University
This time-lapsed image of a screen on an HP LaserJet shows the
impact of a rogue print job used to reprogram the device.
By Bob Sullivan
Could a hacker from half-way around the planet control your printer and give it instructions
so frantic that it could eventually catch fire? Or use a hijacked printer as a copy machine for
criminals, making it easy to commit identity theft or even take control of entire networks
that would otherwise be secure?
Its not only possible, but likely, say researchers at Columbia University, who claim they've
discovered a new class of computer security flaws that could impact millions of businesses,
consumers, and even government agencies.
Printers can be remotely controlled by computer criminals over the Internet, with the
potential to steal personal information, attack otherwise secure networks and even cause
physical damage, the researchers argue in a vulnerability warning first reported by
msnbc.com. They say there's no easy fix for the flaw theyve identified in some Hewlett-
Packard LaserJet printer lines and perhaps on other firms printers, too and there's no
way to tell if hackers have already exploited it.
The researchers, who have working quietly for months in an electronics lab under a series of
government and industry grants, described the flaw in a private briefing for federal agencies
two weeks ago. They told Hewlett-Packard about it last week.
HP said Monday that it is still reviewing details of the vulnerability, and is unable to confirm
or deny many of the researchers claims, but generally disputes the researchers
characterization of the flaw as widespread. Keith Moore, chief technologist for HP's printer
division, said the firm "takes this very seriously, but his initial research suggests the
likelihood that the vulnerability can be exploited in the real world is low in most cases.
Until we verify the security issue, it is difficult to comment, he said, adding that the firm
cannot say yet what printer models are impacted.
But the Columbia researchers say the security vulnerability is so fundamental that it may
impact tens of millions of printers and other hardware that use hard-to-update firmware
thats flawed.
'Crystal clear'
The flaw involves firmware that runs so-called "embedded systems" such as computer
printers, which increasingly are packed with functions that make them operate more like full-
fledged computers. They also are commonly connected to the Internet.
Bob Sullivan
Like 16,433

"The problem is, technology companies aren't really looking into this corner of the Internet.
But we are," said Columbia professor Salvatore Stolfo, who directed the research in the
Computer Science Department of Columbia Universitys School of Engineering and Applied
Science. The research on this is crystal clear. The impact of this is very large. These devices
are completely open and available to be exploited.
advertisement
Printer security flaws have long been theorized, but the Columbia researchers say they've
discovered the first-ever doorway into millions of printers worldwide. In one demonstration
of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked
computer could be given instructions that would continuously heat up the printers fuser
which is designed to dry the ink once its applied to paper eventually causing the paper to
turn brown and smoke.
In that demonstration, a thermal switch shut the printer down basically, causing it to self-
destruct before a fire started, but the researchers believe other printers might be used as
fire starters, giving computer hackers a dangerous new tool that could allow simple computer
code to wreak real-world havoc.
Hewlett Packard, in a statement, said all its printers include such thermal switches, and these
would prevent a printer fire in all cases.
"(The thermal breaker) cannot be overcome by a firmware change or this proposed
vulnerability," it said.
Click here to read H-P's full statement issued in response to this story.
Cui and Stolfo say they've reverse engineered software that controls common Hewlett-
Packard LaserJet printers. Those printers allow firmware upgrades through a process called
"Remote Firmware Update." Every time the printer accepts a job, it checks to see if a
software update is included in that job. But they say printers they examined don't
discriminate the source of the update software a typical digital signature is not used to
verify the upgrade softwares authenticity so anyone can instruct the printer to erase its
operating software and install a booby-trapped version.
In all cases, the Columbia researchers claim, duping a would-be target into printing a virus-
laden document is enough to take control of that person's printer; but in some cases, printers
are configured to accept print jobs via the Internet, meaning the virus can be installed
remotely, without any interaction by the printer's owner.
It's like selling a car without selling the keys to lock it, Stolfo said. Its totally insecure.
Columbia University
Columbia researcher Ang Cui explains how he was able to infect an HP printer
with malicious code.
Rewriting the printer's firmware takes only about 30 seconds, and a virus would be virtually
impossible to detect once installed. Only pulling the computer chips out of the printer and
testing them would reveal an attack, Cui said. No modern antivirus software has the ability
to scan, let alone fix, the software which runs on embedded chips in a printer.
First of all, how the hell doesn't HP have a signature or certificate indicating that new
firmware is real firmware from HP? said Mikko Hypponen, head of research at security firm
F-Secure, when told of the flaw. Printers have been a weak spot for many corporate
networks. Many people dont realize that a printer is just another computer on a network
with exactly the same problems and, if compromised, the same impact.
advertisement
There are plenty of points of contention between HP and the researchers, however. Moore,
the HP executive, said the firms newer printers do require digitally signed firmware
upgrades, and have since 2009. The printers tested by the researchers are older models,
Moore said.
In contrast, the Columbia researchers say they purchased one of the printers they hacked in
September at a major New York City office supply store.
Moore also said that the impact of any potential vulnerability is limited because most home
users have InkJet printers not LaserJet printers and they do not permit remote
firmware upgrade, he said.
Still, a widespread flaw in LaserJet printers would raise serious issues. Hewlett Packard
dominates the printer market; the firm says it's sold 100 million LaserJet printers since
1984, meaning millions of computers could be vulnerable. HP, by far the dominant printer
seller worldwide with 42 percent of the market, sells about 50 million printers of all kinds
annually, according to IDC.
