Once the printer's firmware has been altered, Internet-accessible printers could, in theory, contact a malicious website and receive instructions. It's conceivable that a subverted printer could send copies of the documents being printed. One could even envision a botnet run on printers, not PCs.
The demo referenced in the MSNBC report involved an HP printer's fuser. The altered firmware turned the fuser on and left it on, browning the paper and throwing off smoke, before the printer's thermal interrupt kicked in.
HP has since issued a statement refuting the MSNBC report. "Speculation regarding potential for devices to catch fire due to a firmware change is false. ...While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access."
Cui and Voris promise a demo next month that involves an attack on an HP LaserJet P2050-series printer using a tool they've devised, called HPacker, that creates valid HP remote firmware update files. "Using HPacker, we demonstrate the injection of our malware into arbitrary P2050 RFUs, and show how similar malware can be created for other popular HP printer types. Next, we demonstrate the delivery of this modified firmware update over the network to a fully locked-down printer."
What can you do to lessen the chances of getting hit by this kind of attack? Obviously, if you have any printers on your corporate firewall's outbound whitelist, they shouldn't be there. Cui and Voris have an outline with two additional points: "Firewall off all printer ports from the internet (won't stop users who can legitimately print) 9100, 3910, FTP, HTTP, etc" and "update CUPS filters to strip out jobs that contain firmware updates (won't stop standard obfuscation techniques like HexAsciiEncode, etc)."
It isn't just printers. In the past, Stolfo and Cui have written about infecting Cisco routers, using firmware update hacking techniques.
We're entering a new era where IT has to be concerned about hacked peripherals on the corporate network. I'm looking forward to the day when my mouse can participate in a botnet.
This story, "Security researchers say HP printers vulnerable to hackers," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.