Printer vulnerabilities via firmware update
Regular readers of this page will not find it surprising to hear about attacks against hardware, typically through the firmware installed on them. The recent report about a vulnerability in HP laser printers falls into that category, but there are some twists. The researchers at Columbia University certainly picked an attention-getting example when they were able to alter the printer firmware and nearly set the paper being printed on fire, but HP's reaction to the flaw, at least so far, is eye-opening as well.
The flaw is a simple one, evidently. Print jobs sent to the printers are scanned to see if they contain a firmware update; if so, the update is installed. Crucially, the update is not checked for any kind of digital signature, nor is user input requested before performing the update. In the msnbc report, HP's Keith Moore, chief technologist for the printer division, said that printers since 2009 have required signed updates, but the Columbia researchers "say they purchased one of the printers they hacked in September at a major New York City office supply store". Regardless, there are certainly millions of pre-2009 HP laser printers in service that are presumably vulnerable.
The researchers were able to rewrite the firmware so that it "would continuously heat up the printer's fuser — which is designed to dry the ink once it's applied to paper — eventually causing the paper to turn brown and smoke". Before the paper could catch fire, though, a "thermal breaker" shut down the printer—seemingly permanently. In a press release, HP said that the breaker is designed to thwart just that kind of problem. The company also said that the breaker "cannot be overcome by a firmware change or this proposed vulnerability". That's certainly a nice safety feature, but disabled printers definitely make for a painful denial-of-service attack.
There are several other interesting parts of the rather defensively worded press release. According to HP, no customers have reported suffering from these firmware-rewrite attacks, but it's unclear how those customers would know. Obviously, if their printers were emitting brown, smoking paper, there would be little question, but the researchers demonstrated other kinds of attacks that would be more difficult to detect:
As might be guessed, HP tries to minimize the extent of the problem, but it's not yet clear that the company completely understands the ramifications. From the press release:
Given the attack vector, submitted print jobs, it's a bit hard to believe that only Linux or Mac systems can trigger the problem. While that may be the case, it seems much more likely that there are ways to coerce Windows into submitting jobs with firmware upgrades as well. How else would customers running Windows do a firmware update? Even if Windows is somehow prevented from sending a corrupted print job, it's pretty uncommon today to find a corporate network with no Mac or Linux machines on it.
It's also rather disingenuous to suggest that printers behind firewalls (on networks with no malicious users) are somehow immune. Again, that could be the case, but it is far more likely that malware of various sorts could cause jobs to be sent to printers. A firewall doesn't necessarily prevent web or email-based attacks, for example, and anti-virus software is unlikely to be looking for malware exploiting printer vulnerabilities.
It doesn't take much imagination to come up with other attacks beyond those demonstrated. Printers could be used as part of a botnet, as bridgeheads to launch further attacks on a corporate network, and so on. Like many devices, printers are fairly capable general-purpose computers under the covers, even if they tend to have fewer resources (e.g. CPU horsepower, RAM) than desktops or servers.
HP has said that it will put out a firmware update to fix the problem, but it will be a challenge to get those patches installed on all of the affected devices. And, as pointed out in the msnbc report, any printers that are already infected—if attackers have previously discovered the hole—may well reject any further attempts to upgrade them. In addition, while the researchers found the problem in LaserJets, there is no reason to believe that other printers—or other networked devices, from HP and others—don't suffer from similar flaws. In many ways, embedded device security is in its infancy.
It is a difficult balancing act, however. If recent HP printers will only accept firmware updates that are signed using HP's keys, that solves the problem of this kind of attack, but leaves a different problem in its wake: lockdown by a manufacturer. As we have seen with TiVo, PlayStation 3, locked-down mobile phones, and other devices, manufacturers may be able to add anti-features, disable previously working features, and generally interfere with the owner's wishes when only they hold the keys to a device.
It is, in some ways, similar to the UEFI secure boot issues that have been in the news recently. In both cases, customers that want to actually own their devices are going to need a way to store their own key and have it be trusted by the device. That may be overkill for printers or other devices, so manufacturers could just require some manual, user-present action (e.g. press the OK button) to do a firmware upgrade. Doing it that way may be painful for corporate IT departments that need to upgrade hundreds of printers at once, but the alternative, ceding all upgradability only to the manufacturer, has some major downsides as well.
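The acceptance policy discussed above (install an update only when it is signed by a key the device trusts, including one the owner enrolled, or after a user-present action), sketched as an added example in Go; it is not HP's code. The `FWUPDATE` marker, the job layout, the `Printer` type and the seeded demo keys are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

const Print, Install, Reject = "print", "install", "reject" // job outcomes

var magic = []byte("FWUPDATE\n") // hypothetical update marker, not HP's format

type Printer struct {
	Trusted    []ed25519.PublicKey // vendor key plus any owner-enrolled key
	PanelArmed bool                // set by a user-present front-panel action
}

// signedJob builds magic | signature | image with a constructed key from seed.
func signedJob(seed byte, image []byte) (ed25519.PublicKey, []byte) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	sig := ed25519.Sign(priv, image)
	return priv.Public().(ed25519.PublicKey), bytes.Join([][]byte{magic, sig, image}, nil)
}

// Handle classifies an incoming job; an update is never installed implicitly.
func (p *Printer) Handle(job []byte) string {
	switch {
	case !bytes.HasPrefix(job, magic):
		return Print // ordinary print job, goes to the renderer
	case len(job) <= len(magic)+ed25519.SignatureSize:
		return Reject // truncated: no room for a signature plus an image
	}
	body := job[len(magic):]
	sig, image := body[:ed25519.SignatureSize], body[ed25519.SignatureSize:]
	for _, k := range p.Trusted {
		if ed25519.Verify(k, image, sig) {
			return Install
		}
	}
	if !p.PanelArmed {
		return Reject // no trusted signature and nobody approved at the panel
	}
	p.PanelArmed = false // a panel approval covers exactly one update
	return Install
}

func main() {
	pub, job := signedJob(1, []byte("image-v2")) // seed 1 stands in for the vendor key
	fmt.Println((&Printer{Trusted: []ed25519.PublicKey{pub}}).Handle(job))
}
```

A signed update leaves `PanelArmed` untouched, so fleet-wide signed upgrades need no one at the printer, while an image signed by an unknown key is installed only once per panel approval.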
Index entries for this article | |
---|---|
Security | Embedded systems |
Posted Dec 1, 2011 5:28 UTC (Thu)
by pabs (subscriber, #43278)
[Link] (1 responses)
Posted Dec 1, 2011 9:15 UTC (Thu)
by dgm (subscriber, #49227)
[Link]
Posted Dec 1, 2011 9:45 UTC (Thu)
by james (subscriber, #1325)
[Link] (7 responses)
I'd suggest doing it through a password-protected web interface instead -- nearly all the network-enabled printers I've seen have one of these anyway.
Posted Dec 1, 2011 10:59 UTC (Thu)
by intgr (subscriber, #39733)
[Link] (1 responses)
Posted Dec 1, 2011 17:22 UTC (Thu)
by cesarb (subscriber, #6266)
[Link]
Or the password is set but does not have much effect. On a printer we have here at work, I set the administrator password to prevent people from accidentally changing the settings. Imagine my surprise when I found out the settings had changed anyway.
It seems that, when installing the Windows driver for that printer, it has a wizard to set up the printer (configuring the fax settings and a few other things). That wizard seemed to completely ignore the administrator password I had set on the web interface.
Posted Dec 1, 2011 11:25 UTC (Thu)
by epa (subscriber, #39769)
[Link] (2 responses)
Posted Dec 2, 2011 18:50 UTC (Fri)
by giraffedata (guest, #1954)
[Link] (1 responses)
Of course, that additional hassle would reduce the likelihood the firmware would get applied, and the great majority of users, who want HP to own their printer problems, would be disserved.
Maybe a hybrid makes sense: the printer will take HP-signed updates automatically, but a difficult menu option lets you apply an unsigned update. Or change the signing key.
Posted Dec 3, 2011 0:33 UTC (Sat)
by Fowl (subscriber, #65667)
[Link]
Posted Dec 7, 2011 4:30 UTC (Wed)
by k8to (guest, #15413)
[Link]
Allow the users to load corp-specific keys onto their printers, and require a matching signature to upgrade the firmware or do other administrative tasks. Then allow upgrades to occur without "press OK to continue" when the signatures are present.
This isn't really that hard to do.
Posted Dec 8, 2011 6:07 UTC (Thu)
by jamesh (guest, #1159)
[Link]
Requiring the administrator to go out and hit a button on each of those printers would severely reduce the utility of that tool. I'd guess most administrators would prefer an update that let them continue to manage printers the way they always have.
Posted Dec 1, 2011 12:32 UTC (Thu)
by mjthayer (guest, #39183)
[Link] (5 responses)
I would say that putting the printers behind a firewall is a very sensible idea if they are going to start burning their paper.
Posted Dec 1, 2011 13:52 UTC (Thu)
by dlang (guest, #313)
[Link] (2 responses)
If you have a printer directly exposed to the Internet, then you also are allowing anyone on the Internet to print anything they want in your office, using up paper and toner, wearing out the printer. That seems like a rather significant problem in and of itself :-)
Firewalling also won't really help the identity theft example given (it may make it a smidge more complicated), because all that you need to do is to have the printer store the document and the second computer can retrieve the info later.
Posted Dec 1, 2011 14:54 UTC (Thu)
by NRArnot (subscriber, #3033)
[Link] (1 responses)
The game changes dramatically if that is NOT the worst they can do, if they can write the device firmware via the port(s) intended to be used for writing the paper. Firmware updates should access the printer through a different port, and the printer should as shipped have that port either firewalled for local subnet access only, or (much better) turned off. SOP would then be "Firmware Update Enable" -> "On" using the front panel, before running the firmware updater, which in turn should re-set the enable state to "Off" upon successfully installing the update. Paranoia should dictate re-setting to "Off" maybe 12 hours later, even if no firmware update was sent.
It's the problem of the missing hardware write-lock switch, for the umpteenth time.
Posted Dec 8, 2011 6:31 UTC (Thu)
by jamesh (guest, #1159)
[Link]
While the printers came with fancy network interface cards with support for almost every network printing protocol you can think of, these were essentially separate devices. The NIC could be used with a number of different models of printer, and the printer would function if you removed the NIC. Without the NIC, the only methods of input were the parallel port and the buttons on the control panel.
If you wanted to upgrade the print engine's firmware (as opposed to the NIC's firmware), it needed to be as a print job. You could submit this job via the parallel port or via the NIC -- it would look the same to the print engine.
I wouldn't be surprised if they could improve things these days where networking is integrated into the printers better, but there is probably a lot of legacy code in the printers.
Posted Dec 1, 2011 13:58 UTC (Thu)
by ekj (guest, #1524)
[Link] (1 responses)
Posted Dec 1, 2011 14:08 UTC (Thu)
by mjthayer (guest, #39183)
[Link]
The article said that the printers were bricked at the end of the operation anyway.
Posted Dec 1, 2011 13:36 UTC (Thu)
by clugstj (subscriber, #4020)
[Link] (1 responses)
Posted Dec 7, 2011 4:32 UTC (Wed)
by k8to (guest, #15413)
[Link]
In 'layman speak' it seemed comprehensible, anyway.
Posted Dec 5, 2011 0:10 UTC (Mon)
by jzbiciak (guest, #5246)
[Link]
My employer has a large number of aging HP printers all about, and so far as I know, all the print queues are at least visible to all. In my area, we have two LaserJet 8100s that almost date back to the Clinton Administration. So what happens if someone decides to see what Corporate Finance is up to ahead of the quarterly earnings report, and tweaks the firmware on the beancounters' printers? (Great, now that I've mentioned the idea on the Internet, if someone does it where I work, they'll blame me.)
Posted Dec 6, 2011 21:09 UTC (Tue)
by job (guest, #670)
[Link]
I mean, blaming _Linux_? Really? Windows can't open TCP sockets now?
It's so mindblowingly stupid, I just hope people see through it.
Posted Dec 7, 2011 4:28 UTC (Wed)
by k8to (guest, #15413)
[Link]
Many years ago my friend (unnamed here) wrote a proof of concept PostScript job that simply stayed resident indefinitely and did various amusing modifications to later jobs and ongoing changes to printer behavior.
The job worked unchanged across significant numbers of printer models.
No upgrade attack needed, the primary use vector was enough to compromise.
...manufacturers could just require some manual, user-present action (e.g. press the OK button) to do a firmware upgrade. Doing it that way may be painful for corporate IT departments that need to upgrade hundreds of printers at once,
but not nearly as painful as the results when malicious firmware is sent to the printer and the user who just wants a print job presses "OK" without reading the printer's display (assuming it has one), which will happen more often than not.
99% of which still have the default password set.
pressing 'OK' is not going to cut it. It would need to be an entry buried in the printer menu, 'apply downloaded firmware update'.
Unfortunately, that menu option would never be tested, and break. Almost immediately.
firewalls are not magic
Why a problem?
Why a problem?
Internal threats?