By Jake Edge
November 30, 2011
Regular readers of this page will not find it surprising to hear about attacks against hardware, typically through the firmware installed on it. The recent report about a vulnerability in HP laser printers falls into that category, but there are some twists. The researchers at Columbia University certainly picked an attention-getting example when they were able to alter the printer firmware and nearly set the paper being printed on fire, but HP's reaction to the flaw, at least so far, is eye-opening as well.
The flaw is a simple one, evidently. Print jobs sent to the printers are scanned to see if they contain a firmware update and, if so, the update is installed. Crucially, the update is not checked for any kind of digital signature, nor is user input requested before performing the update. In the msnbc report, HP's Keith Moore, chief technologist for the printer division, said that printers since 2009 have required signed updates, but the Columbia researchers "say they purchased one of the printers they hacked in September at a major New York City office supply store". Regardless, there are certainly millions of pre-2009 HP laser printers in service that are presumably vulnerable.
The researchers were able to rewrite the firmware so that it "would continuously heat up the printer's fuser — which is designed to dry the ink once it's applied to paper — eventually causing the paper to turn brown and smoke". Before the paper could catch fire, though, a "thermal breaker" shut down the printer—seemingly permanently. In a press release, HP said that the breaker is designed to thwart just that kind of problem. The company also said that the breaker "cannot be overcome by a firmware change or this proposed vulnerability". That's certainly a nice safety feature, but disabled printers definitely make for a painful denial-of-service attack.
There are several other interesting parts of the rather defensively worded press release. According to HP, no customers have reported suffering from these firmware-rewrite attacks, but it's unclear how those customers would know. Obviously, if their printers were emitting brown, smoking paper, there would be little question, but the researchers demonstrated other kinds of attacks that would be more difficult to detect:
In one demonstration, [Ang] Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker's machine. The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.
As might be guessed, HP tries to minimize the extent of the problem, but it's not yet clear that the company completely understands the ramifications. From the press release:
The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.
Given the attack vector, submitted print jobs, it's a bit hard to believe that only Linux or Mac systems can trigger the problem. While that may be the case, it seems much more likely that there are ways to coerce Windows into submitting jobs with firmware upgrades as well. How else would customers running Windows do a firmware update? Even if Windows is somehow prevented from sending a corrupted print job, it's pretty uncommon today to find a corporate network with no Mac or Linux machines on it.
It's also rather disingenuous to suggest that printers behind firewalls (on networks with no malicious users) are somehow immune. Again, that could be the case, but it is far more likely that malware of various sorts could cause jobs to be sent to printers. A firewall doesn't necessarily prevent web or email-based attacks, for example, and anti-virus software is unlikely to be looking for malware exploiting printer vulnerabilities.
It doesn't take much imagination to come up with other attacks beyond those demonstrated. Printers could be used as part of a botnet, as bridgeheads to launch further attacks on a corporate network, and so on. Like many devices, printers are fairly capable general-purpose computers under the covers, even if they tend to have fewer resources (e.g. CPU horsepower, RAM) than desktops or servers.
HP has said that it will put out a firmware update to fix the problem, but it will be a challenge to get those patches installed on all of the affected devices. And, as pointed out in the msnbc report, any printers that are already infected—if attackers have previously discovered the hole—may well reject any further attempts to upgrade them. In addition, while the researchers found the problem in LaserJets, there is no reason to believe that other printers—or other networked devices, from HP and others—don't suffer from similar flaws. In many ways, embedded device security is in its infancy.
It is a difficult balancing act, however. If recent HP printers will only accept firmware updates that are signed using HP's keys, that solves the problem of this kind of attack, but leaves a different problem in its wake: lockdown by a manufacturer. As we have seen with TiVo, PlayStation 3, locked-down mobile phones, and other devices, manufacturers may be able to add anti-features, disable previously working features, and generally interfere with the owner's wishes when only they hold the keys to a device.
It is, in some ways, similar to the UEFI secure boot issues that have been in the news recently. In both cases, customers that want to actually own their devices are going to need a way to store their own key and have it be trusted by the device. That may be overkill for printers or other devices, so manufacturers could just require some manual, user-present action (e.g. press the OK button) to do a firmware upgrade. Doing it that way may be painful for corporate IT departments that need to upgrade hundreds of printers at once, but the alternative, ceding all upgradability only to the manufacturer, has some major downsides as well.
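The acceptance policy the article argues for (an update is installed only if it is signed by a key the device trusts, whether the manufacturer's or one the owner enrolled, and only after a user-present confirmation), as an added example that is not code from the article or from HP. The container layout and key names are constructed for the example, and Lamport one-time signatures stand in for a production signature scheme so that it runs with Python's standard library alone.

```python
# Added example (not the article's or HP's code): the firmware-update
# acceptance policy the article argues for. Install only if the image is
# signed by a key the device trusts (manufacturer or owner-enrolled) and a
# user-present action confirmed it. Lamport one-time signatures over SHA-256
# stand in for a production scheme; the container layout is constructed.
import hashlib, os, struct

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # 256 pairs of random secrets; the public key is their SHA-256 hashes.
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    # Reveal, for each bit of H(msg), the secret matching that bit.
    d = int.from_bytes(H(msg), "big")
    return b"".join(sk[i][(d >> (255 - i)) & 1] for i in range(256))

def verify(pk, msg, sig):
    if len(sig) != 256 * 32:
        return False
    d = int.from_bytes(H(msg), "big")
    return all(H(sig[32 * i:32 * i + 32]) == pk[i][(d >> (255 - i)) & 1]
               for i in range(256))

def key_id(name):
    return name.ljust(16, b"\0")  # fixed 16-byte key identifier

def pack(firmware, kid, sig):
    # Constructed container: 16-byte key id, 4-byte length, image, signature.
    return struct.pack(">16sI", kid, len(firmware)) + firmware + sig

def accept_update(blob, trusted, user_present):
    """Decide whether an update embedded in a print job may be installed.
    `trusted` maps key id -> public key. Returns (installed, reason)."""
    if not user_present:
        return False, "no user-present confirmation"
    if len(blob) < 20:
        return False, "truncated header"
    kid, n = struct.unpack(">16sI", blob[:20])
    firmware, sig = blob[20:20 + n], blob[20 + n:]
    if len(firmware) != n:
        return False, "truncated payload"
    if kid not in trusted:
        return False, "unknown signing key"
    if not verify(trusted[kid], firmware, sig):
        return False, "bad signature"
    return True, "installed"
```

The trusted-key table is where an owner-enrolled key lives alongside the manufacturer's, which is the UEFI-style arrangement the article describes; a modified image, an unknown signer, or a missing confirmation each fails for a distinct, loggable reason.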
Brief items
Like the FTC on Facebook and follow us on Twitter.
-- The evidently irony-impaired US Federal Trade Commission (FTC) announces a privacy settlement with Facebook
Will there also be "If You See Something, Say Something™" Day, with Janet Napolitano bobbleheads given to all the kids? This kind of thing only serves to ratchet up fear, and doesn't make us any safer.
-- Bruce Schneier comments on Major League Soccer's partnership with the US Department of Homeland Security
I believe that smart phones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people's lives -- smart phone banking, electronic wallets -- they're simply going to become the most valuable device for criminals to go after. And I don't believe the iPhone will be more secure because of Apple's rigid policies for the app store.
-- Schneier again
[Michael] Osterholm says he can't discuss details of the papers because he's an NSABB [US National Science Advisory Board for Biosecurity] member. But he says it should be possible to omit certain key details from controversial papers and make them available to people who really need to know. "We don't want to give bad guys a road map on how to make bad bugs really bad," he says.
-- ScienceInsider reports on disclosure policy questions in the world of virology (by way of Schneier).
New vulnerabilities
apt: repository credential disclosure
| Package(s): | apt |
| CVE #(s): | CVE-2011-3634 |
| Created: | November 28, 2011 |
| Updated: | November 30, 2011 |
| Description: | From the Ubuntu advisory: It was discovered that APT incorrectly handled the Verify-Host configuration option. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to steal repository credentials. This issue only affected Ubuntu 10.04 LTS and 10.10. |
| Alerts: | |
glibc: multiple vulnerabilities
| Package(s): | glibc |
| CVE #(s): | CVE-2011-1089, CVE-2011-1659 |
| Created: | November 28, 2011 |
| Updated: | December 7, 2011 |
| Description: | From the Mandriva advisory: The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296 (CVE-2011-1089). Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071 (CVE-2011-1659). |
| Alerts: | |
hardlink: multiple vulnerabilities
| Package(s): | hardlink |
| CVE #(s): | CVE-2011-3630, CVE-2011-3631, CVE-2011-3632 |
| Created: | November 24, 2011 |
| Updated: | August 20, 2012 |
| Description: | From the Fedora advisory: CVE-2011-3630 hardlink: Multiple stack-based buffer overflows when run on a tree with deeply nested directories. CVE-2011-3631 hardlink: Multiple integer overflows, when adding string lengths. CVE-2011-3632 hardlink: Prone to symlink attacks. |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2011-4110 |
| Created: | November 25, 2011 |
| Updated: | December 27, 2011 |
| Description: | From the Red Hat bugzilla: A flaw was found in the way Linux kernel handled user-defined key types. An unprivileged local user could use this flaw to crash the system. |
| Alerts: | |
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2011-4326, CVE-2011-3593, CVE-2011-3359 |
| Created: | November 28, 2011 |
| Updated: | November 30, 2011 |
| Description: | From the Oracle advisory: A flaw was found in the way the Linux kernel handled fragmented IPv6 UDP datagrams over the bridge with UDP Fragmentation Offload (UFO) functionality on. A remote attacker could use this flaw to cause a denial of service. (CVE-2011-4326, Important) A flaw was found in the way the Linux kernel handled VLAN 0 frames with the priority tag set. When using certain network drivers, an attacker on the local network could use this flaw to cause a denial of service. (CVE-2011-3593, Moderate) allocate receive buffers big enough for max frame len + offset (Maxim Uvarov) {CVE-2011-3359} |
| Alerts: | |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2011-2203 |
| Created: | November 29, 2011 |
| Updated: | November 30, 2011 |
| Description: | From the Red Hat advisory: A NULL pointer dereference flaw was found in the Linux kernel's HFS file system implementation. A local attacker could use this flaw to cause a denial of service by mounting a disk that contains a specially-crafted HFS file system with a corrupted MDB extent record. |
| Alerts: | |
net6: multiple vulnerabilities
| Package(s): | net6 |
| CVE #(s): | CVE-2011-4093, CVE-2011-4091 |
| Created: | November 25, 2011 |
| Updated: | January 5, 2012 |
| Description: | From the Red Hat bugzilla: Vasiliy Kulikov reported that libnet6 did not check the basic_server::id_counter for integer overflows. This number is used to distinguish different users, so an attacker that was able to open UINT_MAX successive connections could get an identifier of an already existing connection, allowing them to hijack that user's connection. (CVE-2011-4093) Vasiliy Kulikov reported that libnet6 would check for user color collisions prior to authentication. This could allow for the disclosure of certain user information by users that were not authenticated. (CVE-2011-4091) |
| Alerts: | |
rest, libsocialweb: multiple vulnerabilities
| Package(s): | rest, libsocialweb |
| CVE #(s): | CVE-2011-4129 |
| Created: | November 25, 2011 |
| Updated: | November 23, 2012 |
| Description: | A connection to twitter servers is established by default, whether you want it or not. See the Red Hat bugzilla for details. |
| Alerts: | |
ReviewBoard: cross-site scripting
| Package(s): | ReviewBoard |
| CVE #(s): | CVE-2011-4312 |
| Created: | November 29, 2011 |
| Updated: | November 30, 2011 |
| Description: | From the Red Hat bugzilla: A cross-site scripting (XSS) flaw was found in the way the commenting system of ReviewBoard, a web-based code review tool, sanitized user input (new comments to be loaded). A remote attacker could provide a specially-crafted URL, which once visited by a valid ReviewBoard user could lead to arbitrary HTML or web script execution in the 'diff viewer' or 'screenshot pages' components. |
| Alerts: | |
update-manager: multiple vulnerabilities
| Package(s): | update-manager |
| CVE #(s): | CVE-2011-3152, CVE-2011-3154 |
| Created: | November 28, 2011 |
| Updated: | February 16, 2012 |
| Description: | From the Ubuntu advisory: David Black discovered that Update Manager incorrectly extracted the downloaded upgrade tarball before verifying its GPG signature. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could potentially be used to replace arbitrary files. (CVE-2011-3152) David Black discovered that Update Manager created a temporary directory in an insecure fashion. A local attacker could possibly use this flaw to read the XAUTHORITY file of the user performing the upgrade. (CVE-2011-3154) |
| Alerts: | |
Page editor: Jake Edge