Printer Security Network IT Hardware

Printers Could Be the Next Attack Vector 175

New submitter rcoxdav writes "Researchers have found that the upgradeable firmware on some laser printers can be easily updated and compromised. The updated firmware could then be used to do anything from overheating the printer to compromising a network. Quoting: 'In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke. In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.'"
This discussion has been archived. No new comments can be posted.

  • Yeah right! (Score:5, Funny)

    by Anonymous Coward on Tuesday November 29, 2011 @01:46PM (#38205072)

    Yeah right, my printer could not possibly bring my networ

    • Re:Yeah right! (Score:5, Interesting)

      by ColdWetDog ( 752185 ) on Tuesday November 29, 2011 @01:48PM (#38205124) Homepage

      Arrh!!! Ip0 on Fire! [wikipedia.org]

      What is new, is old.

      • by GameboyRMH ( 1153867 ) <gameboyrmh@gCHEETAHmail.com minus cat> on Tuesday November 29, 2011 @01:58PM (#38205262) Journal

        Time to bring back the Extinguish button?

      • Re:Yeah right! (Score:4, Interesting)

        by ackthpt ( 218170 ) on Tuesday November 29, 2011 @01:58PM (#38205274) Homepage Journal

        Arrh!!! Ip0 on Fire! [wikipedia.org]

        What is new, is old.

        We had files we could send to our old impact lineprinter which could play music. Hell on ribbons, so save these sources of amusement for the day you were changing the ribbon anyway.

        • Arrh!!! Ip0 on Fire! [wikipedia.org]

          What is new, is old.

          We had files we could send to our old impact lineprinter which could play music. Hell on ribbons, so save these sources of amusement for the day you were changing the ribbon anyway.

          Don't tell this to the MAFIAA, or we'll pay a music tax on printers!

      • You laugh but... (Score:5, Interesting)

        by skids ( 119237 ) on Tuesday November 29, 2011 @01:59PM (#38205278) Homepage

        ...printers are rather more perniciously distributed into fire-prone environments these days than from back then, and though the journalists did their usual job of munging the information so it's inaccurate and sounds sensationalistic, there's actual potential for damage to be done here.

        I've had a working uC-Linux demo for HP Deskjets available for a couple of years now (see my sig.) My intent was to open the systems up for robotics use and give robotics students a system cheap enough to allow them to take their lab projects home with them when the class was over. I don't work on it much anymore, as there hasn't been much interest, and it's boring doing it without any users to support.

        I didn't approach lasers mostly because they have less to offer for this purpose, and also due to concerns over the safety issues, but some of the same tricks on my wiki page probably work on the older/cheaper HP personal lasers.

        Could a deskjet be made to burn? Well, from playing with the stepper motor in the ink tray, I can definitely get that to heat up pretty good, not to mention draw enough current to force the device to reboot. Not that that was my intent.

        I doubt the thermal management on deskjets is as thorough as on lasers, so yes, there's a potential for danger there. While a fusor might have a thermistor, that is only because it is an obvious danger. Sending the right bit pattern into motor drive circuits could heat up components, and AFAICT the only thermometers in the deskjets are far away on the print head daughterboard.

        (Not yet published on github is my work on a slightly newer ARM-based copy/printer/scanner where I have a booting kernel already, but the toolchain is very hard to build and USB driver is still very dicey.)

        • by Bert64 ( 520050 )

          That's interesting.. I always thought the deskjet printers were pretty dumb compared to the lasers...

          Out of interest, do you have any experience of the HP 9100C, it's a network based scanner basically a replacement for the network scanjet models, only unlike the scanjets (which are x86 based), they seem to be mips based, about 16mb ram, 3gb hdd and running vxworks...

          The default firmware is a bit limited, they can scan to email but not at full resolution, but anything more complex requires a proprietary serve

          • by skids ( 119237 )

            I haven't played with any of those units, no. I suspect any hacks aimed at improving functionality would probably be tweaks of the pre-existing firmware, and what with the OS being vxworks on this one, you'd have to have a compatible development environment -- reverse engineering it to the metal and writing brand new code to run the scanner would be pretty time consuming.

      • Well, that link was confusing. I thought Brandon Harris's username on Slashdot was lp0.

