Printer vulnerabilities via firmware update
Regular readers of this page will not find it surprising to hear about attacks against hardware, typically through the firmware installed on them. The recent report about a vulnerability in HP laser printers falls into that category, but there are some twists. The researchers at Columbia University certainly picked an attention-getting example when they were able to alter the printer firmware and nearly set the paper being printed on fire, but HP's reaction to the flaw, at least so far, is eye-opening as well.
The flaw is a simple one, evidently. Print jobs sent to the printers are
scanned to see if they contain a firmware update, if so, the update is
installed. Crucially, the update is not checked for any kind of digital
signature, nor is user input requested before performing the update. In
the msnbc report, HP's
Keith Moore, chief technologist for the printer division, said that
printers since 2009 have required signed updates, but the Columbia
researchers "say they purchased one of the printers they hacked in
September at a major New York City office supply
store
". Regardless, there are certainly millions of pre-2009 HP
laser printers in service that are presumably vulnerable.
The researchers were able to rewrite the firmware so that it "would
continuously heat up the printer's fuser — which is designed to dry
the ink
once it's applied to paper — eventually causing the paper to turn brown
and smoke
". Before the paper could catch fire, though, a "thermal
breaker" shut down the printer—seemingly permanently. In a press
release, HP said that the breaker is designed to thwart just that kind
of problem. The company also said that the breaker "cannot be
overcome by a firmware change or this proposed
vulnerability
". That's certainly a nice safety feature, but disabled
printers definitely make for a painful denial-of-service attack.
There are several other interesting parts of the rather defensively worded press release. According to HP, no customers have reported suffering from these firmware-rewrite attacks, but it's unclear how those customers would know. Obviously, if their printers were emitting brown, smoking paper, there would be little question, but the researchers demonstrated other kinds of attacks that would be more difficult to detect:
As might be guessed, HP tries to minimize the extent of the problem, but it's not yet clear that the company completely understands the ramifications. From the press release:
Given the attack vector, submitted print jobs, it's a bit hard to believe that only Linux or Mac systems can trigger the problem. While that may be the case, it seems much more likely that there are ways to coerce Windows into submitting jobs with firmware upgrades as well. How else would customers running Windows do a firmware update? Even if Windows is somehow prevented from sending a corrupted print job, it's pretty uncommon today to find a corporate network with no Mac or Linux machines on them.
It's also rather disingenuous to suggest that printers behind firewalls (on networks with no malicious users) are somehow immune. Again, that could be the case, but it is far more likely that malware of various sorts could cause jobs to be sent to printers. A firewall doesn't necessarily prevent web or email-based attacks, for example, and anti-virus software is unlikely to be looking for malware exploiting printer vulnerabilities.
It doesn't take much imagination to come up with other attacks beyond those demonstrated. Printers could be used as part of a botnet, as bridgeheads to launch further attacks on a corporate network, and so on. Like many devices, printers are fairly capable general-purpose computers under the covers, even if they tend to have fewer resources (e.g. CPU horsepower, RAM) than desktops or servers.
HP has said that it will put out a firmware update to fix the problem, but it will be a challenge to get those patches installed on all of the affected devices. And, as pointed out in the msnbc report, any printers that are already infected—if attackers have previously discovered the hole—may well reject any further attempts to upgrade them. In addition, while the researchers found the problem in LaserJets, there is no reason to believe that other printers—or other networked devices, from HP and others—don't suffer from similar flaws. In many ways, embedded device security is in its infancy.
It is a difficult balancing act, however. If recent HP printers will only accept firmware updates that are signed using HP's keys, that solves the problem of this kind of attack, but leaves a different problem in its wake: lockdown by a manufacturer. As we have seen with TiVo, PlayStation 3, locked-down mobile phones, and other devices, manufacturers may be able to add anti-features, disable previously working features, and generally interfere with the owner's wishes when only they hold the keys to a device.
It is, in some ways, similar to the UEFI secure boot issues that have been in the news recently. In both cases, customers that want to actually own their devices are going to need a way to store their own key and have it be trusted by the device. That may be overkill for printers or other devices, so manufacturers could just require some manual, user-present action (e.g. press the OK button) to do a firmware upgrade. Doing it that way may be painful for corporate IT departments that need to upgrade hundreds of printers at once, but the alternative, ceding all upgradability only to the manufacturer, has some major downsides as well.
| Index entries for this article | |
|---|---|
| Security | Embedded systems |