HP slams 'sensational' reports about LaserJet printer hack vulnerability

Nov 30, 2011 by Nancy Owano report

(PhysOrg.com) -- Columbia University researchers have demonstrated how hackers can use printers not only to infect computer systems and steal information but to set printers on fire. Their claims were made this week in a demo at Columbia University’s Intrusion Detection Systems Laboratory for msnbc. They report a security flaw in Hewlett-Packard (HP) printers open for exploit. While their experiments were only on HP printers, they said that they are just starting to sample other manufacturers’ printers too.

As some observers explain the situation, we are in a computer equipment stage of embedded systems in printers, packed with Internet-connecting functions that make them operate more like computers.

Rewriting the printer's firmware takes only about 30 seconds, according to researcher Ang Cui, and a virus would be virtually impossible to detect once installed. Only pulling the computer chips out of the to test them would confirm an attack, Cui said.

Every time a vulnerable printer accepts a print job, it scans that job to see if it includes a firmware update. Older printers do not discriminate the source of the update; hackers can in turn intercept requests and plant their own updates. As one blogger described the potential mischief, the printer can be told to erase its software and can install a “booby trapped” version.

The Columbia team sent standard print commands from a Mac and a PC running Linux and succeeded in tricking an printer into reprogramming itself.

The researchers have been working on the printer security project under grants from government and industry, according to reports, and they described the flaw in a private briefing for federal agencies. They also reported their findings to Hewlett-Packard.

Columbia professor Salvatore Stolfo, who directed the research in the Computer Science Department of Columbia University’s School of Engineering and Applied Science, said that these devices are completely open and available to be exploited. He and his team have been forceful in describing this as a serious matter for attention, involving a vulnerability that could impact millions of printers and other hardware.

In contrast, HP initially took a cautious view in response. Keith Moore, chief technologist for HP's printer division, had said HP takes the Columbia findings seriously but initial research suggested vulnerability was low. He pointed out that the models tested were older models, and he would generally disagree that the threat is widespread. He said the company was reviewing the issue. But in a hard-hitting statement issued Tuesday, HP said, “Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.

Explore further: After Fukushima, Japan gets green boom—and glut

More information: msnbcmedia.msn.com/i/msnbc/sec… _printersecurity.pdf

Related Stories

HP Launches New Enterprise Printers

Apr 12, 2007

The company adds to its printing portfolio with two new ink-based color multifunction printers, updated management tools and a universal print driver.

Federal agency backs HP inkjet patent complaint

Jun 11, 2011

Hewlett-Packard said Friday that a US federal agency has backed its claim that rival MicroJet Technology Co. was infringing on patents for lucrative inkjet printer cartridges.

HP Expands with New Deskjet Printer Line

Apr 19, 2007

Hewlett-Packard will be adding on to its printing portfolio with three new deskjet printers designed for home and small and midsize business users.

HP's webOS moves out of tablet foxhole into appliance mode

Aug 18, 2011

(PhysOrg.com) -- HP is set to spread the wings of its operating system for its smartphones and TouchPad tablet, webOS, and plant it into a wider technology space of an OS for cars and household appliances. HP’s webOS ...

Recommended for you

Drivebot aims to touch driver bases for safety, savings

16 hours ago

Five Thailand-based engineers have developed a dongle device that serves as a fitness tracker for cars and have turned to Indiegogo to raise funds for bringing it forward. The attraction is that it is a simple ...

HP announces Sprout—a truly innovative workstation

18 hours ago

Hewlett-Packard Co has announced the development of a new kind of computer workstation—one that combines the power of a desktop computer with 3D scanning and projection—and adds a second display surface ...

Q&A: 'Interstellar' filmmaker Nolan on his robots

18 hours ago

In his secrecy-shrouded sci-fi extravaganza "Interstellar," filmmaker Christopher Nolan isn't just taking audiences to outer space. He's also sending a couple of robots along for the ride—and they're just ...

