Millions of Printers Open to Exploits That Could Light Them on Fire
In a world where more and more things are getting connected to the Internet, it’s getting more and more important to focus on security for things that aren’t traditional computers. I’m not just talking smartphones and tablets, but things like cars, prison security systems, and printers. According to researchers at Columbia University, tens of millions of printers have firmware vulnerabilities that make them super hackable. But what’s the worst a hacker could do to a printer? How about set it on fire.
Columbia professor Salvatore Stolfo has been investigating the subject and and says “The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.” It turns out that as printer companies have been trying to cram more functionality into the devices, they’ve been giving them capabilities that are more and more like a traditional computer. The problem is that printer security hasn’t been growing along with printer functionality, which leaves us where we are right now.
Stolfo has identified an issue with HP LaserJet printers, one of the best selling models for business use, that allows hackers to push unofficial firmware updates to the machine, causing it to do all sorts of things. Before printing a job, HP LaserJets will go out onto the Internet to see if they need to pick up a firmware update before printing. The issue is that the printers don’t discriminate based on source, so anyone with the technical know-how can trick the printers into accepting the bogus update, and the printer can’t or won’t do anything to stop it.
What kind of effects could this have? Well, the most spectacular example Stolfo has shown off is the ability to make the printer melt down, smoke, and potentially catch fire. Using the bogus firmware trick, he can get the printer to overheat its fuser — the component used to dry ink — until it melts. Granted, most printers have a thermal switch installed to keep the thing from actually bursting into literal flames, but it’s still pretty intense.
There are more subtle applications as well. In another demonstration, an infiltrated printer was used to copy printed documents and send them off to hackers. In this case, tax returns being printed on an infected device were copied and sent off to hackers where they could be scanned for information like social security numbers. And of course, any hackers who wanted to just disable printers in an entirely mundane fashion could do that as well, easily.
HP, as you might expect, is being cagey about the exploits, for the moment. They report that they’re still investigating the exploits and won’t comment on the existence, or implications, of the vulnerabilities until they are 100% sure they actually exist. When they inevitably do find out they exist, they’ll surely roll out a fix, but there’s one more little thing to consider: Any printers that are already compromised are compromised for good. Once you’ve updated firmware on a device, it’s trival to block any further updates, official or not. So while HP may be able to put a stop to any further infection, they can’t fix any that have already happened. Of course, there are no reported cases of hacked printers, but a hacked printer is notoriously hard to detect. Better hope your printer isn’t sitting over there, plotting to ruin you. At the moment, there’s not all that much you can do to stop it.
(via Red Tape)