By Jake Edge
November 30, 2011
Regular readers of this page will not find it surprising to hear about
attacks against hardware,
typically through the firmware installed on them. The recent report
about a vulnerability in HP laser printers falls into that category,
but there are some twists. The researchers at Columbia University
certainly picked an attention-getting example when they were able to alter
the printer firmware and nearly set the paper being printed on fire, but
HP's reaction to
the flaw, at least so far, is eye-opening as well.
The flaw is a simple one, evidently. Print jobs sent to the printers are
scanned to see if they contain a firmware update; if so, the update is
installed. Crucially, the update is not checked for any kind of digital
signature, nor is user input requested before performing the update. In
the msnbc report, HP's
Keith Moore, chief technologist for the printer division, said that
printers since 2009 have required signed updates, but the Columbia
researchers "say they purchased one of the printers they hacked in
September at a major New York City office supply
store". Regardless, there are certainly millions of pre-2009 HP
laser printers in service that are presumably vulnerable.
The researchers were able to rewrite the firmware so that it "would
continuously heat up the printer's fuser — which is designed to dry
the ink
once it's applied to paper — eventually causing the paper to turn brown
and smoke". Before the paper could catch fire, though, a "thermal
breaker" shut down the printer—seemingly permanently. In a press
release, HP said that the breaker is designed to thwart just that kind
of problem. The company also said that the breaker "cannot be
overcome by a firmware change or this proposed
vulnerability". That's certainly a nice safety feature, but disabled
printers definitely make for a painful denial-of-service attack.
There are several other interesting parts of the rather defensively worded
press release. According to HP, no customers have reported suffering from
these firmware-rewrite attacks, but it's unclear how those customers would
know. Obviously, if their printers were emitting brown, smoking paper,
there would be little question, but the researchers demonstrated other
kinds of attacks that would be more difficult to detect:
"In one demonstration, [Ang] Cui printed a tax return on an infected printer,
which in turn sent the tax form to a second computer playing the part of a
hacker's machine. The latter computer then scanned the document for
critical information such as Social Security numbers, and when it found
one, automatically published it on a Twitter feed."
As might be guessed, HP tries to minimize the extent of the problem, but
it's not yet clear
that the company completely understands the ramifications. From the press
release:
"The specific vulnerability exists for some HP LaserJet devices if placed on
a public internet without a firewall. In a private network, some printers
may be vulnerable if a malicious effort is made to modify the firmware of
the device by a trusted party on the network. In some Linux or Mac
environments, it may be possible for a specially formatted corrupt print
job to trigger a firmware upgrade."
Given the attack vector, submitted print jobs, it's a bit hard to believe
that only Linux or Mac systems can trigger the problem. While that may be
the case, it seems much more likely that there are ways to coerce Windows
into submitting jobs with firmware upgrades as well. How else would
customers running Windows do a firmware update? Even if Windows is somehow
prevented from sending a corrupted print job, it's pretty uncommon today to
find a corporate network with no Mac or
Linux machines on it.
It's also rather disingenuous to suggest that printers behind firewalls
(on networks with no malicious users) are somehow immune. Again, that
could be the
case, but it is far more likely that malware of various sorts could cause
jobs to be sent to printers. A firewall doesn't necessarily prevent web or
email-based
attacks, for example, and anti-virus software is unlikely to be looking for
malware exploiting printer vulnerabilities.
It doesn't take much imagination to come up
with other attacks beyond those demonstrated. Printers could be used as
part
of a botnet, as bridgeheads to launch further attacks on a corporate
network, and so on. Like many devices, printers are fairly capable
general-purpose computers under the covers, even if they tend to have fewer
resources (e.g. CPU horsepower, RAM) than desktops or servers.
HP has said that it will put out a firmware update to fix the problem,
but it will be a challenge to get those patches installed on all of the
affected devices. And, as pointed out in the msnbc report, any printers that
are already infected—if attackers have previously discovered the hole—may well reject any further attempts to upgrade them.
In addition,
while the researchers found the problem in LaserJets,
there is no reason to believe that other printers—or other networked
devices, from HP and others—don't suffer from similar flaws. In many
ways, embedded device security is in its infancy.
It is a difficult balancing act, however. If recent HP printers will only
accept firmware updates that are signed using HP's keys, that solves the
problem of this kind of attack, but leaves a different problem in its wake:
lockdown by a manufacturer. As we have seen with TiVo, PlayStation 3,
locked-down mobile phones, and other devices, manufacturers may be able to
add anti-features,
disable previously working features, and generally interfere with the
owner's wishes when only
they hold the keys to a device.
It is, in some ways, similar to the UEFI
secure boot issues that have been in the
news recently. In both cases, customers that want to actually own their
devices are going to need a way to store their own key and have it be
trusted by the device. That may be overkill for printers or other devices,
so manufacturers could just require some
manual, user-present action (e.g. press the OK button) to do a firmware
upgrade. Doing it that way
may be painful
for corporate IT departments that need to upgrade hundreds of printers at
once, but the alternative, ceding all upgradability only to the
manufacturer, has some major downsides as well.
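
The acceptance policy discussed above, as an added example (not HP's firmware and not code from the report): an update is installed only if it verifies against a vendor key or an owner-enrolled key, or if someone confirms it at the panel. Lamport one-time signatures over SHA-256 stand in for a real signature scheme so the block runs on the Python standard library alone; every name, key and the sample image are constructed for illustration.

```python
import hashlib, hmac, os

def H(b):
    return hashlib.sha256(b).digest()

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signatures: a stdlib-only stand-in (assumption) for the real scheme.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, msg):
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg, sig):
    if not isinstance(sig, list) or len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(s), pk[i][bit])
               for i, (bit, s) in enumerate(zip(digest_bits(msg), sig)))

def decide(image, sig, trust_store, panel_ok=False):
    """Return (install, reason) for a candidate firmware image.

    trust_store maps a label to a public key; the "owner" slot lets the
    device's owner, not only the manufacturer, authorise firmware.
    """
    for label, pk in trust_store.items():
        if verify(pk, image, sig):
            return True, "signed by " + label
    if panel_ok:  # user-present fallback: OK pressed at the device itself
        return True, "confirmed at panel"
    return False, "no valid signature, no confirmation"

# Constructed keys and image, for illustration only.
vendor_sk, vendor_pk = keygen()
owner_sk, owner_pk = keygen()
TRUST = {"vendor": vendor_pk, "owner": owner_pk}
IMAGE = b"constructed firmware image"

def demo():
    altered = IMAGE + b" (altered in transit)"
    return [decide(IMAGE, sign(vendor_sk, IMAGE), TRUST),
            decide(IMAGE, sign(owner_sk, IMAGE), TRUST),
            decide(altered, sign(vendor_sk, IMAGE), TRUST),  # stale signature
            decide(altered, None, TRUST),   # the silent print-job case
            decide(altered, None, TRUST, panel_ok=True)]  # only as good as the person pressing OK
```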