http://news.xinhuanet.com/tech/2011-11/30/c_122357967.htm
研究称部分惠普激光打印机可遭黑客控制起火
2011年11月30日 15:03:39
来源: 新华网
新华微博
分享到腾讯微博
分享到QQ空间
【字号:大 中 小】【打印】
新华网旧金山11月29日电(记者李宓)美国研究人员29日在一项最新研究中称,黑客有可能通过具备联网功能的惠普激光打印机的一个漏洞在机器上安装恶意软件,盗取有关信息甚至控制打印机起火。惠普公司随后发表声明予以否认,称报道有失准确且耸人听闻。
美国著名调查报道记者鲍勃·沙利文当天在其博客中说,哥伦比亚大学研究人员发现,部分惠普激光打印机上一个名为“远程固件更新”的功能可以让黑客在机器上安装恶意软件后完全控制打印机,将打印文件传回黑客电脑、使打印机停止工作甚至让打印机上对碳粉进行加热加压的定影仪不断加热至起火。
研究人员表示,他们相信这一安全漏洞并不局限于惠普激光打印机,为此已开始着手调查其他品牌具有类似功能的产品。他们指出,防病毒软件不能查杀打印机,目前也没有什么简单的修复方法,存在安全隐患的打印机可能达数千万甚至上亿部。
惠普随后就此发表声明说,惠普激光打印机有一个“热断路器”部件,专门为防止定影仪过热或起火而设计。此外,打印机只有在与公共互联网相连且没有防火墙的情况下才存在风险,目前惠普没有收到任何黑客入侵打印机的报告。
同时,惠普承认通过苹果Mac电脑和运行Linux操作系统电脑发送的恶意打印指令可能导致打印机出现固件更新,并表示正在着手解决这一问题。该公司建议消费者要为打印机添加防火墙,未受保护的打印机最好关闭远程固件更新功能。
打印机安全不是一个新话题。在2006年的黑帽安全会议上,就有安全专家展示黑客几分钟内就可以控制一台施乐打印机,并由此获得一家机构的局域网结构及先前打印的文件等。与会专家当时就告诫说,打印机是网络安全的一个薄弱环节,应该像服务器或工作站一样对待它们。
http://www.infobarrel.com/New_Virus_Sets_Printers_on_Fire_Is_Your_Computer_Secure
New Virus Sets Printers on Fire: Is Your Computer Secure?
By adancingfool | 0 Comments | Rating: 0 | |
According to a new study by researchers at Columbia University, it is possible for hackers to exploit Internet-enabled printers in such a way that they could catch fire. In the experiments, researchers observed that a virus infecting the printer could send power to the ink drying mechanism (called the fuser) continuously. Usually the fuser is used only briefly on each part of the paper, but researchers were able to activate the device repeatedly on the same section of paper, causing it to start to smolder.
This is a worrying development in computer security. Most of us are already aware of many of the hidden dangers of Internet viruses and have gotten into habits that protect us from viruses. However this virus has the potential to not only disable a computer but cause a fire in a home or office. The printer also becomes infected independently of the computer, meaning that the virus cannot be uninstalled with regular anti-virus software. The Columbia team only was able to “clean” the virus by physically removing certain parts of the printer and replacing them with new ones. Even detecting that there is a virus would be impossible without removing components and subjecting them to tests and examination
The virus infects printers when the owner unknowingly prints a document that has been embedded with a hidden virus. It rewrites the firmware of the printer, which doesn’t have security measures. n addition to causing fires, this virus can use printers to steal information from attached computers, create “botnets,” groups of hacked computers under the control of criminal hackers. Hackers could do anything from rendering printers inoperable, to simultaneously setting fire to thousands of printers. The team discovered the flaw on Hewlett-Packard LaserJet printer, but it is believed that it could affect millions of newer printers all over the world.
This discovery demonstrates one of the problems with printers that now have more computer-like components; with increased capability comes the risk of criminals exploiting that hardware. Older printers that had fewer computational components are less at risk than newer printers, the highest risk falling on printers that can connect to the Internet without a computer. These printers could potentially be infected with this virus even without the user printing anything.