User comments : 32

Adjust slider to filter visible comments by rank

Display comments: newest first

Vendicar_Decarian
0.8 / 5 (41) Nov 30, 2011
Of course they did. They don't want the news that their products can be easily hacked to become known. It might lower their share price further.

The fact is, the firmware on many of their printers can be replaced by modified firmware that can retain copies of printed documents, transmit those documents over networks, or be used to generate denial of service attacks, or used as a route for conducting surveillance of businesses or further hacking.

They are incompetently designed printers developed by an incompetently run company.

Bob_Kob
not rated yet Nov 30, 2011
Just imagine that. Send a trojan fax to a government printer or whatnot and get into the whole network.

Who knows how many of these situations occur in higher lever espionage that we do not know of.
Vendicar_Decarian
0.9 / 5 (42) Nov 30, 2011
The idea that a print job may contain embedded code for altering the firmware of the printer is not just an example of stupidity. It is an example of criminal stupidity.

It represents complete incompetence, or worse, a complete disregard for security.

How about a nice message *** SECURITY WARNING *** you are about to update the firmware on this printer. Open up the security compartment and press the big red button if you wish this to be done.

But HP doesn't want the additional cost of having such a button. It might add 2 cents to the manufacturing cost of their printer.

So they chose to implement zero security to save a few pennies.

This is criminal behavior that is only seen in the incompetent, or bean counter logic, or businessman logic.

No matter the alternative.. they are all filth.
Eikka
5 / 5 (5) Nov 30, 2011
Just imagine that. Send a trojan fax to a government printer or whatnot and get into the whole network.

It represents complete incompetence, or worse, a complete disregard for security.


Thing is, to make any use of the flaw you kinda sorta have to be in the network already, and crack the passwords so you could send a print job to the printer already.

If your network is so ill-administered that just anybody can send a compromized print job to your printers, your stuff is already as good as compromized anyways. Who needs the printers?

If somebody plants a video camera in your shower, the first thing to think about is not the competence of the person who built your shower, but the competence of the person who installed the lock on your front door.
Eikka
not rated yet Nov 30, 2011
Especially on this point:
Send a trojan fax to a government printer


You know why serious business fax solutions are handled virtually by a computer instead of a fax machine? First reason is to save work, and the second reason is to stop stupid tricks like sending a blank sheet of paper taped end to end in a loop to unroll the receiver's paper out of the machine.

You need someone on the inside to craft a malicious print job and send it to the printers, because the program that recieves the fax ignores everything else except the Huffman coded image data that is the document itself.
antialias_physorg
5 / 5 (2) Nov 30, 2011
a blank sheet of paper taped end to end in a loop to unroll the receiver's paper out of the machine.

Preferrably a black sheet of paper. Might as well empty the toner cratridge while you're at it.
Isaacsname
5 / 5 (3) Nov 30, 2011
Makes me wonder about future vulnerabilities in homes with internet-connected devices. Toasters, microwaves, furnaces, your children's toys, etc, not just printers and fax machines.

Serious implications for the future, imnsho.
Royale
not rated yet Nov 30, 2011
Agreed Issacsname. I've been wondering about that since they started talking about everything being connected. I guess your best bet is a great firewall and well protected wireless. If you're using WEP you might just as well take away the password completely...
antialias_physorg
not rated yet Nov 30, 2011
Toasters, microwaves, furnaces, your children's toys, etc, not just printers and fax machines.


While your children's toys, toaster and microwave might conceivably be connected to a LAN or WAN inside the house there's no real need to have such a network even be connected to the internet at large (or are you planning to issue commands to your microwave from your vacation spot on Hawaii?).

If on a WAN then some basic encryption should make those relatively safe from all but the most determined outside hackers. At that point: If someone caughs up the cash to seriously break through your WPA2 encryption then they're much cheaper off simply physically breaking in and connecting directly.
Isaacsname
5 / 5 (1) Nov 30, 2011
Lol, you could have spam advertisements print on peoples documents out of nowhere. I can see it now....printer spam.....every sheet of paper with an ad for ED medicines or " love muscle " stretchers at the bottom, for example.

