Can HP Printers Be Remote-Detonated?


Date: Thursday December 1, 2011 07:31:25 am

  • Anonymous
    Inactive

    Can HP Printers Be Remote-Detonated?

    HP has refuted reports that its Web-connected printers can be hacked by outsiders, stating that no customers have so far ever reported unauthorized access. Its statement is a reaction to findings of researchers at Columbia who’ve warned that hackers can control Web-connected HP printers to the point of being able to make them catch fire. Researchers at Columbia University have demonstrated that a remote firmware update command in some HP LaserJet printers can be hijacked, according to a report from MSNBC. In one case, a hacked printer was reportedly given commands that might cause it to get hot enough to scorch paper loaded in it.

    The researchers rewrote a test printer’s firmware and said that this would be impossible to detect without removing and examining the device’s embedded chips. Soon after, HP released a statement describing the reporting as "sensational and inaccurate."

    No customers have reported unauthorized access so far, HP stated.
    "This showcases a problem with embedded systems — that they can be hacked, and need to be better secured," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.

    What the Researchers Say
    Essentially, the printers demonstrate the vulnerability of embedded systems such as printers and photocopiers, which can be exploited because nobody’s really paying attention to embedded devices, according to Columbia professor Salvatore Stolfo, who directed the research.

    Stolfo did not respond to our request for comment for this story.
    Stolfo and fellow researcher Ang Cui have reportedly reverse-engineered software that controls common HP LaserJet printers so that it will accept software updates from unapproved sources that might send along malware.

    Antivirus software apparently cannot scan or fix software running on embedded chips in a printer. The researchers also ran a demo where documents printed on an infected printer were automatically sent to an unauthorized computer that would then scan the document for critical information, such as Social Security numbers, and automatically Tweet what it found.

    They reportedly found 40,000 unprotected printers open to online attacks in a quick scan. The researchers believe the problem isn’t limited to printers from HP alone.

    HP Comes Out Swinging
    HP said that some HP LaserJets are vulnerable if they’re placed on the public Internet without a firewall. On a private network, some printers may be vulnerable if a trusted party on the network tries to modify their firmware.

    Also, in some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade, HP said.

    HP is building a firmware upgrade to mitigate this issue and will inform customers and partners who might be affected by the vulnerability about this.

    The company also directed users to its secure printing website, which has information about how to keep printers secure.

    HP spokesperson Ethan Bauley declined to provide further details.
    What’s the Truth?

    Stolfo and Cui have collaborated since at least 2009 on studying the security threat posed by embedded systems. Some of their published papers are listed here.

    They’re not alone in their belief.
    "Devices commonly come with embedded Web server functionality fully enabled, and yet they either have no password, or simply use a default password across all devices," Michael Sutton, vice president of security research at Zscaler ThreatLabZ, told TechNewsWorld in a previous interview.

    A Zscaler study came across photocopiers from which documents could be retrieved, scanners that could be operated remotely and telephone systems that permitted eavesdropping, Sutton said, adding that these pose "serious confidentiality issues" for any enterprise.

    A Storm In a Teacup?
    However, securing embedded devices in the enterprise is relatively easy, Enderle said.
    "HP sells printer management software that reports back when a printer’s updated, and in an enterprise, an attack like [the one demonstrated by the Columbia researchers] would typically be picked up," Enderle explained.

    Small businesses, law offices or remote government offices, where such printer management software is typically not installed, are at risk, Enderle pointed out.

    http://www.dailymail.co.uk/sciencetech/article-2068001/HP-Our-printers-set-remotely.html#ixzz1fC9SJjoe
    Dousing duties: HP issued a vigorous denial that any of its printers can be remotely hacked and set alight

    It said: ‘There has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers.

    No customer has reported unauthorised access. Speculation regarding potential for devices to catch fire due to a firmware change is false.’

    The statement was issued after the Columbia University team, led by Professor Salvatore Stolfo, bought a pre-2009 laser printer and fed it a malicious firmware update that wreaked havoc.

    It turns out that HP printers made before 2009 don’t verify the source of firmware updates, which is something that ill-intentioned hackers can exploit.

    Stolfo and his team fed instructions into a printer that caused the ink-drying fuser to heat up and brown the paper.

    Although a thermal switch kicked in and turned off the printer, it didn’t stop scare stories circulating the internet that HP’s printers could be set alight.

    HP’s statement emphasises that this thermal switch cannot be disabled.

    It says: ‘HP LaserJet printers have a hardware element called a “thermal breaker” that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.’

    However, while HP’s printer didn’t burn, Stolfo told MSNBC that it can’t be ruled out that machines made by other manufacturers won’t.

    He also drew attention to the fact that the firmware update flaw is still a big worry.

    HP has sold over 100million printers since 1984 so a huge number could be vulnerable.
    Revelation: Columbia researcher Ang Cui explains how he was able to infect an HP printer with malicious code

    Stolfo told MSNBC: ‘The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.’

    It’s something that McAfee security expert Raj Samani didn’t raise his eyebrows about, however.

    He told MailOnline: ‘To be honest, I’m not surprised there are vulnerabilities in embedded devices. This issue has been known for a number of years.

    ‘Any connected device, like a smartphone or PC, has the potential to have a vulnerability. Even cars. Nowadays the average car has 10million lines of code and there are stats out there that estimate a certain number of vulnerabilities for every 1,000 lines.

    ‘By 2020, it’s estimated that there will be 50billion connected devices in the world.’

    The answer to keeping these devices secure, says Samani, isn’t a firewall, as these don’t always stop attacks.

    He said: ‘Our approach is to use whitelists. This is where we tell machines what commands are acceptable, with anything outside that being stopped, rather than blacklists, which only stop known threats.

    ‘The problem is that there are so many new threats. We get about 60,000 new malware samples per day.

    ‘So for a lot of devices a better approach would be to turn the security paradigm on its head.

    ‘Any organisation needs to stop looking at it in terms of traditional computers and desktops, but embedded devices that are connected to a network.’

    HP, meanwhile, played down the potential threat.

    It said: ‘While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorised access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall.

    ‘In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

    ‘HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted.’
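
Added example, not part of the post or the articles it quotes: a print-server filter that contrasts the whitelist and blacklist approaches Samani describes, applied to HP's point that a specially formatted print job may trigger a firmware upgrade. It assumes the job-control language is PJL (the articles do not name it); `FWUPDATE` and `FLASHWRITE` are hypothetical command names and the sample jobs are constructed.

```python
import re

# Universal Exit Language escape that brackets the PJL header of a print job.
UEL = b"\x1b%-12345X"

# Allowlist: the only job-control commands an ordinary print job needs here.
ALLOWED = {"JOB", "SET", "COMMENT", "ENTER", "EOJ"}
# Denylist for comparison: blocks only the one update command already known.
# FWUPDATE and FLASHWRITE are hypothetical names, not real printer commands.
DENIED = {"FWUPDATE"}

_PJL_LINE = re.compile(rb"^@PJL[ \t]+([A-Za-z_]+)", re.MULTILINE)


def pjl_commands(job: bytes) -> list[str]:
    """Return the upper-cased verb of every @PJL line found in the job."""
    text = job.replace(UEL, b"\n")  # a command may directly follow a UEL
    return [m.group(1).decode("ascii").upper() for m in _PJL_LINE.finditer(text)]


def allowlist_verdict(job: bytes) -> tuple[bool, list[str]]:
    """Accept only if every command is explicitly allowed (fails closed)."""
    refused = [c for c in pjl_commands(job) if c not in ALLOWED]
    return (not refused, refused)


def denylist_verdict(job: bytes) -> tuple[bool, list[str]]:
    """Accept unless a command is on the list of known-bad ones."""
    refused = [c for c in pjl_commands(job) if c in DENIED]
    return (not refused, refused)


# Constructed sample jobs (not captured traffic).
NORMAL_JOB = (UEL + b'@PJL JOB NAME="report"\r\n@PJL SET COPIES=1\r\n'
              b"@PJL ENTER LANGUAGE=PCL\r\n<page data>" + UEL + b"@PJL EOJ\r\n" + UEL)
KNOWN_UPDATE = UEL + b"@PJL FWUPDATE BYTES=1024\r\n" + b"\x00" * 16 + UEL
VARIANT_UPDATE = (UEL + b"@PJL COMMENT weekly report\r\n"
                  b"@PJL FlashWrite BYTES=1024\r\n" + b"\x00" * 16 + UEL)

if __name__ == "__main__":
    for name, job in [("normal", NORMAL_JOB), ("known update", KNOWN_UPDATE),
                      ("variant update", VARIANT_UPDATE)]:
        print(name, "allowlist:", allowlist_verdict(job),
              "denylist:", denylist_verdict(job))
```

The variant job passes the denylist because its command was never listed, while the allowlist refuses it without needing to know it in advance.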