HP claims that their newer printers are now equipped with security programs to prevent this exploitation, and hopes to work towards solving the problem.
http://nakedsecurity.sophos.com/2011/11/30/flaming-retort-putting-out-the-hp-printer-fires/
FLAMING RETORT: Putting out the HP printer fires
Manila AT&T hackers tied to terrorist attack in Mumbai
LEO - the world's first business software ran 60 years ago today
FLAMING RETORT: Putting out the HP printer fires
by Paul Ducklin on November 30, 2011 | 8 Comments
Filed Under: Data loss, Featured, Malware, Vulnerability
Yesterday, Naked Security wrote about a flaming war of words that seemed to have broken out between Columbia University and HP.
As MSNBC rather breathlessly asked, "Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire?"
[Update. As made clear in the comment below by An Cui, one of the Columbia researchers, there is no war of words between the University and HP. It just seemed that way.]
-
Smoke and fire certainly make good hacking headlines.
Charlie Miller got advance publicity by the wheelbarrowful for his 2011 Black Hat talk - he showed how the embedded microcontroller in Macbook batteries works - by sneaking the words overcharging or fire into his abstract.
And recent claims that a hacker broke into a US water treatment plant and burned out a pump by repeatedly turning it on and off made headlines worldwide.
So where does that leave your HP printer? Is it ready to combust at a remote hacker's whim?
The truth is: almost certainly not.
With health and safety regulations being what they are in most developed countries - especially HP's home turf, the USA - it would be surprising indeed if your printer could be tricked through software alone into malfunctioning in this way.
The facts are much more mundane that the headlines.
Macbook batteries have a physical safety fuse; the burned-out pump immediately raised an alarm (and may simply have been a burned out pump after all); HP printers have a thermal cutout which cannot be overridden in software.
As HP stated in a no-punches-pulled press release earlier today:
HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or [the researchers' claimed] vulnerability.
That's that for the fire, then. But is there anything more we can learn from this heated narrative?
Yes.
Firstly, security researchers should be more circumspect about how they position their research in the media, and what conclusions they allow hacks to reach when their work is publicised.
I'm sure The Columbia University Intrustion [sic] Detection Systems Lab (that's the spelling they use in the title of their web page) are delighted at the coverage they've had. But they might have better served the public if they'd objected to the author rather glibly adding a rider to his report saying, "the researchers believe other printers might be used as fire starters."
[Update: the 'Intrustion' typo is now fixed!]
Secondly, technology writers should be more circumspect about the conclusions they invite the public to reach.
If the researchers genuinely are of the opinion - a word, incidentally, better suited to scientific reports than belief - that other printers on the market could become fireballs, then they will have supporting evidence, and the writer ought to have seen it, surveyed it, and mentioned it.
Thirdly, companies caught in security cross-fire - as HP was in this case, since the story actually makes it clear that HP's overheating safeguard performed correctly in the demonstration - ought to aim for greater clarity in their media releases.
HP responded quickly, which is commendable, but the company's PR statement is vague and dismissive about the underlying vulnerability - which is much more of a story than the unlikelihood of printers going up in flames.
Apparently, older HP printers allow unsigned firmware upgrades to be embedded into print jobs and accepted over the network. This does represent a risk, and it isn't a good idea to allow firmware updates to be deployed so easily. But HP's release only talks about "the potential security vulnerability," without any suggestion of what sort of vulnerability is meant.
In many ways, HP has made things worse with its strongly-worded release.
Security observers with an overall interest in this issue must now be asking themselves, "Is there something else in there that we don't know about?" That leaves them well short of being able to reach a final conclusion.
I've said it before, when RSA was breached earlier this year, so I may as well say it again.
Three words for security commentary. Promptness. Clarity. Openness.
