HP Dismisses Malicious Printer Hijack Hack

Fahmida Y Rashid and Eric Doyle,
lexmark

Firmware print job redirection hack publicly demonstrated by a Columbia University team disputed by HP

While the researchers used Hewlett-Packard’s line of LaserJet printers and the Remote Firmware Update process in their demonstration, they said other vendors’ printers are similarly vulnerable. HP LaserJet printers tend to check to see if a firmware upgrade is included in the data being sent with a print job, but the researchers claimed the machines do not check for a digital signature to verify the firmware update is actually an authentic HP upgrade before installation.

“It’s like selling a car without selling the keys to lock it,” Stolfo said.

HP told MSNBC that since 2009 printers have required digitally signed firmware updates and claimed that the researchers must have used older models. The researchers denied the claim, saying they bought the printer at a major office supply store.

Keith Moore, chief technologist for HP’s printer division, told MSNBC that the likelihood of such an attack is slim.

“Regardless of whether HP is right that newer LaserJet printers are protected against the vulnerability or not, it’s clear that there may be many devices which are potentially at risk of attack,” Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.

Stolfo and Cui also noted that a hijacked printer could be used to launch attacks on other computers within the corporate network. HP’s Moore said standard print jobs could not be used to initiate a firmware upgrade. Only specially crafted files sent directly to the printer from the Internet can, he said. If that is the case, this kind of attack could be launched against printers connected to the Internet, but printers behind a corporate firewall would be safe from attack, Moore claimed.

Smoke with no fire

The researchers also demonstrated how sending continuous commands to a printer could cause it to heat up and smoke. The HP printer shut down before a fire could break out, but researchers believed other printers may not have the same kind of thermal switch to protect the machine. This gives attackers “a dangerous new tool that could allow simple computer code to wreak real-world havoc,” MSNBC reported.

A malicious individual trying to set a printer to catch fire is “downright unlikely”, but the fact that HP has a huge market share in printers means “a potentially large number may now be more vulnerable to ordinary exploitation”, Gossels said.

HP confirmed that it is impossible to make one of its printers to burst into flames: “HP LaserJet printers have a hardware element called a ‘thermal breaker’ that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability,” the official statement pointed out.

The company advised: “HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.”