True AP, that neighborhoods of linked and connected homes are still likely a ways off in the future, but you have to admit it's bothersome that these vulnerabilities aren't discovered until the devices are in our homes.

A nefarious grocer, for ex, could have all local refrigerator temps raised to 45f, in turn making people's food spoil just a little quicker, in turn boosting sales, all done by remote with some lines of code, completely under the radar unless you have a digital readout on your icebox that you check on a regular basis.

Just thinking out loud here, there's definitely the possibility of monkey-wrenching if somebody is hell-bent on it.
Eikka
5 / 5 (1) Nov 30, 2011
a blank sheet of paper taped end to end in a loop to unroll the receiver's paper out of the machine.

Preferrably a black sheet of paper. Might as well empty the toner cratridge while you're at it.


Thermal printers don't have toner. It's in the paper, and the paper is wasted anyways because it's so difficult to put back on the roll neatly enough that it would fit in the machine again.
gwrede
5 / 5 (1) Nov 30, 2011
Damn, the future is full of opportunities, after all!!
CHollman82
1.8 / 5 (10) Nov 30, 2011
They are incompetently designed printers developed by an incompetently run company.


You're being too harsh, it is very difficult to perceive every possible threat when designing a software system. Hindsight is 20/20 and all that...
Royale
not rated yet Nov 30, 2011
Eikka, they were talking about a fax machine. Not a receipt printer. How many fax machines have you seen that use thermal paper? All the ones I've seen use toner or ink.
Prbsolver
1 / 5 (1) Nov 30, 2011
A foolproof system does not take in account the ingenuity of a fool.... Therefore a fool proof system does not exist...
Prbsolver
not rated yet Nov 30, 2011
Just imagine that. Send a trojan fax to a government printer or whatnot and get into the whole network.

Who knows how many of these situations occur in higher lever espionage that we do not know of.


Does anyone remember the "Ferby"... Its amazing how ppl think this is a "New Threat"
Nerdyguy
1 / 5 (1) Nov 30, 2011
Makes me wonder about future vulnerabilities in homes with internet-connected devices. Toasters, microwaves, furnaces, your children's toys, etc, not just printers and fax machines.

Serious implications for the future, imnsho.


No need to wonder too much. Sooner or later, not only will those mostly-already-connected devices be commonplace, but your implants will have the same cheap technology that's in your PC.

The history of technology has basically been one big rush to market, followed by patch after patch to fix things that just weren't "sexy cool" enough to worry about by the marketing department.

There should be no doubt that people who wish others ill will find a way to hack implants. And the home based stuff is child's play.

We're already witnessing industrial-level equipment control being seized, so your toaster is something your kid will likely figure out.
Nerdyguy
1.8 / 5 (9) Nov 30, 2011
This is criminal behavior that is only seen in the incompetent, or bean counter logic, or businessman logic.

No matter the alternative.. they are all filth.


Hmmm...shall we pause for dramatic effect?

Spreading your nastiness won't help matters. Could you offer some suggestions as to how the engineers working with this almost two-decades old technology might have predicted this and might make it better in the future?
Vendicar_Decarian
0.9 / 5 (42) Nov 30, 2011
Internet connected printers are hardly 2 decades old. And how could it be predicted? You must be kidding.

Anything that is connected to a network is subject to hacking.

Allowing the firmware to be updated via the network without a physical interlock is just begging to be hacked.

If it isn't obvious to you then you are even dumber than I thought possible.

It is an example of corporate criminal stupidity. Any engineer who designed such a thing for my company would be fired immediately for gross incompetence.
rwinners
not rated yet Nov 30, 2011
Have to admit that if these printers don't have a "auto update OFF" option in their control programming, it is a big hole. Still, I'd have to get inside the network to send the print job in the first place. That means hacking the router firewall, for starters. Then hacking network security, etc. Not something for the uninitiated.
gregor2
3.2 / 5 (11) Dec 01, 2011
Anything that is connected to a network is subject to hacking.