Follow @duckblog
Tags: columbia, firmware, flaming, flaming retort, hack, Hewlett Packard, HP, ids, LaserJet, macbook, miller, msnbc, printer, scada
http://www.dailytech.com/Exploit+Co...Printers+on+Fire+FBI+Briefed/article23388.htm
Hardware Exploit Could Literally Allow Hackers to Set HP Printers on Fire, FBI Briefed
Jason Mick (Blog) - November 29, 2011 11:56 AM
Print
25 comment(s) - last by Samus.. on Nov 30 at 4:10 PM
(Source: NBC Universal)
"How the hell doesn't HP have a...certificate indicating ... real firmware from HP?" -- Mikko Hyponen, F-Secure
And you thought flaming Chevy Volts and exploding iPods were bad. Imagine if malicious individuals worldwide could send commands to your printer, forcing it to steal your personal information and then self-destruct in taking out your home/office in a fiery blaze. That's exactly what might be possible with a newly discovered set of security exploits.
I. Columbia University Discovers Fire -- Hacked Printer Fire, to be Exact
The U.S. Federal Bureau of Investigations is on guard after receiving a debriefing from Columbia University that printers from Hewlett Packard, Comp. (HPQ) -- the world's top printer manufacturer -- and possibly other printer makers' designs are vulnerable to a newly discovered class of security flaws which can be exploited for anything from malicious mischief to participating in serious system intrusions.
Describes principal investigator Columbia University professor Salvatore Stolfo in an interview with MSNBC, "The problem is, technology companies aren't really looking into this corner of the Internet. But we are. The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited."
The exploit is possible, says Professor Stolfo, due to the fact that embedded printer software is developing such diverse functionality, but still remain poorly secured. HP and possibly other companies use an unsigned "Remote Firmware Update" process that updates the software on the printer. The problem? The update can come from anyone -- the printer has no security mechanism built into it.
States Professor Stolfo, "It's like selling a car without selling the keys to lock it. It’s totally insecure."
While others have theorized that printers could be the perfect point of entry for an attacker, Professor Stolfo believes he and his Ph.D student Ang Cui are the first to demonstrate a successful implementation of such an exploit.
Professor Salvatore Stolfo
Columbia University Professor Salvatore Stolfo (pictured: top left; right)
[Images Source: Columbia University/Salvatore Stolfo]
The malicious mischief/terrorism threat is high, according to Professor Stolfo. In a demo he sent unauthorized remote commands to a printer, which caused it to heat up its fuser element, the hardware element used to apply heat to the toner. The paper turned brown and began to smoke before the built-in temperature sensor shut off the printer to prevent a fire.
But other designs lack the temperature safeguard and could face full-blown fires -- a remote self-destruct sequence -- if attackers figured out a similar exploit.
Similar battery exploits have been revealed in the past.
II. "How the Hell Doesn't HP Have a Signature...?"
The attack can occur remotely, if the printer is set up for "cloud printing" as HP is particularly fond of. Researchers scanned the internet and in minutes found 40,000 printers they could have potentially set the "catch fire" command & control package to.
But the true number of vulnerable machines could be much, much higher. Comments Professor Stolfo, "I think it is very wise to broadcast the problem as soon as possible so all of the printer manufacturers start looking at their security architectures more seriously. It is conceivable that all printers are vulnerable. …Printers that are 3-, 4-, 5-years-old and older, I'd think, all used unsigned software. The question is, 'How many of those printers are out there?' It could be much more than 100 million."
Or in the case of good old-fashioned local printers, an on-site attack using a virus laden document print-job can offer equivalent access. Once the printer has received orders, its firmware is updated deleting the standard operating system and installing a malicious variant.
Mikko Hypponen, head of research at Finnish security firm F-Secure, was astounded by the flaw. He comments, "First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP? Printers have been a weak spot for many corporate networks. Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact."
The attack could also allow hackers to forward printed documents, gaining access to credit cards, social security numbers, and other personal details.
III. HP Says Threat is Overstated
HP isn't happy about the study or the publicity it is generating. It insists that it adopted digital signing on all its new line since 2009. But the researchers were able to find unsigned printers still being sold at office retailers in September 2011. Further, given HP's top market share, there's like countless vulnerable legacy laser jets in the wild today.
