
Printer vulnerabilities via firmware update

By Jake Edge
November 30, 2011

Regular readers of this page will not find it surprising to hear about attacks against hardware, typically through the firmware installed on them. The recent report about a vulnerability in HP laser printers falls into that category, but there are some twists. The researchers at Columbia University certainly picked an attention-getting example when they were able to alter the printer firmware and nearly set the paper being printed on fire, but HP's reaction to the flaw, at least so far, is eye-opening as well.

The flaw is a simple one, evidently. Print jobs sent to the printers are scanned to see if they contain a firmware update; if so, the update is installed. Crucially, the update is not checked for any kind of digital signature, nor is user input requested before performing the update. In the msnbc report, HP's Keith Moore, chief technologist for the printer division, said that printers since 2009 have required signed updates, but the Columbia researchers "say they purchased one of the printers they hacked in September at a major New York City office supply store". Regardless, there are certainly millions of pre-2009 HP laser printers in service that are presumably vulnerable.

The researchers were able to rewrite the firmware so that it "would continuously heat up the printer's fuser — which is designed to dry the ink once it's applied to paper — eventually causing the paper to turn brown and smoke". Before the paper could catch fire, though, a "thermal breaker" shut down the printer—seemingly permanently. In a press release, HP said that the breaker is designed to thwart just that kind of problem. The company also said that the breaker "cannot be overcome by a firmware change or this proposed vulnerability". That's certainly a nice safety feature, but disabled printers definitely make for a painful denial-of-service attack.

There are several other interesting parts of the rather defensively worded press release. According to HP, no customers have reported suffering from these firmware-rewrite attacks, but it's unclear how those customers would know. Obviously, if their printers were emitting brown, smoking paper, there would be little question, but the researchers demonstrated other kinds of attacks that would be more difficult to detect:

In one demonstration, [Ang] Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker's machine. The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.

As might be guessed, HP tries to minimize the extent of the problem, but it's not yet clear that the company completely understands the ramifications. From the press release:

The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

Given the attack vector, submitted print jobs, it's a bit hard to believe that only Linux or Mac systems can trigger the problem. While that may be the case, it seems much more likely that there are ways to coerce Windows into submitting jobs with firmware upgrades as well. How else would customers running Windows do a firmware update? Even if Windows is somehow prevented from sending a corrupted print job, it's pretty uncommon today to find a corporate network with no Mac or Linux machines on it.

It's also rather disingenuous to suggest that printers behind firewalls (on networks with no malicious users) are somehow immune. Again, that could be the case, but it is far more likely that malware of various sorts could cause jobs to be sent to printers. A firewall doesn't necessarily prevent web or email-based attacks, for example, and anti-virus software is unlikely to be looking for malware exploiting printer vulnerabilities.

It doesn't take much imagination to come up with other attacks beyond those demonstrated. Printers could be used as part of a botnet, as bridgeheads to launch further attacks on a corporate network, and so on. Like many devices, printers are fairly capable general-purpose computers under the covers, even if they tend to have fewer resources (e.g. CPU horsepower, RAM) than desktops or servers.

HP has said that it will put out a firmware update to fix the problem, but it will be a challenge to get those patches installed on all of the affected devices. And, as pointed out in the msnbc report, any printers that are already infected—if attackers have previously discovered the hole—may well reject any further attempts to upgrade them. In addition, while the researchers found the problem in LaserJets, there is no reason to believe that other printers—or other networked devices, from HP and others—don't suffer from similar flaws. In many ways, embedded device security is in its infancy.

It is a difficult balancing act, however. If recent HP printers will only accept firmware updates that are signed using HP's keys, that solves the problem of this kind of attack, but leaves a different problem in its wake: lockdown by a manufacturer. As we have seen with TiVo, PlayStation 3, locked-down mobile phones, and other devices, manufacturers may be able to add anti-features, disable previously working features, and generally interfere with the owner's wishes when only they hold the keys to a device.

It is, in some ways, similar to the UEFI secure boot issues that have been in the news recently. In both cases, customers that want to actually own their devices are going to need a way to store their own key and have it be trusted by the device. That may be overkill for printers or other devices, so manufacturers could just require some manual, user-present action (e.g. press the OK button) to do a firmware upgrade. Doing it that way may be painful for corporate IT departments that need to upgrade hundreds of printers at once, but the alternative, ceding all upgradability only to the manufacturer, has some major downsides as well.
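The acceptance policy discussed in the two paragraphs above, as an added example (not code from HP, the researchers, or this article): a gate that flashes an image only if it is signed by the vendor key or by an owner-enrolled key, and otherwise requires a one-shot front-panel enable. The type and anchor names, the constructed image, and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// UpdateGate models the acceptance policy only. Type, field and anchor names
// are hypothetical; this is not HP's firmware format or update protocol.
type UpdateGate struct {
	Trusted      map[string]ed25519.PublicKey // vendor key plus owner-enrolled keys
	PanelEnabled bool                         // set from the front panel only
}

// Accept returns the trust anchor that authorised the image, or "" to reject.
func (g *UpdateGate) Accept(image, sig []byte) string {
	for name, pub := range g.Trusted {
		if ed25519.Verify(pub, image, sig) {
			return name
		}
	}
	// No trusted signature: allow only with physical presence, and only once.
	if g.PanelEnabled {
		g.PanelEnabled = false
		return "front-panel"
	}
	return ""
}

// RunDemo feeds constructed images through the gate and records each decision.
func RunDemo() []string {
	vendorPub, vendorKey, _ := ed25519.GenerateKey(nil)
	ownerPub, ownerKey, _ := ed25519.GenerateKey(nil)
	_, rogueKey, _ := ed25519.GenerateKey(nil) // never enrolled on the device
	g := &UpdateGate{Trusted: map[string]ed25519.PublicKey{"vendor": vendorPub, "owner": ownerPub}}
	img := []byte("constructed firmware image v2")
	out := []string{
		g.Accept(img, ed25519.Sign(vendorKey, img)),              // vendor-signed
		g.Accept(img, ed25519.Sign(ownerKey, img)),               // owner-signed
		g.Accept(img, ed25519.Sign(rogueKey, img)),               // unknown signer
		g.Accept(append(img, 'X'), ed25519.Sign(vendorKey, img)), // image altered after signing
	}
	g.PanelEnabled = true
	out = append(out, g.Accept(img, nil))  // unsigned, panel enabled
	return append(out, g.Accept(img, nil)) // unsigned, enable already consumed
}

func main() { fmt.Printf("%q\n", RunDemo()) }
```

Because the front-panel enable is cleared on first use, a second unsigned image sent right after a legitimate manual update is rejected rather than riding on the same approval.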



Printer vulnerabilities via firmware update

Posted Dec 1, 2011 5:28 UTC (Thu) by pabs (subscriber, #43278) [Link] (1 responses)

This might be a useful vulnerability if one wanted to replace the OS running on the printer with Free Software.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 9:15 UTC (Thu) by dgm (subscriber, #49227) [Link]

CUPS error: lp0 on fire

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 9:45 UTC (Thu) by james (subscriber, #1325) [Link] (7 responses)

> ...manufacturers could just require some manual, user-present action (e.g. press the OK button) to do a firmware upgrade. Doing it that way may be painful for corporate IT departments that need to upgrade hundreds of printers at once,
but not nearly as painful as the results when malicious firmware is sent to the printer and the user who just wants a print job presses "OK" without reading the printer's display (assuming it has one), which will happen more often than not.

I'd suggest doing it through a password-protected web interface instead -- nearly all the network-enabled printers I've seen have one of these anyway.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 10:59 UTC (Thu) by intgr (subscriber, #39733) [Link] (1 responses)

> I'd suggest doing it through a password-protected web interface instead
99% of which still have the default password set.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 17:22 UTC (Thu) by cesarb (subscriber, #6266) [Link]

> 99% of which still have the default password set.

Or the password is set but does not have much effect. On a printer we have here at work, I set the administrator password to prevent people from accidentally changing the settings. Imagine my surprise when I found out the settings had changed anyway.

It seems that, when installing the Windows driver for that printer, it has a wizard to set up the printer (configuring the fax settings and a few other things). That wizard seemed to completely ignore the administrator password I had set on the web interface.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 11:25 UTC (Thu) by epa (subscriber, #39769) [Link] (2 responses)

Yes, pressing 'OK' is not going to cut it. It would need to be an entry buried in the printer menu, 'apply downloaded firmware update'.

Printer vulnerabilities via firmware update

Posted Dec 2, 2011 18:50 UTC (Fri) by giraffedata (guest, #1954) [Link] (1 responses)

> pressing 'OK' is not going to cut it. It would need to be an entry buried in the printer menu, 'apply downloaded firmware update'.

Of course, that additional hassle would reduce the likelihood the firmware would get applied, and the great majority of users, who want HP to own their printer problems, would be disserved.

Maybe a hybrid makes sense: the printer will take HP-signed updates automatically, but a difficult menu option lets you apply an unsigned update. Or change the signing key.

Printer vulnerabilities via firmware update

Posted Dec 3, 2011 0:33 UTC (Sat) by Fowl (subscriber, #65667) [Link]

Unfortunately, that menu option would never be tested, and break. Almost immediately.

Printer vulnerabilities via firmware update

Posted Dec 7, 2011 4:30 UTC (Wed) by k8to (guest, #15413) [Link]

There's an "enterprise" solution to this sort of thing.

Allow the users to load corp-specific keys onto their printers, and require a matching signature to upgrade the firmware or do other administrative tasks. Then allow upgrades to occur without "press OK to continue" when the signatures are present.

This isn't really that hard to do.

Printer vulnerabilities via firmware update

Posted Dec 8, 2011 6:07 UTC (Thu) by jamesh (guest, #1159) [Link]

One of the tools HP provides is a utility to scan for HP printers connected to the local network, determine which ones need a firmware update and flash them all at once.

Requiring the administrator to go out and hit a button on each of those printers would severely reduce the utility of that tool. I'd guess most administrators would prefer an update that let them continue to manage printers the way they always have.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 12:32 UTC (Thu) by mjthayer (guest, #39183) [Link] (5 responses)

"HP's reaction to the flaw, at least so far, is eye-opening as well."

I would say that putting the printers behind a firewall is a very sensible idea if they are going to start burning their paper.

firewalls are not magic

Posted Dec 1, 2011 13:52 UTC (Thu) by dlang (guest, #313) [Link] (2 responses)

putting a printer behind a firewall doesn't actually do you much good if the same protocol that you use to print can be used to do firmware updates (unless you have an application level firewall that can detect the firmware update and block it)

if you have a printer directly exposed to the Internet, then you also are allowing anyone on the Internet to print anything they want in your office, using up paper and toner, wearing out the printer. That seems like a rather significant problem in and of itself :-)

firewalling also won't really help the identity theft example given (it may make it a smidge more complicated), because all that you need to do is to have the printer store the document and the second computer can retrieve the info later

Why a problem?

Posted Dec 1, 2011 14:54 UTC (Thu) by NRArnot (subscriber, #3033) [Link] (1 responses)

Why is it automatically a problem to have your printer directly exposed to the internet? There's a sort of printer called a fax machine that has long been intended to be globally exposed to the telephone network. Before that there was the Telex machine. The worst that someone can do is to consume the printer's currently loaded supply of paper and ink, which is annoying but not catastrophic. Further, deliberately doing so is almost certainly criminal damage and may not be very hard to trace back to the perpetrator. If he knows how to cover his tracks he's hardly likely to be interested in merely wasting paper and ink.

The game changes dramatically if that is NOT the worst they can do, if they can write the device firmware via the port(s) intended to be used for writing the paper. Firmware updates should access the printer through a different port, and the printer should as shipped have that port either firewalled for local subnet access only, or (much better) turned off. SOP would then be "Firmware Update Enable" -> "On" using the front panel, before running the firmware updater, which in turn should re-set the enable state to "Off" upon successfully installing the update. Paranoia should dictate re-setting to "Off" maybe 12 hours later, even if no firmware update was sent.

It's the problem of the missing hardware write-lock switch, for the umpteenth time.

Why a problem?

Posted Dec 8, 2011 6:31 UTC (Thu) by jamesh (guest, #1159) [Link]

I haven't had to manage printers in a while, but with some of the older HP printers, the only way to send data to the print engine was via print jobs.

While the printers came with fancy network interface cards with support for almost every network printing protocol you can think of, these were essentially separate devices. The NIC could be used with a number of different models of printer, and the printer would function if you removed the NIC. Without the NIC, the only methods of input were the parallel port and the buttons on the control panel.

If you wanted to upgrade the print engine's firmware (as opposed to the NIC's firmware), it needed to be as a print job. You could submit this job via the parallel port or via the NIC -- it would look the same to the print engine.

I wouldn't be surprised if they could improve things these days where networking is integrated into the printers better, but there is probably a lot of legacy code in the printers.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 13:58 UTC (Thu) by ekj (guest, #1524) [Link] (1 responses)

Indeed. I recommend brick, myself. Also, a non-flammable surface and ceiling should be installed around the printer.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 14:08 UTC (Thu) by mjthayer (guest, #39183) [Link]

> Indeed. I recommend brick, myself.

The article said that the printers were bricked at the end of the operation anyway.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 13:36 UTC (Thu) by clugstj (subscriber, #4020) [Link] (1 responses)

Which is it? Laser or inkjet? The article says "HP laser printers", but the quote says "would continuously heat up the printer's fuser — which is designed to dry the ink". I believe that "fuser"s are used in laser printers to fuse the toner to the paper.

Printer vulnerabilities via firmware update

Posted Dec 7, 2011 4:32 UTC (Wed) by k8to (guest, #15413) [Link]

Well, broadly speaking, isn't toner a kind of ink? Or no? Does ink necessarily mean a chemical which binds with the fibers, whereas toner just gets glued on?

In 'layman speak' it seemed comprehensible, anyway.

Internal threats?

Posted Dec 5, 2011 0:10 UTC (Mon) by jzbiciak (guest, #5246) [Link]

My employer has a large number of aging HP printers all about, and so far as I know, all the print queues are at least visible to all. In my area, we have two LaserJet 8100s that almost date back to the Clinton Administration. So what happens if someone decides to see what Corporate Finance is up to ahead of the quarterly earnings report, and tweaks the firmware on the beancounters' printers?

(Great, now that I've mentioned the idea on the Internet, if someone does it where I work, they'll blame me.)

Printer vulnerabilities via firmware update

Posted Dec 6, 2011 21:09 UTC (Tue) by job (guest, #670) [Link]

Can someone who works at HP Printing or similar explain how those damage control spins get so amazingly spun out of control?

I mean, blaming _Linux_? Really? Windows can't open TCP sockets now?

It's so mindblowingly stupid, I just hope people see through it.

Printer vulnerabilities via firmware update

Posted Dec 7, 2011 4:28 UTC (Wed) by k8to (guest, #15413) [Link]

Amusingly, many postscript printers are even less secure.

Many years ago my friend (unnamed here) wrote a proof of concept postscript job that simply stayed resident indefinitely and did various amusing modifications to later jobs and ongoing changes to printer behavior.

The job worked unchanged across significant numbers of printer models.

No upgrade attack needed, the primary use vector was enough to compromise.


Copyright © 2011, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.