
Why a problem?

Posted Dec 1, 2011 14:54 UTC (Thu) by NRArnot (subscriber, #3033)
In reply to: firewalls are not magic by dlang
Parent article: Printer vulnerabilities via firmware update

Why is it automatically a problem to have your printer directly exposed to the internet? There's a sort of printer called a fax machine that has long been intended to be globally exposed to the telephone network. Before that there was the Telex machine. The worst that someone can do is to consume the printer's currently loaded supply of paper and ink, which is annoying but not catastrophic. Further, deliberately doing so is almost certainly criminal damage and may not be very hard to trace back to the perpetrator. If he knows how to cover his tracks he's hardly likely to be interested in merely wasting paper and ink.

The game changes dramatically if that is NOT the worst they can do, if they can write the device firmware via the port(s) intended to be used for writing the paper. Firmware updates should access the printer through a different port, and the printer should as shipped have that port either firewalled for local subnet access only, or (much better) turned off. SOP would then be "Firmware Update Enable" -> "On" using the front panel, before running the firmware updater, which in turn should re-set the enable state to "Off" upon successfully installing the update. Paranoia should dictate re-setting to "Off" maybe 12 hours later, even if no firmware update was sent.

It's the problem of the missing hardware write-lock switch, for the umpteenth time.
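The gating described in the comment above (data-only print port, a separate firmware port that is only live while a front-panel enable is on, enable cleared on a successful update and expired by a 12-hour timer), modelled as a small simulation. This is an added illustration, not code from the comment or from any printer vendor; the `FWUPD` marker, the class and its method names are all constructed for the example.

```python
import time

FIRMWARE_MAGIC = b"FWUPD"   # constructed marker for a firmware image; not a real printer format
ENABLE_WINDOW = 12 * 3600   # auto-reset the enable after 12 hours, as the comment suggests


class GatedPrinter:
    """Print port never writes firmware; firmware port only accepts an image
    while the front-panel 'Firmware Update Enable' is On and has not expired."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.enable_until = None      # None means the enable is Off
        self.firmware_version = 1
        self.pages_printed = 0
        self.log = []

    def front_panel_enable(self):
        # Only reachable from the front panel, never from a network job.
        self.enable_until = self.clock() + ENABLE_WINDOW

    def update_enabled(self) -> bool:
        if self.enable_until is None:
            return False
        if self.clock() >= self.enable_until:   # paranoia timer: expire silently
            self.enable_until = None
            return False
        return True

    def print_port(self, job: bytes) -> str:
        # The print path is data-only: a firmware-shaped job is just ink on paper.
        self.pages_printed += 1
        if job.startswith(FIRMWARE_MAGIC):
            self.log.append("firmware-shaped data on print port")
        return "printed"

    def firmware_port(self, image: bytes) -> str:
        if not self.update_enabled():
            self.log.append("firmware rejected: enable is Off")
            return "rejected"
        if not image.startswith(FIRMWARE_MAGIC):
            return "bad-image"        # enable stays On so the operator can retry
        self.firmware_version += 1
        self.enable_until = None      # update succeeded: reset enable to Off
        return "updated"
```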



Why a problem?

Posted Dec 8, 2011 6:31 UTC (Thu) by jamesh (guest, #1159)

I haven't had to manage printers in a while, but with some of the older HP printers, the only way to send data to the print engine was via print jobs.

While the printers came with fancy network interface cards with support for almost every network printing protocol you can think of, these were essentially separate devices. The NIC could be used with a number of different models of printer, and the printer would function if you removed the NIC. Without the NIC, the only methods of input were the parallel port and the buttons on the control panel.

If you wanted to upgrade the print engine's firmware (as opposed to the NIC's firmware), it needed to be as a print job. You could submit this job via the parallel port or via the NIC -- it would look the same to the print engine.

I wouldn't be surprised if they could improve things these days where networking is integrated into the printers better, but there is probably a lot of legacy code in the printers.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds