Exclusive: Millions of printers open to devastating hack attack, researchers say
It’s not only possible, but likely, say researchers at Columbia University, who claim they've discovered a new class of computer security flaws that could impact millions of businesses, consumers, and even government agencies.
Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reported by msnbc.com. They say there's no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too – and there's no way to tell if hackers have already exploited it.
The researchers, who have working quietly for months in an electronics lab under a series of government and industry grants, described the flaw in a private briefing for federal agencies two weeks ago. They told Hewlett-Packard about it last week.
HP said Monday that it is still reviewing details of the vulnerability, and is unable to confirm or deny many of the researchers’ claims, but generally disputes the researchers’ characterization of the flaw as widespread. Keith Moore, chief technologist for HP's printer division, said the firm "takes this very seriously,” but his initial research suggests the likelihood that the vulnerability can be exploited in the real world is low in most cases.
“Until we verify the security issue, it is difficult to comment,” he said, adding that the firm cannot say yet what printer models are impacted.
But the Columbia researchers say the security vulnerability is so fundamental that it may impact tens of millions of printers and other hardware that use hard-to-update “firmware” that’s flawed.
The flaw involves firmware that runs so-called "embedded systems" such as computer printers, which increasingly are packed with functions that make them operate more like full-fledged computers. They also are commonly connected to the Internet.
"The problem is, technology companies aren't really looking into this corner of the Internet. But we are," said Columbia professor Salvatore Stolfo, who directed the research in the Computer Science Department of Columbia University’s School of Engineering and Applied Science. “The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.”
Printer security flaws have long been theorized, but the Columbia researchers say they've discovered the first-ever doorway into millions of printers worldwide. In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.
In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.
Hewlett Packard, in a statement, said all its printers include such thermal switches, and these would prevent a printer fire in all cases.
"(The thermal breaker) cannot be overcome by a firmware change or this proposed vulnerability," it said.
Click here to read H-P's full statement issued in response to this story.
Cui and Stolfo say they've reverse engineered software that controls common Hewlett-Packard LaserJet printers. Those printers allow firmware upgrades through a process called "Remote Firmware Update." Every time the printer accepts a job, it checks to see if a software update is included in that job. But they say printers they examined don't discriminate the source of the update software – a typical digital signature is not used to verify the upgrade software’s authenticity – so anyone can instruct the printer to erase its operating software and install a booby-trapped version.
In all cases, the Columbia researchers claim, duping a would-be target into printing a virus-laden document is enough to take control of that person's printer; but in some cases, printers are configured to accept print jobs via the Internet, meaning the virus can be installed remotely, without any interaction by the printer's owner.
“It's like selling a car without selling the keys to lock it,” Stolfo said. “It’s totally insecure.”
Printers, however, are just the tip of the iceberg when it comes to vulnerable embedded devices, Stolfo warned. Columbia researchers have found that many gadgets now wired to connect to the Internet – including DVD players, telephone conference tools, even home appliances – have no security at all.
"Right now, very few people are thinking about the security of all these devices, so we're moving on to look at many more of them,” Stolfo said, noting that supposedly secure offices – even in sensitive government agencies – have networked teleconferencing devices, printers, even thermostats that create security risks.
“This is a whole area that is being ignored,” he continued. “While most folks are focused on applications, there is a comfort level with (embedded systems) that is nonsensical. There's no focus on the security of these devices we take for granted and we carry into secure environments every day.”
Don't miss the next Red Tape:
*Get Red Tape headlines on your Facebook Wall
*Follow Bob on Twitter.
*Get an e-mail newsletter with Red Tape stories (requires Newsvine registration).
Read the Rest of the Article, it's long but worth the read!...
- News 11-30-11
- Linux Today - The Lustre Distributed Filesystem
- Pros and cons of replacing tool batteries with Lithium Polymer - Hack a Day
- Extreme finger painting with a router - Hack a Day
- G-35 circuit board porn - Hack a Day
- FCC Allows AT&T/T-Mobile Merger Withdrawal, Publishes Damning Report | TPM Idea Lab
- Google Maps gets taken indoors - The Inquirer
- Probably the Best Free Security List in the World
- How to Control the Amount of Disk Space Used by System Protection (System Restore) in Windows Vista/7
- Concussions Might Affect Kids and Adults Differently
- HowStuffWorks "5 Surprising Tips for Saving Money at Home"
- Occupy Los Angeles and Philadelphia Camps Cleared by Police - NYTimes.com
- Will FTC force Facebook onto privacy straight and narrow? - Computerworld
- Siri: Why Apple will build, buy, or partner on a search engine | ZDNet
- Linux Today - Does Linux Mint 12 Measure Up?
- Linux Today - Oracle Sun ZFS Storage Appliance Buyer's Guide
- Cliche Finder
- ClichéSite.com - The largest collection of clichés or cliches, phrases and sayings with definitions and explanations.
- Network monitoring panel built from the IT Department junk heap - Hack a Day
- Prenotazione aule Network monitor - Google Translate
- Network monitor | zen.pn.it - Tecnologia e dintorni
- sentinella - a set on Flickr
- HP LaserJet printers vulnerable to attacks, researchers warn - Computerworld
- Red Tape - Exclusive: Millions of printers open to devastating hack attack, researchers say
- Lawmaker dissatisfied with Amazon's answers on Kindle Fire's data harvesting - Computerworld