      • by cvtan ( 752695 )
        My favorite printer message (printed on paper) said, "Printer Not Available."
      • Frankly I don't see why they would bother with the firmware. Has anybody seen the new Windows drivers for some of the HP and Lexmark consumer printers? Man what a POS! And they ALL set themselves up open permissions on the firewall so they can "call home" to try to sell you more shit.

        If I was the malware guys I'd be aiming at the printer drivers, people expect their printers to have a bunch of crap with them anymore, hell I doubt they'd even notice one more service with HP or LX at the front of it.

  • Obligatory (Score:5, Informative)

    by TheLink ( 130905 ) on Tuesday November 29, 2011 @01:47PM (#38205104) Journal
  • NExt??? (Score:5, Informative)

    by Lumpy ( 12016 ) on Tuesday November 29, 2011 @01:49PM (#38205134) Homepage

    You have been able to use HP jetdirect printers as an attack vector for decades.

    It seems that computer security is not remembering how attacks were happening from the 90's and earlier.

    Hell, you could make Xerox solid ink printers burn the paper by sending them a corrupted PDF. It would stop in mid print with the paper on the drum and under the fixer running full power.

  • by unity100 ( 970058 ) on Tuesday November 29, 2011 @01:49PM (#38205138) Homepage Journal
    Like every 3d printer in a major manufacturing installation hacked and reconfigured to manufacture 3d-cast giant cocks ... Can you imagine how the plant manager will feel after ending up with a warehouse full of cocks?
    • by vlm ( 69642 )

      Well, somebody is selling those things, so I guess it could be much worse. I suppose if it happened at a church hackerspace, if such a thing exists...

      Worse would be getting the machine owner in big trouble, like making plastic automatic knives aka switchblades, or rifle receivers or single use short barreled plastic 12 gauge shotguns or any number of things the BATFE demands licensing and fees. Even just endless streams of pirated trademarked copyrighted mickey mouse gear would be a problem.

      • Even just endless streams of pirated trademarked copyrighted mickey mouse gear would be a problem.

        you know ... a serious hacker group could practically end trademark/copyright thing by continually hacking and rewiring 3d printers around the world to flood the world with those items.

      • by skids ( 119237 )

        Great, now the phrase "Ron Jeremy, prior art" is stuck in my head.

  • by pem ( 1013437 ) on Tuesday November 29, 2011 @01:49PM (#38205140)
    A printer was pirating its stuff!
  • by dmomo ( 256005 ) on Tuesday November 29, 2011 @01:50PM (#38205150)

    How about a less sensational headline like: "Printer firmware opens attack vector".. or something.

    • by bananaquackmoo ( 1204116 ) on Tuesday November 29, 2011 @02:03PM (#38205338)
      How about a more true headline, like "have been potential attack vectors for many many years now"
    • by jd ( 1658 )

      Or... "any programmable computing device can be attacked, and any hardware attached to it can be used to cause damage", except that would be longer. More honest, though.

      Want to trash a computable device? Upload something akin to CPUBurn onto it, styled and compiled for that specific processor. Want to trash a monitor? Set the timings to something totally screwball until it screams or fries. Want to wreck a hard-drive? The 80s computer virus "headbanger" smashed read heads into the end buffers until they mis

  • HCF (Score:4, Interesting)

    by camperdave ( 969942 ) on Tuesday November 29, 2011 @01:51PM (#38205166) Journal

    ...the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.

    It's not new. Computer hackers have had that ability for decades upon decades. It's called HCF: Halt and Catch Fire.

  • When I first toyed with Linux in the 90's I smoked a monitor by setting the refresh rate higher than it would support. Whilst it hasn't been possible to do this in many years you could have likewise called that just as much of an attack as this printer issue.

    People discover printers, copiers and so on are really just dedicated computers and attack them. If you're a professional and you're surprised something like this is happening then you've just outed yourself as incompetent.

    Why is this a news?

    • by skids ( 119237 )

      Why is this a news?

      Because it's news to the layperson. You know, the one who owns a printer but doesn't know the difference between a parallel port and a serial port. They just assume the devices are "safe" because they are sold casually.

    • Re:Nothing new here (Score:4, Interesting)

      by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Tuesday November 29, 2011 @02:33PM (#38205696) Homepage Journal

      The truly important news that everyone so far has missed is that the original submission had a typo that the editors fixed. THAT is absolutely staggering news!

      • Good catch, you should submit that as a news story! Slashdot editor edits news story. Just make sure you submit the story with your own typo.

        I'm the guy who responded to their user feature request a few months back with a request that they hire a professional editor...

