Although computers and mobile devices seem to be at the top of cybercriminals’ hacking to-do lists nowadays, researchers from Columbia University are warning of a “devastating hack attack” targeting local printers.
A new study from Columbia University’s Department of Computer Science claims tens of millions of Hewlett-Packard printers are vulnerable to attack. According to HP, the flaws exist in its LaserJet printers made before 2009, but researchers claim other brands could possibly harbor the vulnerabilities as well.
Few details have leaked regarding the printer attack research. According to an Internet Storm Center (ISC) blog entry, the printers in question don’t check digital signatures before installing a firmware update. The devices’ “Remote Firmware Update” feature doesn’t require authentication or even a password for the update to commence, making it easy for hackers to compromise the machines. “Long story short, for an embedded system (or any system for that matter) if you can rewrite the operating system you can control the device and make it do all sorts of unintended things,” wrote John Bambenek, one of the ISC’s blog handlers.
The researchers demonstrated that an attacker theoretically could remotely set a printer on fire by overheating a fuser, penetrating computer networks and erasing code. HP, however, released a statement claiming the charges are “sensational” and the possibility of the machines catching fire is false, saying the LaserJet printers contain a “thermal breaker” that is designed to prevent this from happening.
However, the company did admit it has identified a “potential security vulnerability” but only “if placed on a public Internet without a firewall.”
Organizations shouldn’t panic because the technical details haven’t yet been released, said Ed Skoudis, a SANS instructor and a founder and senior security consultant with InGuardians, a Washington, D.C.-based information security consulting firm. Skoudis said enterprises should already be monitoring their printers and ensuring they are not connected to the Internet. Keep the devices patched and set some network filtering to constrain the printer to a limited set of connections, Skoudis said.
“Compared to the problem that mobile phones and tablets pose to corporate networks, this is small potatoes,” Skoudis said. “This is interesting and unique because of the physical threat posed via cyber-means, but we need more details before we can assess the risk.”
The Columbia University researchers are also claiming there is no easy way to detect a breach. “Best practices are likely sufficient to prevent against this attack, namely, you should never have printers (or any other embedded device for that matter) exposed to the Internet,” Bambenek wrote. He added that other than firewalling the device, monitoring traffic to and from the machine for anything other than its print jobs should give users “a sign that something is awry.”
HP said it is working on a firmware upgrade to mitigate the issue, but in the meantime, users should, as Bambenek explained, secure the machines with a firewall and disable remote firmware upload on exposed printers.
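The filtering and monitoring advice from Skoudis and Bambenek can be expressed as an allowlist check over connection records. The sketch below is an added example, not code from the researchers, HP or the ISC; the addresses, the print-server range, the printing ports (515, 631, 9100) and the record format (one row per connection, with the initiator as `src`) are assumptions about a hypothetical site.

```python
import csv, io, ipaddress

# Constructed policy for one site; every address and port is an assumption.
PRINTERS = {ipaddress.ip_address("10.20.0.50")}
PRINT_SERVERS = ipaddress.ip_network("10.20.0.8/30")
PRINT_PORTS = {515, 631, 9100}  # LPD, IPP, raw port-9100 printing
# Connections a printer may open itself: (destination, protocol, port).
PRINTER_OUTBOUND = {("10.20.0.2", "udp", 53), ("10.20.0.2", "udp", 123)}

# Constructed connection records: one row per connection, initiator as src.
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.20.0.9,10.20.0.50,tcp,9100
10.20.0.77,10.20.0.50,tcp,9100
10.20.0.50,10.20.0.2,udp,53
10.20.0.50,203.0.113.10,tcp,443
203.0.113.44,10.20.0.50,tcp,23
10.20.0.77,10.20.0.30,tcp,445
"""

def classify(flow):
    """Return None for expected traffic, otherwise the reason it stands out."""
    try:
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])
        proto, dport = flow["proto"].lower(), int(flow["dport"])
    except (KeyError, ValueError, TypeError, AttributeError):
        return "unparseable record"
    if dst in PRINTERS:
        if proto != "tcp" or dport not in PRINT_PORTS:
            return "non-print service contacted on printer"
        if src not in PRINT_SERVERS:
            return "print connection from host that is not a print server"
        return None
    if src in PRINTERS and (str(dst), proto, dport) not in PRINTER_OUTBOUND:
        return "printer opened an unexpected connection"
    return None  # allowed printer traffic, or not printer traffic at all

def audit(text):
    """Return (src, dst, proto, dport, reason) for each flagged record."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        reason = classify(row)
        if reason:
            alerts.append((row.get("src"), row.get("dst"), row.get("proto"),
                           row.get("dport"), reason))
    return alerts

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print(*alert)
```

The same allowlist doubles as the firewall rule set: anything `classify` flags is traffic the network filter in front of the printer should already be dropping.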
Network printers, scanners and copiers have long been identified as a potential attack vector because they often store sensitive documents in their print spool. A CBS News report in 2009 highlighted the problem of digital images stored on photocopiers. The news organization pulled hundreds of student names, home addresses, cell phone and Social Security numbers stored in the copier’s hard drive.
~SearchSecurity.com News Director Robert Westervelt contributed to this report.