In an exclusive demonstration for msnbc.com at Columbia Universitys Intrusion Detection
Systems Laboratory, Cui and Stolfo revealed the kind of havoc an attacker could wreak once
they gained control of a printer. After sending a virus-laced print job to a target printer, the
device's small screen read, in sequence, "Erasing...Programming...Code Update Complete."
In one demonstration, Cui printed a tax return on an infected printer, which in turn sent the
tax form to a second computer playing the part of a hackers machine. The latter computer
then scanned the document for critical information such as Social Security numbers, and
when it found one, automatically published it on a Twitter feed.
A hacker who merely wanted to wreak havoc could easily disable thousands or perhaps
millions of vulnerable printers, Cui said, as it is trivial to send the printer upgrades that
would render it inoperable.
Beachhead?
But the researchers say the possibilities created by hijacked printers go far beyond pranks or
identity theft. Printers on a company network are nearly always trusted by other computers.
A hijacked printer could act as a beachhead to attack a company's network that was
otherwise protected by a firewall. Few companies are prepared to protect themselves from
an attack by their own printer.
Moore also disagreed with this assertion. He said standard print jobs could not be used to
initiate a firmware upgrade; only specially-crafted files sent directly to the printer can do
that. Were that true, the vulnerability could only be exploited on printers left exposed to the
Internet; printers behind a firewall would be safe.
This (vulnerability) is probably not as broad as what I had heard in their first
announcement, Moore said. It sounds like we disagree on what the exposure might be.
advertisement
But the Columbia researchers say standard print commands sent both from a Macintosh
computer and a PC running Linux tricked an HP printer into reprogramming itself. Moore
later conceded that might be true; but the two sides disagreed on whether users in a
Microsoft Windows environment were safe from the attack.
Even home users with printers that are not directly connected to the Internet are at risk, Cui
said. As long as the printer is connected to a computer through a USB cable, for example
it could be used to launch attacks, or as part of a botnet.
A quick scan of unprotected printers left open to Internet attack by the researchers found
40,000 devices that they said could be infected within minutes.
Cui discovered the lack of authentication by physically disassembling the printer, and
painstakingly reading output from its chipset, one character at a time. The chips run off-the-
shelf operating systems like VxWorks and Linx, a scaled-down version of the Linux operating
system designed for embedded devices. Reprogramming the chip was relatively easy, he
said and now that the concept has been proven, he thinks others could reproduce his work
in a day or two.
"In fact, it's almost impossible to think that someone else hasn't already done this," he said.
Fixing the flaw will not be easy, Stolfo said. There is no natural path to update printer
operating system software, as there is for desktop PC software. It's possible a consortium of
firms could "push out a fix," once one is available, he said. He urged HP to work with
companies like Microsoft to help consumers update their printers. (Msnbc.com is a joint
venture of Microsoft and NBC Universal.)
One particularly vexing part of the fix: Printers that are already compromised by rogue
software likely cannot be fixed. An attacker could easily shut down the pathway for future
updates that would cure an infected printer.
If and when HP rolls out a fix, if a printer is already compromised, the fix would be
completely ineffective. Once you own the firmware, you own it forever. Thats why this
problem is so serious, and so different, Cui said. This is nothing like fixing a virus on your
PC.
Such inability to help consumers manually secure their printers could ultimately have
disastrous consequences, Stolfo said.
It may ultimately lead to telling everyone they just have to throw their printers out and
start over, he said. "Fixing this is going to require a very coordinated effort by the industry,"
Stolfo said.
Rogue software
Hypponen said that the anti-virus industry could develop software tools that would detect
booby-trapped print jobs in word processing documents or emails, and thwart attempts to
update printers with rogue software that way. But such an approach would hardly be
foolproof.
advertisement
The Columbia researchers are just beginning to sample printers sold by other manufacturers;
the research is inconclusive so far, but Stolfo and Cui believe the problem is not limited to
Hewlett-Packard machines.
I think it is very wise to broadcast the problem as soon as possible so all of the printer
manufacturers start looking at their security architectures more seriously, Stolfo said. It is
conceivable that all printers are vulnerable. Printers that are 3-, 4-, 5-years-old and older,
Id think, all used unsigned software. The question is, How many of those printers are out
there? It could be much more than 100 million.
Thats why Stolfo and Cui decided to go public with the vulnerability: They believe the sheer
scope of the flaw requires immediate attention and cooperation from multiple elements of the
tech industry. The two are currently helping HP devise a mitigation strategy.
HP continues to research the potential flaw, but its too early for the firm to announce which
products might be impacted, or what consumers should do.
Until we know things like whether Windows users are affected, whether this is a class or
specific product issue, it is frankly irresponsible to say more, Moore said. If this turns out
to be the broad (problem) that's being discussedwe will reach out to customers and get it
fixed. We support our customers and value their trust.
Printers, however, are just the tip of the iceberg when it comes to vulnerable embedded
devices, Stolfo warned. Columbia researchers have found that many gadgets now wired to
connect to the Internet including DVD players, telephone conference tools, even home
appliances have no security at all.
"Right now, very few people are thinking about the security of all these devices, so we're
moving on to look at many more of them, Stolfo said, noting that supposedly secure offices
even in sensitive government agencies have networked teleconferencing devices, printers,
even thermostats that create security risks.
This is a whole area that is being ignored, he continued. While most folks are focused on
applications, there is a comfort level with (embedded systems) that is nonsensical. There's no
focus on the security of these devices we take for granted and we carry into secure
environments every day.
Don't miss the next Red Tape:
*Get Red Tape headlines on your Facebook Wall
*Follow Bob on Twitter.
*Get an e-mail newsletter with Red Tape stories (requires Newsvine registration).

You might also like