  • by ackthpt ( 218170 ) on Tuesday November 29, 2011 @01:55PM (#38205220) Homepage Journal

    While this may be attractive to drunken programmers, it's not something I expect evul terrerists to perpetrate or nefarious crackers, who are far more interested in stealing your money.

    • by nurb432 ( 527695 )

      And if your company happens to print out checks, or other sensitive data, it could be a nice easy way to capture that information and send it off to a remote site to be sifted thru.

      • Not to mention printers have had full blown operating systems for firmware for years. The printer we just got can print via ftp, e-mail (pop access to remote account), etc. Printers are now computers that print and need to be secured as such.
  • by rubycodez ( 864176 ) on Tuesday November 29, 2011 @01:55PM (#38205224)
    This has been known and demonstrated since the early 1990s. Moreover, Tom Clancy used this type of attack as a plot device in one of his novels, in the 90s.
    • If this vector has been known for so long, why is it still wide open? Why does the HP printer check for firmware updates at the outset of every print job? Why were their printers not verifying digital signatures until just two years ago?

      The fact that modern printers are susceptible to this attack is still a cause for alarm.

      • by skids ( 119237 ) on Tuesday November 29, 2011 @03:00PM (#38206054) Homepage

        It's not that the printer checks for firmware at the outset of every job, it's that there is an interactive interpreter which has at its disposal such handy commands as "udw_write_mem" allowing you to scribble all over the printer's memory space and "udw_srec_upload" which imports an SREC with new firmware and jumps to the provided execute address. Also plenty of things for moving print heads, checking hardware state, and managing nvram variables. So the payload can be embedded anywhere in the print job. FWIW.

        • Ah, thanks for the info.

          I'm having a hard time deciding what's worse; constantly checking for updates without user consent (what I initially thought), or the ability for a random print job to scribble all over the printer's memory (what I know now).

          I think I'm going to have to go with "scribbling all over the printer's memory". That is freaking scary. And it completely bypasses the digital signature check.

          • by Rich0 ( 548339 )

            What is really scary is that in order to come up with a standard format for sending data to printers somebody decided to invent a turing-complete language. That means you can't even examine a set of data being sent to the printer and determine whether it will ever print anything without actually running it.

            Not convinced? Try printing some of the files on this page [uq.edu.au].

        • The only Google hit on the entire Internet for the terms "udw_write_mem" and "udw_srec_upload" is your own post.
    • by blair1q ( 305137 )

      Immediately made me think of the story that came up during the First Gulf War of American cyberwarriors doing this to Saddam's printers, putatively with the result that they could read everything his commanders were printing out.

      No telling if it was true (and likely it was apocryphal because this is the sort of hack that stays top secret for as long as it works; see the story of the WW1 invisible ink recipe [telegraph.co.uk] that remained classified for nearly a century), but it was certainly plausible.

  • Maybe. (Score:4, Interesting)

    by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Tuesday November 29, 2011 @02:01PM (#38205314) Homepage Journal

    Since we know that darknets of zombie machines are the "in thing", it would seem more obvious for printer hackers to expand such darknets to other devices. The CPU power isn't massive, but you don't need much to be able to send spam, push virus updates to infected machines, etc. Malicious attacks for the purpose of causing actual damage are relatively far and few between compared to hijacking of systems for remote use.

    That doesn't mean there are no cases of malicious attacks. Even in situations where I'm sympathetic to the principle espoused, I'd still consider almost all hacktivism to be malicious in nature. (The "almost" is because there are bound to be exceptions to any rule.) Hacktivism has been on the rise, including by nation states, and in some such cases physical damage is already the goal. That is bound to get worse.

  • More likely (Score:5, Informative)

    by MobyDisk ( 75490 ) on Tuesday November 29, 2011 @02:07PM (#38205396) Homepage

    Instead of burning the printer, I would worry more about someone logging all the print jobs. Long ago I joked with some coworkers that this wouldn't be too tough on a typical Windows network. Just change your IP address or machine name to match the printer, and you could intercept the jobs. I wanted to insert spelling errors or Dilbert comics into the document. But someone could be malicious and send the information to a competitor or a hedge fund.

  • Gah. (Score:5, Informative)

    by richie2000 ( 159732 ) <rickard.olsson@gmail.com> on Tuesday November 29, 2011 @02:10PM (#38205434) Homepage Journal

    the printer’s fuser – which is designed to dry the ink once it’s applied to paper

    Stupid submitter makes my head hurt.