HP claims the researchers are wrong about infected print jobs being able to update the printer firmware, that only special types of files can do that. The Columbia University team claimed they've demonstrated it.
HP has since backed off that claim, admitting that Macs and Linux machines can send print jobs that install firmware updates, potentially, but that it believes Windows machines to be safe.
HP Printer Update
HP says Mac and Linux users may be at risk, but says it believes Windows users may be safe.
HP's Keith Moore, chief technologist with the printer division, says his company is concerned about the security flaw. He reasserts that he believes Windows machines may be safe and that all machines made post 2009 used digital signing.
But he adds, "Until we know things like whether Windows users are affected, whether this is a class or specific product issue, it is frankly irresponsible to say more. If this turns out to be the broad (problem) that's being discussed…we will reach out to customers and get it fixed. We support our customers and value their trust."
IV. No Easy Fix, Other Electronics at Risk as Well
Professor Stolfo and security researchers agree -- there's no easy fix for the problem. Antivirus firms like F-Secure could step in by offering tools to scan print jobs for malicious firmware updates. However, such scans are hardly a fail-safe solution.
True protection will likely require a mass update to firmware with digital signing in legacy machines. Patching all non-internet connected printers sounds like a daunting task. Firmware updates are delivered in a loosely coordinated fashion, so patching the affected machines will require a concerted effort from HP and other top players like Microsoft Corp. (MSFT).
Ang Cui, Columbia
Ang Cui, a Columbia University Ph.D Candidate, also helped with the work.
[Image Source: MSNBC]
Professor Stolfo and Ang Cui warn [PDF] that printers exploits are just the start of attacks to come. He warns that a whole host of digital electronics, including DVD players, telephone conference tools, even home appliances have virtually no security, but are becoming increasingly internet connected. He said similar attacks (e.g. mechanical attacks like starting fires or breaking parts or physical attacks like using the machine to attack its local network) are likely to occur.
Source: MSNBC
研究称部分惠普激光打印机可遭黑客控制起火
2011年11月30日 15:03:39
来源: 新华网
新华微博
分享到腾讯微博
分享到QQ空间
【字号:大 中 小】【打印】
新华网旧金山11月29日电(记者李宓)美国研究人员29日在一项最新研究中称,黑客有可能通过具备联网功能的惠普激光打印机的一个漏洞在机器上安装恶意软件,盗取有关信息甚至控制打印机起火。惠普公司随后发表声明予以否认,称报道有失准确且耸人听闻。
美国著名调查报道记者鲍勃·沙利文当天在其博客中说,哥伦比亚大学研究人员发现,部分惠普激光打印机上一个名为“远程固件更新”的功能可以让黑客在机器上安装恶意软件后完全控制打印机,将打印文件传回黑客电脑、使打印机停止工作甚至让打印机上对碳粉进行加热加压的定影仪不断加热至起火。
研究人员表示,他们相信这一安全漏洞并不局限于惠普激光打印机,为此已开始着手调查其他品牌具有类似功能的产品。他们指出,防病毒软件不能查杀打印机,目前也没有什么简单的修复方法,存在安全隐患的打印机可能达数千万甚至上亿部。
惠普随后就此发表声明说,惠普激光打印机有一个“热断路器”部件,专门为防止定影仪过热或起火而设计。此外,打印机只有在与公共互联网相连且没有防火墙的情况下才存在风险,目前惠普没有收到任何黑客入侵打印机的报告。
同时,惠普承认通过苹果Mac电脑和运行Linux操作系统电脑发送的恶意打印指令可能导致打印机出现固件更新,并表示正在着手解决这一问题。该公司建议消费者要为打印机添加防火墙,未受保护的打印机最好关闭远程固件更新功能。
打印机安全不是一个新话题。在2006年的黑帽安全会议上,就有安全专家展示黑客几分钟内就可以控制一台施乐打印机,并由此获得一家机构的局域网结构及先前打印的文件等。与会专家当时就告诫说,打印机是网络安全的一个薄弱环节,应该像服务器或工作站一样对待它们。
http://www.infobarrel.com/New_Virus_Sets_Printers_on_Fire_Is_Your_Computer_Secure
New Virus Sets Printers on Fire: Is Your Computer Secure?