Allowing the firmware to be updated via the network without a physical interlock is just begging to be hacked.


this just goes to show you how flawed capitalism is when such an incompetent programmer as chollman82 can claim to make $100k a year...! daddy must have come connections.....
rwinners
5 / 5 (1) Dec 01, 2011
Flawed capitalism? How'd we get here?
At any rate, I agree with chollman. Other than in a tightly controlled environment, it is not only difficult, but impossible to perceive much less predict the ultimate outcome of any action, over time.
MarkyMark
1.6 / 5 (7) Dec 01, 2011
I agree with Chollman82 noone can predict everything, they can try and predict every concevable idea but thats based on what the programmer knows about how current tech can be manipulated and how future tech can interact with devices that dont exist yet.
Vendicar_Decarian
0.8 / 5 (41) Dec 01, 2011
"You're being too harsh, it is very difficult to perceive every possible threat when designing a software system" - CHollman82

You would be an incompetent programmer.
abhishekbt
not rated yet Dec 02, 2011
@ Vendicar_Decarian:
Denial of service attacks from a printer?
Now this I gotta see.
Nerdyguy
1.4 / 5 (9) Dec 02, 2011
Internet connected printers are hardly 2 decades old. And how could it be predicted? You must be kidding.

...

If it isn't obvious to you then you are even dumber than I thought possible.

It is an example of corporate criminal stupidity. Any engineer who designed such a thing for my company would be fired immediately for gross incompetence.


You're just plain wrong. The only thing new here was a a quick attach of a radio frequency interface to the same technology that they've been using for 20 years. Sure, it's been updated. Sure, some companies have done a better job than others.

But, if you believe that manufacturers of every product either are, or should be, spending billions to study every product that could someday have the potential for criminals to use it illegally, then YOU are even stupider than I thought possible.
Nerdyguy
1.4 / 5 (9) Dec 02, 2011
By the twisted logic of some here, the manufacturers of my kids toys will be considered criminally negligent someday because no one used CIA-level risk analysis to consider how a hacker might do bad things with the significant technology in some of them.

Some of these toys are more expensive than most printers.

CHollman82
1.4 / 5 (9) Dec 02, 2011
"You're being too harsh, it is very difficult to perceive every possible threat when designing a software system" - CHollman82

You would be an incompetent programmer.


You are being completely unrealistic and ridiculous.

I AM a programmer, and I am going to shatter your fairy tale view of how you think things should be... I am paid to get the job done WELL ENOUGH and as QUICKLY as possible. NO ONE is going to pay programmers to spend weeks or months analyzing every possible security threat to their software, it is not economical, it is not practical, and it is not even POSSIBLE to prevent everything a malicious person would do. You're point of view is the product of your lack of experience with what you are talking about coupled with a completely unrealistic and idealistic opinion of how you think the world should be that is ultimately impossible. If you want total security in all software prepare to spend 10x as much or more on it.
CHollman82
1 / 5 (7) Dec 02, 2011
Anything that is connected to a network is subject to hacking.

Allowing the firmware to be updated via the network without a physical interlock is just begging to be hacked.


this just goes to show you how flawed capitalism is when such an incompetent programmer as chollman82 can claim to make $100k a year...! daddy must have come connections.....


I don't remember claiming to make 100k a year... I hope to get there eventually and am over half way now but I'm only 5 years out of college
Vendicar_Decarian
0.8 / 5 (43) Dec 03, 2011
You are incompetent.

"I AM a programmer, and I am going to shatter your fairy tale view of how you think things should be... I am paid to get the job done WELL ENOUGH and as QUICKLY as possible." - Chollman82
CHollman82
1.8 / 5 (5) Dec 05, 2011
Clown on the internet, meet the real world. You two should get better acquainted.
Royale
1 / 5 (1) Dec 05, 2011
lol. While I don't agree usually with CHollman82, I certainly do here. If he had the option to further work out kinks he probably would, but companies want more code, not the best and cleanest possible code that gets 15 lines a day added to it.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.