Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Even more, hackers could cause actual physical damage to the device by continuously heating up the printer’s fuse.
"The problem is, technology companies aren't really looking into this corner of the Internet. But we are," said Columbia professor Salvatore Stolfo, who directed the research in the Computer Science Department of Columbia University’s School of Engineering and Applied Science. "The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited."
The exploit made known in the report was based on HP LaserJet printers that allow firmware upgrades through a "Remote Firmware Update" process. The problem is that the printers don't check the source of the update software, and the firmware update itself doesn't even come packed with a digital signature to authenticate its source. That said, anyone can send a virus-laiden document to the printer which would instruct the printer to erase its current firmware and install a malware-laced version. Hackers can even do this on printers configured to accept print jobs via the Internet.
"It's like selling a car without selling the keys to lock it," Stolfo said. "It’s totally insecure."
Researchers have quietly worked on the firmware issue over the last few months, funded by a series of government and industry grants. Federal agencies were told about the exploit in a private briefing two weeks ago. HP said that it was just told about the problem last week, and is currently reviewing the details. So far the company disputes the firmware problem as being "widespread," claiming that, in most cases, the likelihood that the vulnerability can be exploited in the real world is low.
"Until we verify the security issue, it is difficult to comment," he said, adding that the firm cannot say yet what printer models are impacted. However the researchers claim the problem affects tens of millions of printers and other embedded systems that uses a similar firmware update method.
Mikko Hypponen, head of research at security firm F-Secure, seems floored over the lack of a signature or certificate of authenticity in HP's firmware updates. "How the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?" he complained. "Printers have been a weak spot for many corporate networks. Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact."
HP claims that the company's newer printers do in fact require digitally signed firmware upgrades, and have since 2009. The company also insists that the printers in question are older models, yet it wouldn't specify what those vulnerable printers actually are. The researchers retaliated by saying they purchased one of the printers back in September at a major New York City office supply store.
HP's Official Response