By adancingfool | 0 Comments | Rating: 0 | |
According to a new study by researchers at Columbia University, it is possible for hackers to exploit Internet-enabled printers in such a way that they could catch fire. In the experiments, researchers observed that a virus infecting the printer could send power to the ink drying mechanism (called the fuser) continuously. Usually the fuser is used only briefly on each part of the paper, but researchers were able to activate the device repeatedly on the same section of paper, causing it to start to smolder.
This is a worrying development in computer security. Most of us are already aware of many of the hidden dangers of Internet viruses and have gotten into habits that protect us from viruses. However this virus has the potential to not only disable a computer but cause a fire in a home or office. The printer also becomes infected independently of the computer, meaning that the virus cannot be uninstalled with regular anti-virus software. The Columbia team only was able to “clean” the virus by physically removing certain parts of the printer and replacing them with new ones. Even detecting that there is a virus would be impossible without removing components and subjecting them to tests and examination
The virus infects printers when the owner unknowingly prints a document that has been embedded with a hidden virus. It rewrites the firmware of the printer, which doesn’t have security measures. n addition to causing fires, this virus can use printers to steal information from attached computers, create “botnets,” groups of hacked computers under the control of criminal hackers. Hackers could do anything from rendering printers inoperable, to simultaneously setting fire to thousands of printers. The team discovered the flaw on Hewlett-Packard LaserJet printer, but it is believed that it could affect millions of newer printers all over the world.
This discovery demonstrates one of the problems with printers that now have more computer-like components; with increased capability comes the risk of criminals exploiting that hardware. Older printers that had fewer computational components are less at risk than newer printers, the highest risk falling on printers that can connect to the Internet without a computer. These printers could potentially be infected with this virus even without the user printing anything.
HP claims that their newer printers are now equipped with security programs to prevent this exploitation, and hopes to work towards solving the problem.
http://nakedsecurity.sophos.com/2011/11/30/flaming-retort-putting-out-the-hp-printer-fires/
FLAMING RETORT: Putting out the HP printer fires
Manila AT&T hackers tied to terrorist attack in Mumbai
LEO - the world's first business software ran 60 years ago today
FLAMING RETORT: Putting out the HP printer fires
by Paul Ducklin on November 30, 2011 | 8 Comments
Filed Under: Data loss, Featured, Malware, Vulnerability
Yesterday, Naked Security wrote about a flaming war of words that seemed to have broken out between Columbia University and HP.
As MSNBC rather breathlessly asked, "Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire?"
[Update. As made clear in the comment below by An Cui, one of the Columbia researchers, there is no war of words between the University and HP. It just seemed that way.]
-
Smoke and fire certainly make good hacking headlines.
Charlie Miller got advance publicity by the wheelbarrowful for his 2011 Black Hat talk - he showed how the embedded microcontroller in Macbook batteries works - by sneaking the words overcharging or fire into his abstract.
And recent claims that a hacker broke into a US water treatment plant and burned out a pump by repeatedly turning it on and off made headlines worldwide.
So where does that leave your HP printer? Is it ready to combust at a remote hacker's whim?
The truth is: almost certainly not.
With health and safety regulations being what they are in most developed countries - especially HP's home turf, the USA - it would be surprising indeed if your printer could be tricked through software alone into malfunctioning in this way.
The facts are much more mundane that the headlines.
Macbook batteries have a physical safety fuse; the burned-out pump immediately raised an alarm (and may simply have been a burned out pump after all); HP printers have a thermal cutout which cannot be overridden in software.
As HP stated in a no-punches-pulled press release earlier today:
HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or [the researchers' claimed] vulnerability.
That's that for the fire, then. But is there anything more we can learn from this heated narrative?
