Update: Security researchers say HP printers vulnerable to hackers

Flaw in HP's printer firmware update procedures could expose your company's printers to hackers. Here are the steps you should take to protect them

Don't throw away your HP printers just yet.

MSNBC released an "exclusive" report quoting two Columbia University researchers as saying that millions of HP printers are open to potentially devastating online hacks. While the security holes appear to be very real, there's a great deal of question about whether the attacks could ever be implemented in a real-world situation -- and there are steps you can take at your corporate firewall right now to mitigate the threat.

The fundamental problem stems from the way HP printers validate firmware updates prior to applying them. Or more accurately, the way HP printers don't bother to validate firmware updates prior to applying them.

Salvatore Solfo, a professor at Columbia, and Ang Cui, a doctoral student, have been looking at security holes with HP printer firmware. It's entirely possible that similar vulnerabilities exist with other printers, so don't take this flaw as an indictment of HP -- yet.

According to MSNBC's report, Solfo and Cui "described the flaw in a private briefing for federal agencies two weeks ago. They told Hewlett-Packard about it last week." In fact, details about the security hole started circulating more than a month ago, and Cui and Jonathan Voris, a doctoral student at Polytechnic Institutue of NYU, are due to present a paper on the topic at the 28th Chaos Communications Congress next month.

Solfo, Cui, and Voris say they have found a way to hijack the firmware in HP printers. The problem stems from the fact that HP doesn't require authentication for firmware updates -- no code signing, no validation, no password or manual supervisor intervention prior to a firmware patch being installed. Cui says, "We can actually modify the firmware of the printer as part of a legitimate document. It renders correctly, and at the end of the job there's a firmware update. ... In a super-secure environment where there's a firewall and no access -- the government, Wall Street -- you could send a résumé to print out."

Of course, none of the antivirus manufacturers has routines that will identify rogue remote firmware update files, nor do they have scanners for printer firmware.

Once the printer's firmware has been altered, Internet-accessible printers could, in theory, contact a malicious website and receive instructions. It's conceivable that a subverted printer could send copies of the documents being printed. One could even envision a botnet run on printers, not PCs.

The demo referenced in the MSNBC report involved an HP printer's fuser. The altered firmware turned the fuser on and left it on, browning the paper and throwing off smoke, before the printer's thermal interrupt kicked in.

HP has since issued a statement refuting the MSNBC report. "Speculation regarding potential for devices to catch fire due to a firmware change is false. ...While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access."

Cui and Voris promise a demo next month that involves an attack on an HP LaserJet P2050-series printer using a tool they've devised, called HPacker, that creates valid HP remote firmware update files. "Using HPacker, we demonstrate the injection of our malware into arbitrary P2050 RFUs, and show how similar malware can be created for other popular HP printer types. Next, we demonstrate the delivery of this modified firmware update over the network to a fully locked-down printer."

What can you do to lessen the chances of getting hit by this kind of attack? Obviously, if you have any printers on your corporate firewall's outbound whitelist, they shouldn't be there. Cui and Voris have an outline with two additional points: "Firewall off all printer ports from the internet (won't stop users who can legitimately print) 9100, 3910, FTP, HTTP, etc" and "update CUPS filters to strip out jobs that contain firmware updates (won't stop standard obfuscation techniques like HexAsciiEncode, etc)."

It isn't just printers. In the past, Stolfo and Cui have written about infecting Cisco routers, using firmware update hacking techniques.

We're entering a new era where IT has to be concerned about hacked peripherals on the corporate network. I'm looking forward to the day when my mouse can participate in a botnet.

This story, "Security researchers say HP printers vulnerable to hackers," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.


Copyright © 2011 IDG Communications, Inc.

How to choose a low-code development platform