Researchers: HP LaserJet printers can be remotely exploited

Could someone remotely hack into your printer, steal your personal information, and then set the device on fire? Yes, according to researchers who went public with a pretty startling proof of concept this morning.

As MSNBC reports, the Columbia University team, led by Professor Salvatore Stolfo, found HP’s LaserJet printers can be remotely compromised through their automatic firmware update mechanism. If I understand correctly, the printers are designed to check each print job to see if it includes a firmware update. All hackers have to do is hijack that mechanism by sending a print job with a custom firmware. That can be done either locally or over the Internet, if the printer is configured to accept remote print jobs. The consequences can be dire:

In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.
In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.

Attacks can be more insidious, too. MSNBC says the researchers programmed one printer to intercept incoming tax forms and send them to another machine. That machine was able to extract Social Security numbers and post them to Twitter.

Now, HP Chief Technologist Keith Moore says LaserJet printers released after 2009 require firmware updates to be digitally signed, so only older models may be vulnerable. An HP spokesperson also told Ars Technica that, even when compromised, LaserJet printers can’t catch on fire. A "thermal breaker" inside the devices prevents fires and "cannot be overcome by a firmware change or this proposed vulnerability," the spokesperson claims.

Still, the pool of vulnerable printers could be considerable. HP has reportedly sold 100 million LaserJet printers since 1984; untold numbers of them may still be in use today, and many could be open to remote attack over the Internet. The researchers claim an online scan yielded a whopping 40,000 vulnerable devices. Worst of all, they say hacked firmware would be "virtually impossible to detect" unless one took out chips and tested them manually, since no antivirus software currently has the right countermeasures.
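For older models that cannot check a signature, one mitigation is to screen jobs at a print server in front of the printer and refuse any job carrying a firmware update unless it comes from an administrator's host. The sketch below is an added example, not code from the researchers or HP; it assumes the update is introduced by a PJL `UPGRADE` directive inside the job, and the admin address and sample jobs are constructed.

```python
import re

UEL = b"\x1b%-12345X"  # PJL "Universal Exit Language" marker that opens and closes a job
# Assumption (not stated in the article): the update is announced by this PJL directive.
FIRMWARE_DIRECTIVES = {"UPGRADE"}
ADMIN_HOSTS = {"10.0.5.10"}  # constructed: the only host allowed to push firmware


def pjl_directives(job: bytes) -> list[str]:
    """Return every PJL command name in the job, upper-cased.

    The whole job is scanned, not only the leading header, because a job can
    drop back into PJL after its page data by sending another UEL.
    """
    names = re.findall(rb"@PJL[ \t]+([A-Za-z]+)", job, flags=re.IGNORECASE)
    return [n.decode("ascii").upper() for n in names]


def screen_job(job: bytes, source_ip: str) -> tuple[str, str]:
    """Decide whether a spooled job may be forwarded to the printer."""
    found = [d for d in pjl_directives(job) if d in FIRMWARE_DIRECTIVES]
    if not found:
        return ("forward", "ordinary print job")
    if source_ip in ADMIN_HOSTS:
        return ("forward", "firmware update from admin host")
    return ("reject", f"firmware directive {found[0]} from {source_ip}")


# Constructed sample jobs (placeholder bytes, not real page data or firmware).
PRINT_JOB = (UEL + b'@PJL JOB NAME="report"\r\n@PJL ENTER LANGUAGE=PCL\r\n'
             + b"\x1bE page data \x1bE" + UEL)
UPDATE_JOB = (UEL + b"@PJL COMMENT constructed sample\r\n@PJL UPGRADE SIZE=16\r\n"
              + b"\x00" * 16 + UEL)
# An update appended after an ordinary-looking document.
HIDDEN_JOB = PRINT_JOB + b"@pjl upgrade size=16\r\n" + b"\x00" * 16 + UEL

if __name__ == "__main__":
    for name, job, ip in [("print", PRINT_JOB, "203.0.113.7"),
                          ("update", UPDATE_JOB, "203.0.113.7"),
                          ("hidden", HIDDEN_JOB, "203.0.113.7"),
                          ("admin update", UPDATE_JOB, "10.0.5.10")]:
        print(name, screen_job(job, ip))
```

A filter like this only helps if the printer accepts jobs from the print server alone; a printer that is still directly reachable bypasses it.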

Good thing this is only a proof of concept… for now.

Comments closed
    • albundy
    • 8 years ago

    wait, people still print taxes or anything for that matter? has nobody heard of e-file? there’s some serious credibility issues with that legacy hardware |33t hacker, lol

      • Scrotos
      • 8 years ago

      At least in the financial industry, people are copying and printing and faxing paper all the time. You submit info for a loan or mortgage? Chances are it’s been printed out and handed out to a committee to go over in a meeting and follow up on. I wouldn’t be surprised if that’s commonplace in the medical profession as well.

      I agree with you 100%. Go paperless! But then again, a moron sending a PDF scan of his tax returns via unsecured email is creating just as large if not larger security issue for himself.

      Screwed if ya do, screwed if ya don’t!

        • khands
        • 8 years ago

        Yup, happens a lot in the insurance industry too actually, in part thanks to HIPAA.

    • TravelMug
    • 8 years ago

    PC LOAD LETTER

    • MadManOriginal
    • 8 years ago

    PC BURN PPR

    • UberGerbil
    • 8 years ago

    “In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – eventually causing the paper to turn brown and smoke.”

    Boy, this brings back memories. My department in college had a lab with seven Xerox Altos (technically, Dandelions -- one of the models from PARC that demonstrated the GUI prior to the Mac and Windows). They were networked together with a Xerox laser printer (again, something that pre-dated the Laserjets and Laserwriters). This was no desktop printer: it was about the size of a washing machine, and it ran on code that mostly executed on one of the workstations (Xerox had taken the "network is the computer" and run with it to the point that you actually weren't sure which workstation was going to host the printer for any given print job; it was supposedly whichever machine was least busy, but if they were all in use one user would suddenly discover his machine had slowed to a crawl because another user at a different machine had decided to print something out -- because almost any other task looked "less busy" than rendering a document for printing). The workstations, meanwhile, were 16bit CPUs that booted from microcode loaded off 8" floppies; in addition to the "normal" microcode you could also turn it into a hardware LISP machine. Which is still such a cool idea I wish I still had one to play with.

    Anyway, one day somebody ran something that the printer didn't like, and it jammed up and started smoking. We powered it down and pulled it apart in a panic to find several pieces of paper just like this. But the first one turned brown part way down, and the print in the transition zone was burned right through the paper like a stencil -- which looked so cool we taped it up on the wall above the printer (which survived to print many more pages.)

      • Scrotos
      • 8 years ago

      http://en.wikipedia.org/wiki/Lp0_on_fire

      You're like a living, breathing wikipedia, old man! 😀

        • dpaus
        • 8 years ago

        That error code was still present in the last version of QNX that I used (probably circa 1999)

    • TurtlePerson2
    • 8 years ago

    Tomorrow an antivirus company is going to announce a $20/year printer antivirus.

      • crabjokeman
      • 8 years ago

      ..which you can get from your ISP for “no charge” (except the inevitable raised monthly fee).

    • Krogoth
    • 8 years ago

    slowpoke.jpg

    Printers have been crackable for the longest time. I believe there are a fair amount of IT professionals who can attest to this through countless printer pranks.

    The only difference is that demonstration is showing how it can easily be turned into real-world damages.

      • derFunkenstein
      • 8 years ago

      Let’s soak this one in, shall we?

      “Printers have crackable”

      Also, most "printer pranks" are performed locally.

        • sluggo
        • 8 years ago

        I can haz crackable?

        • Krogoth
        • 8 years ago

        Not so much anymore.

        The advent of affordable networkable printers makes it preferable to do the pranking on a remote system.

        The news blurb is just being to light on how most networkable printers are lacking built-in network security measures.

      • Scrotos
      • 8 years ago

      He’s right, ya know.

      http://web.nvd.nist.gov/view/vuln/search-results?query=HP+printer&search_type=all&cves=on (link from Ars discussion)
      http://www.irongeek.com/i.php?page=security/networkprinterhacking

      I'm in charge of the printer fleet where I work (no one else wants to do it) so I've had to update firmware and disable protocols and in some cases use the printer's built-in firewalls to restrict access even further.

      The real-world damages is a stretch, though. HP's response seems reasonable--you just don't get fire hazards onto market that easily. But the security issues are known and this is just a publicity play, in my mind.

      It's not like updating firmware on all the printers is that easy, either. The newer ones, yes, but there are many older ones out there too. Here's the pain of updating a laserjet 4:

      http://www.vangeyn.net/j255x/
      http://h30499.www3.hp.com/t5/Print-Servers/J2552A-firmware-upgrade-problem-A-03-06-to-A-05-05/m-p/2698837/highlight/true#M1962

      I'm actually going to attempt this somewhat soon. Should be... "fun".

        • Scrotos
        • 8 years ago

        And, various vendors offer guides to help lock down their printers.

        “HP Imaging and Printing Security Best Practices – Configuring Security for Multiple LaserJet MFPs and Color LaserJet MFPs” manual, available here:
        http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01707469/c01707469.pdf?jumpid=reg_R1002_USEN

        "Network Security White Paper for Digital Multifunction and Printing Devices"
        http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf

        etc. Not that it's all that easy to find this stuff. Gotta dig a bit, unfortunately.

    • jordank
    • 8 years ago

    We had a few publicly facing printers in our department until today. They were older printers that had been set up in the late 90’s before we changed our security policies on them. So I got to run all over resetting printers and updating our print servers to deal with this. We are now safer as of 10 minutes ago.

    • FuturePastNow
    • 8 years ago

    Relevant: http://imgur.com/wGneV

      • Scrotos
      • 8 years ago

      You can do that with Hijetter:

      http://www.phenoelit-us.org/hp/index.html
      http://www.irongeek.com/i.php?page=security/networkprinterhacking

    • Farting Bob
    • 8 years ago

    You would have thought that printers would have stopped being absolute **** since they’ve been around decades, but alas no.

    Seriously, why the hell does the printer check to see if there is a firmware update packaged with every print job sent? Surely there is a more logical way of doing it. Such as how every other piece of hardware can check for updates in a secure way. I just cannot work out how it was decided the most logical way of updating was by sending it along at the same time as a print job, then not checking to see if said update is from a genuine source or not and just installing merrily.

    • indeego
    • 8 years ago

    Gotta love this when there are still tens of thousands of publicly facing printers on the Internet, ready for exploit.

      • derFunkenstein
      • 8 years ago

      I find it weird that there are ANY printers publicly available on the internet.

        • indeego
        • 8 years ago

        Many schools have historically had an “open Internet” philosophy and did not firewall many devices on their networks.

          • derFunkenstein
          • 8 years ago

          Yeah, that’s probably true. I’ve worked with lots of small schools where their “tech” is a math or science teacher who does whatever IT tasks they can during their prep periods or after school.

    • GasBandit
    • 8 years ago

    “the printer’s fuser – which is designed to dry the ink once it’s applied to paper ”

    Dry? DRY?!

    ELECTROSTATIC PRINTING DOES NOT WORK THAT WAY! GOODNIGHT!

      • dpaus
      • 8 years ago

      C’mon, it’s Microsoft-NBC – how much technical sophistication can you expect?

      I wonder if this vulnerability – which I’ll bet HP has known about for months – has anything to do with their plans to put WebOS on every printer they make?

        • jpostel
        • 8 years ago

        My exact thoughts about WebOS. Easy to address security issues like this in the future, when WebOS printers have an in-built auto-update feature.

          • Kollaps
          • 8 years ago

          It’s the existing printers built in auto update that makes this hack possible.