Yes.
Firstly, security researchers should be more circumspect about how they position their research in the media, and what conclusions they allow hacks to reach when their work is publicised.
I'm sure The Columbia University Intrustion [sic] Detection Systems Lab (that's the spelling they use in the title of their web page) are delighted at the coverage they've had. But they might have better served the public if they'd objected to the author rather glibly adding a rider to his report saying, "the researchers believe other printers might be used as fire starters."
[Update: the 'Intrustion' typo is now fixed!]
Secondly, technology writers should be more circumspect about the conclusions they invite the public to reach.
If the researchers genuinely are of the opinion - a word, incidentally, better suited to scientific reports than belief - that other printers on the market could become fireballs, then they will have supporting evidence, and the writer ought to have seen it, surveyed it, and mentioned it.
Thirdly, companies caught in security cross-fire - as HP was in this case, since the story actually makes it clear that HP's overheating safeguard performed correctly in the demonstration - ought to aim for greater clarity in their media releases.
HP responded quickly, which is commendable, but the company's PR statement is vague and dismissive about the underlying vulnerability - which is much more of a story than the unlikelihood of printers going up in flames.
Apparently, older HP printers allow unsigned firmware upgrades to be embedded into print jobs and accepted over the network. This does represent a risk, and it isn't a good idea to allow firmware updates to be deployed so easily. But HP's release only talks about "the potential security vulnerability," without any suggestion of what sort of vulnerability is meant.
In many ways, HP has made things worse with its strongly-worded release.
Security observers with an overall interest in this issue must now be asking themselves, "Is there something else in there that we don't know about?" That leaves them well short of being able to reach a final conclusion.
I've said it before, when RSA was breached earlier this year, so I may as well say it again.
Three words for security commentary. Promptness. Clarity. Openness.
Follow @duckblog
Tags: columbia, firmware, flaming, flaming retort, hack, Hewlett Packard, HP, ids, LaserJet, macbook, miller, msnbc, printer, scada
http://www.dailytech.com/Exploit+Co...Printers+on+Fire+FBI+Briefed/article23388.htm
Hardware Exploit Could Literally Allow Hackers to Set HP Printers on Fire, FBI Briefed
Jason Mick (Blog) - November 29, 2011 11:56 AM
25 comment(s) - last by Samus.. on Nov 30 at 4:10 PM
(Source: NBC Universal)
"How the hell doesn't HP have a...certificate indicating ... real firmware from HP?" -- Mikko Hyponen, F-Secure
And you thought flaming Chevy Volts and exploding iPods were bad. Imagine if malicious individuals worldwide could send commands to your printer, forcing it to steal your personal information and then self-destruct in taking out your home/office in a fiery blaze. That's exactly what might be possible with a newly discovered set of security exploits.
I. Columbia University Discovers Fire -- Hacked Printer Fire, to be Exact
The U.S. Federal Bureau of Investigations is on guard after receiving a debriefing from Columbia University that printers from Hewlett Packard, Comp. (HPQ) -- the world's top printer manufacturer -- and possibly other printer makers' designs are vulnerable to a newly discovered class of security flaws which can be exploited for anything from malicious mischief to participating in serious system intrusions.
Describes principal investigator Columbia University professor Salvatore Stolfo in an interview with MSNBC, "The problem is, technology companies aren't really looking into this corner of the Internet. But we are. The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited."
The exploit is possible, says Professor Stolfo, due to the fact that embedded printer software is developing such diverse functionality, but still remain poorly secured. HP and possibly other companies use an unsigned "Remote Firmware Update" process that updates the software on the printer. The problem? The update can come from anyone -- the printer has no security mechanism built into it.
States Professor Stolfo, "It's like selling a car without selling the keys to lock it. It’s totally insecure."
While others have theorized that printers could be the perfect point of entry for an attacker, Professor Stolfo believes he and his Ph.D student Ang Cui are the first to demonstrate a successful implementation of such an exploit.