    There is no ink in laser printers. There is toner, a bone-dry powder that is fused to the paper by the fuser, generally a very warm cylinder.

    Ink-jet printers use ink, but those droplets are so small they dry into the paper without having to be heated.

    Facts, use them.

    • There is no ink in laser printers. There is toner, a bone-dry powder that is fused to the paper by the fuser

      http://en.wikipedia.org/wiki/Ink [wikipedia.org]

      • First words in that article: Ink is a liquid or paste.

        If it's completely dry, it's not ink.

        • The toner powder is a paste. It is not dry enough to be not considered a paste. That is, you can apply pressure on them to turn it into clay like substance.

          • Apparently you have never opened a laserprinter or only ones that are very different from the ones I used to repair and maintain.
            Toner is a very fine powder and if it leaks out of its container it goes everywhere. Try blowing out a laserprinter with compressed air and see for yourself. One piece of advice: wear a face mask or don't breathe, if the stuff gets in your lungs it's not good for you!

          • by swalve ( 1980968 )
            It's a powder. Try opening up a toner cartridge and seeing if it's paste...
        • FWIW, Xerox consistently refers to toner as "dry ink", at least for our printers and copiers.

          But dick-waving about the semantics of "ink" is missing the point. A fuser doesn't *dry* the ink/toner. It heats it up until it fuses to the paper. Hence the name.

      • Still hard to get around that quote that the fuser is designed to "dry" that toner/ink. GP is correct. The "journalist" is an idiot.
        • Agreed. My point of contention is that the toner does contain ink. I agree with GGP about everything else.

          • Sorry to have to disagree with you again but:
            Toner is a kind of plastic powder and does NOT contain ink. In the printing process the toner is charged and pulled to the paper which has an opposite charge on the places where the toner must 'land'. After that, the toner is melted into the paper by heating it. That step of the process is accomplished by the fuser, which, as the name says, fuses the toner with the paper.
            If toner were anything but a very fine powder (getting back to one of your earlier posts) th

          • Oops, I should have looked up 'contention' BEFORE I replied to your post! English is not my first language and I started to doubt the meaning of the word after I submitted my comment. My excuses to you sir/ma'am, I thought we disagreed on this, but we don't.

    • More than 15 years ago, there was an HP deskjet (it might have been officejet) that actually did have a heating element under the output tray that was used to help dry the ink. This was the only HP Inkjet printer that I have ever seen with any type of fuser analog. I doubt that the element could start a fire, even if you could force it to be constantly on. Printers of that era didn't even have flash upgradable firmware.
  • by swb ( 14022 ) on Tuesday November 29, 2011 @02:14PM (#38205484)

    Some of the larger LaserJets supported two JetDirect cards. If you could make a JetDirect card run an OS, I can see a scenario like:

    1) Go to company X as printer tech on fake service call
    2) Install hacked JetDirect card as secondary device, connect to network
    3) ????
    4) Profit!

    • by skids ( 119237 )

      At least one HP MFP that I have played with can load a firmware upgrade off a camera flash card. You have to hold a button down during boot, but it would only take a couple minutes of alone time with the device and you wouldn't have to touch the target machine at all. Then all you need is the code to crash the printer driver on the target machine, the code for which is generally not hardened because it expects the printer to behave itself.

      • It's worse than that: after seeing this article I checked the firmware on my HP LaserJet 2300 and found it was out-of-date, so I downloaded the new firmware from HP's site and upgraded it. The update procedure was a single command in Linux: "lpr -P HP_LaserJet_2300 firmwarefile.rfu". As soon as the printer received this file over the network, it automatically used it to update itself. There's no security here whatsoever. It wouldn't be hard at all for someone to make a hacked firmware file and make acce

        • by skids ( 119237 )

          Well, there's a bit of security-by-obscurity: the actual driver code for writing to the flash chip is only in the upgrade images, not in the installed firmware. So you'd at least have to figure out what data not to corrupt to keep the flash writing code intact, and adjust the checksum.

    • by hawguy ( 1600213 )

      Some of the larger LaserJets supported two JetDirect cards. If you could make a JetDirect card run an OS, I can see a scenario like:

      1) Go to company X as printer tech on fake service call
      2) Install hacked JetDirect card as secondary device, connect to network
      3) ????
      4) Profit!

