
Printers vulnerable to remote hacking, researchers claim


Millions of printers worldwide are vulnerable to hack attacks that range from identity theft to taking control of entire networks, researchers at Columbia University claimed.
 
The researchers said they had discovered a new class of computer security flaws for these printers that could impact millions of businesses, consumers, and even government agencies.
 
No easy fix exists for the flaw identified in some Hewlett-Packard LaserJet printer lines – and likely on other firms’ printers as well – and there’s no way to tell if hackers have already exploited it, according to a report on MSNBC.com.
 
“The problem is, technology companies aren’t really looking into this corner of the Internet. But we are,” said Columbia professor Salvatore Stolfo, who directed the research in the Computer Science Department of Columbia University’s School of Engineering and Applied Science.
 
“The research on this is crystal clear.  The impact of this is very large. These devices are completely open and available to be exploited,” he added.
 
The researchers, who have been working quietly for months in an electronics lab under a series of government and industry grants, said they told HP about their findings.
 
They also described the flaw in a private briefing for federal agencies two weeks ago, the MSNBC report said.
 
HP said it is still reviewing details of the vulnerability, and is unable to confirm or deny many of the researchers’ claims, but disputes the researchers’ claim the flaw is widespread.
 
Keith Moore, chief technologist for HP’s printer division, said the firm “takes this very seriously,” but his initial research suggests the likelihood that the vulnerability can be exploited in the real world is low in most cases, MSNBC said.
 
“Until we verify the security issue, it is difficult to comment,” he said, adding that the firm cannot say yet what printer models are impacted.
 
Hijacking printers via firmware
 
The flaw involves firmware that runs “embedded systems” such as computer printers, which increasingly are packed with functions that make them operate more like full-fledged computers.
 
Making the potential problem worse is that they are commonly connected to the Internet.
 
While printer security flaws have been theorized, the Columbia researchers say they have discovered the first-ever doorway into millions of printers worldwide.
 
In a demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser, which is designed to dry the ink once it’s applied to paper.
 
This eventually caused the paper to turn brown and smoke.
 
In that demonstration, a thermal switch shut the printer down – in effect causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters.
 
Cui and Stolfo also said they had reverse-engineered software that controls common HP LaserJet printers through a “Remote Firmware Update.”
 
They said printers they examined do not discriminate the source of the update software – a typical digital signature is not used to verify the upgrade software’s authenticity.
 
Thus, anyone can instruct the printer to erase its operating software and install a booby-trapped version.
 
They also noted that some printers are configured to accept print jobs via the Internet, meaning the virus can be installed remotely without any interaction by the printer’s owner.
 
“It’s like selling a car without selling the keys to lock it,” Stolfo said. “It’s totally insecure.”
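
The missing check, as an added example (not code from the article, HP, or the Columbia researchers): an update gate that flashes whatever it receives, beside one that verifies a vendor signature first. The key, function names and sample images are constructed for illustration, and the unpadded RSA is a simplification of what a real signing scheme does.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes. Constructed for this demo
# only: real signing keys are randomly generated and used through a vetted
# library with a padded scheme (e.g. RSA-PSS) or Ed25519.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, baked into the device
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, stays with the vendor


def digest_int(image: bytes) -> int:
    """SHA-256 of the firmware image as an integer."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def vendor_sign(image: bytes) -> int:
    """Vendor side: sign the image digest with the private exponent."""
    return pow(digest_int(image), D, N)


def accept_unauthenticated(image: bytes, signature=None) -> bool:
    """Update gate as the article describes it: the source is never checked."""
    return len(image) > 0


def accept_signed(image: bytes, signature=None) -> bool:
    """Hardened gate: flash only if the signature verifies under (N, E)."""
    if not isinstance(signature, int) or not 0 < signature < N:
        return False
    return pow(signature, E, N) == digest_int(image)


def run_demo() -> dict:
    genuine = b"FW v2 (constructed sample image)"
    rogue = b"FW v2 (constructed sample image, modified)"
    sig = vendor_sign(genuine)
    cases = {
        "genuine+sig": (genuine, sig),
        "rogue+reused_sig": (rogue, sig),   # valid signature, wrong image
        "rogue+no_sig": (rogue, None),
    }
    return {name: (accept_unauthenticated(*args), accept_signed(*args))
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, (old, new) in run_demo().items():
        print(f"{name:18} unauthenticated={old} signed={new}")
```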
 
Columbia researcher Ang Cui infected an HP printer with malicious code by rewriting the printer’s firmware, which takes only about 30 seconds.
 
Only pulling the computer chips out of the printer and testing them would reveal an attack, Cui said.
 
No modern antivirus software has the ability to scan, let alone fix, the software which runs on embedded chips in a printer.
 
“First of all, how the hell doesn’t HP have a signature or certificate indicating that new firmware is real firmware from HP?” said Mikko Hypponen, head of research at security firm F-Secure, when told of the flaw. “Printers have been a weak spot for many corporate networks. Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact.”
 
But HP’s Moore said the firm’s newer printers do require digitally signed firmware upgrades, and have since 2009. The printers tested by the researchers are older models, he added.
 
In contrast, the Columbia researchers say they purchased one of the printers they hacked in September at a major New York City office supply store.
 
Moore also said the impact of any potential vulnerability is limited because most home users have InkJet printers – not LaserJet printers – and they do not permit remote firmware upgrade.
 
MSNBC said HP dominates the printer market and claims it has sold 100 million LaserJet printers since 1984, meaning millions of computers could be vulnerable.
 
Citing IDC figures, it said HP is by far the dominant printer seller worldwide with 42 percent of the market, selling about 50 million printers of all kinds annually.
 
Proof of concept
 
In an exclusive demonstration for msnbc.com at Columbia University’s Intrusion Detection Systems Laboratory, Cui and Stolfo revealed the kind of havoc an attacker could wreak once they gained control of a printer.
 
After sending a virus-laced print job to a target printer, the device’s small screen read, in sequence, “Erasing...Programming...Code Update Complete.”
 
In one demonstration, Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker’s machine.
 
The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.
 
But the researchers say the possibilities created by hijacked printers go far beyond pranks or identity theft.
 
Printers on a company network are nearly always trusted by other computers. A hijacked printer could act as a beachhead to attack a company’s network that was otherwise protected by a firewall.
 
Few companies are prepared to protect themselves from an attack by their own printer, they said.
 
But Moore disagreed with this assertion, saying standard print jobs could not be used to initiate a firmware upgrade; only specially-crafted files sent directly to the printer can do that.
 
Were that true, the vulnerability could only be exploited on printers left exposed to the Internet; printers behind a firewall would be safe.
 
“This (vulnerability) is probably not as broad as what I had heard in their first announcement,” Moore said. “It sounds like we disagree on what the exposure might be.”
 
On the other hand, the Columbia researchers say standard print commands sent both from a Macintosh computer and a PC running Linux tricked an HP printer into reprogramming itself.
 
Moore later conceded that might be true; but the two sides disagreed on whether users in a Microsoft Windows environment were safe from the attack.
 
Home users at risk
 
Even home users with printers that are not directly connected to the Internet are at risk, Cui said.  As long as the printer is connected to a computer – through a USB cable, for example – it could be used to launch attacks, or as part of a botnet.
 
A quick scan by the researchers of unprotected printers left open to Internet attack found 40,000 devices that they said could be infected within minutes.
 
Cui discovered the lack of authentication by physically disassembling the printer, and painstakingly reading output from its chipset, one character at a time. The chips run off-the-shelf operating systems like VxWorks and Linx, a scaled-down version of the Linux operating system designed for embedded devices.
 
Reprogramming the chip was relatively easy, he said – and now that the concept has been proven, he thinks others could reproduce his work in a day or two.
 
“In fact, it’s almost impossible to think that someone else hasn’t already done this,” he said.
 
Stolfo added fixing the flaw will not be easy, as there is no natural path to update printer operating system software, as there is for desktop PC software.
 
It’s possible a consortium of firms could “push out a fix,” once one is available, he said.
 
He urged HP to work with companies like Microsoft to help consumers update their printers.
 
But one vexing part of the fix is that printers that are already compromised by rogue software likely cannot be fixed. An attacker could easily shut down the pathway for future updates that would “cure” an infected printer.
 
“If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective.  Once you own the firmware, you own it forever. That’s why this problem is so serious, and so different,” Cui said. “This is nothing like fixing a virus on your PC.”
 
Such inability to help consumers manually secure their printers could ultimately have disastrous consequences, Stolfo said.
 
“It may ultimately lead to telling everyone they just have to throw their printers out and start over,” he said. “Fixing this is going to require a very coordinated effort by the industry,” Stolfo said.
 
Software detection tools
 
Hypponen said the anti-virus industry could develop software tools that would detect booby-trapped print jobs in word processing documents or emails, and thwart attempts to update printers with rogue software that way.
 
But such an approach would hardly be foolproof.
 
“I think it is very wise to broadcast the problem as soon as possible so all of the printer manufacturers start looking at their security architectures more seriously,” Stolfo said.  “It is conceivable that all printers are vulnerable. …Printers that are 3-, 4-, 5-years-old and older, I’d think, all used unsigned software. The question is, ‘How many of those printers are out there?’ It could be much more than 100 million.”
 
Tip of the iceberg
 
Stolfo warned printers are just the tip of the iceberg when it comes to vulnerable embedded devices.
 
Columbia researchers have found that many gadgets now wired to connect to the Internet – including DVD players, telephone conference tools, even home appliances – have no security at all.
 
“Right now, very few people are thinking about the security of all these devices, so we’re moving on to look at many more of them,” Stolfo said, noting that supposedly secure offices – even in sensitive government agencies – have networked teleconferencing devices, printers, even thermostats that create security risks.
 
“This is a whole area that is being ignored. While most folks are focused on applications, there is a comfort level with (embedded systems) that is nonsensical. There’s no focus on the security of these devices we take for granted and we carry into secure environments every day,” he added. — TJD, GMA News