Professor Salvatore Stolfo
Columbia University Professor Salvatore Stolfo (pictured: top left; right)
[Images Source: Columbia University/Salvatore Stolfo]
The malicious mischief/terrorism threat is high, according to Professor Stolfo. In a demo he sent unauthorized remote commands to a printer, which caused it to heat up its fuser element, the hardware element used to apply heat to the toner. The paper turned brown and began to smoke before the built-in temperature sensor shut off the printer to prevent a fire.
But other designs lack the temperature safeguard and could face full-blown fires -- a remote self-destruct sequence -- if attackers figured out a similar exploit.
Similar battery exploits have been revealed in the past.
II. "How the Hell Doesn't HP Have a Signature...?"
The attack can occur remotely, if the printer is set up for "cloud printing" as HP is particularly fond of. Researchers scanned the internet and in minutes found 40,000 printers they could have potentially set the "catch fire" command & control package to.
But the true number of vulnerable machines could be much, much higher. Comments Professor Stolfo, "I think it is very wise to broadcast the problem as soon as possible so all of the printer manufacturers start looking at their security architectures more seriously. It is conceivable that all printers are vulnerable. …Printers that are 3-, 4-, 5-years-old and older, I'd think, all used unsigned software. The question is, 'How many of those printers are out there?' It could be much more than 100 million."
Or in the case of good old-fashioned local printers, an on-site attack using a virus laden document print-job can offer equivalent access. Once the printer has received orders, its firmware is updated deleting the standard operating system and installing a malicious variant.
Mikko Hypponen, head of research at Finnish security firm F-Secure, was astounded by the flaw. He comments, "First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP? Printers have been a weak spot for many corporate networks. Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact."
The attack could also allow hackers to forward printed documents, gaining access to credit cards, social security numbers, and other personal details.
III. HP Says Threat is Overstated
HP isn't happy about the study or the publicity it is generating. It insists that it adopted digital signing on all its new line since 2009. But the researchers were able to find unsigned printers still being sold at office retailers in September 2011. Further, given HP's top market share, there's like countless vulnerable legacy laser jets in the wild today.
HP claims the researchers are wrong about infected print jobs being able to update the printer firmware, that only special types of files can do that. The Columbia University team claimed they've demonstrated it.
HP has since backed off that claim, admitting that Macs and Linux machines can send print jobs that install firmware updates, potentially, but that it believes Windows machines to be safe.
HP Printer Update
HP says Mac and Linux users may be at risk, but says it believes Windows users may be safe.
HP's Keith Moore, chief technologist with the printer division, says his company is concerned about the security flaw. He reasserts that he believes Windows machines may be safe and that all machines made post 2009 used digital signing.
But he adds, "Until we know things like whether Windows users are affected, whether this is a class or specific product issue, it is frankly irresponsible to say more. If this turns out to be the broad (problem) that's being discussed…we will reach out to customers and get it fixed. We support our customers and value their trust."
IV. No Easy Fix, Other Electronics at Risk as Well
Professor Stolfo and security researchers agree -- there's no easy fix for the problem. Antivirus firms like F-Secure could step in by offering tools to scan print jobs for malicious firmware updates. However, such scans are hardly a fail-safe solution.
True protection will likely require a mass update to firmware with digital signing in legacy machines. Patching all non-internet connected printers sounds like a daunting task. Firmware updates are delivered in a loosely coordinated fashion, so patching the affected machines will require a concerted effort from HP and other top players like Microsoft Corp. (MSFT).
Ang Cui, Columbia
Ang Cui, a Columbia University Ph.D Candidate, also helped with the work.
[Image Source: MSNBC]
Professor Stolfo and Ang Cui warn [PDF] that printers exploits are just the start of attacks to come. He warns that a whole host of digital electronics, including DVD players, telephone conference tools, even home appliances have virtually no security, but are becoming increasingly internet connected. He said similar attacks (e.g. mechanical attacks like starting fires or breaking parts or physical attacks like using the machine to attack its local network) are likely to occur.
Source: MSNBC
:p