      If you can hack a Jetdirect card and gain physical access to the printer, why install a second one? Just upload your hacked firmware to the primary Jetdirect card and you're done. Just have it transparently pass print jobs to the printer while it does whatever nefarious activity you've programmed it to do. No need to hope that your target printer has a second Jetdirect slot, and no need to find a second network port to plug your hacked card into.

      • by swb ( 14022 )

        My guess is that a standard JetDirect card doesn't have enough horsepower to run a meaningfully hacked firmware image AND still function as a working printer interface.

        I'm also wondering if there's not some value to a physically hacked JetDirect card -- whether you hack it totally and replace the PCB with some kind of single board computer that can draw power from the printer and just "looks" like a JetDirect card when installed, or do some kind of hackery to increase memory or flash.

        • by skids ( 119237 )

          My guess is that a standard JetDirect card doesn't have enough horsepower to run a meaningfully hacked firmware image AND still function as a working printer interface.

          You've obviously never seen the resulting machine code that the disaster they call a compiler produces. There's plenty of space/wasted CPUs to harvest. The problem of course is the time needed to re-implement everything.

          I don't know about the jetdirect, but the deskjets I've worked with were more powerful inside than my first i386 system was. Not to mention they have more IRQ lines and a larger array of precise hardware timers than modern commodity PCs.

      • Not only that, but you can keep the old JetDirect card, hack it, and use it for the next printer you attack.

    • by jd ( 1658 )

      That means that you can remove a bridge from the system since you could write a firmware image that supported Xorp or Quagga. If a JetDirect card uses chips supported under LinuxBIOS^WCoreboot, then you can load an OS on it.

  • Wasn't there a network attached printer that had a small nas device built into it a couple of years ago and the nas contained infected printer drivers? There are all kinds of stories about printers being used as vectors of attack for isolated networks.

    I guess this research just goes from the realm of allegory to the realm of reality.

    At this point, if you're not treating every device you attach to your network as a potential threat... you're doing it wrong.
    • by swalve ( 1980968 )
      Some Xerox Phasers have a hard disk that contains drivers and manuals and stuff (in addition to being used for job storage). It's just FAT16 or something like that. I don't know if you can do it over the network, but you can pull the drive, insert the badness, and reinstall.
  • we don't need no water let the motherfucker burn!

  • If your intranet is so poorly protected that an attacker can access it from the outside, then the printer is not the real problem and I'd almost say you get what you deserve. Make sure you've got an adequate firewall, and password protect your printer.
    • The point isn't that the network is poorly protected. The point is that someday grandma or grandpa is going to get a virus that infects their printer and you're probably going to completely overlook it when you try to clean their system.

    • by Bert64 ( 520050 )

      Assuming an attacker has got into the network, one of their goals is to stay there...
      Who would suspect the printer as a jumpoff point?

      Also, who's going to check a printer for malware before installing it? You could intercept shipment of a printer before it was delivered, load malware on it and wait for them to connect it to the network... You could even contact the victim offering them a really good deal on a printer, wouldn't be hard to convince them to connect it to the network.

      It makes a lot of sense to i

  • by Joe_Dragon ( 2206452 ) on Tuesday November 29, 2011 @03:51PM (#38206708)

    This is why even with IPv6 you may still want to use NAT.

    1. to stop people from just scanning the net for printers and wasting ink

    2. to make hacks like this harder to pull off.

    • Re:NAT and IPV6 (Score:4, Insightful)

      by skids ( 119237 ) on Tuesday November 29, 2011 @04:24PM (#38207064) Homepage

      How does that stop a "print out this coupon" email containing a print job with an embedded exploit, which is what TFA is about?

    • by Alioth ( 221270 )

      No, you want to use a firewall.

      (1) is impractical in IPv6. Network scanning will go away when each subnet in an organization is 64 bits long. Even if you find a subnet, to scan it you must scan an address size *four billion times larger* than the entire IPv4 internet. Even if there's some predictability to IPv6 autoconfigured addresses, you still end up having to scan address spaces thousands of times larger than the entire IPv4 internet.

      (2) It's not NAT that makes hacks like this harder to pull off (they a

  • I take it they're talking about using maliciously-crafted print jobs to exploit vulnerabilities.

    Because every networked office printer should have its administrative interfaces password-locked and, if possible, be behind an lprng server.

  • Arrrrrrgh... no it doesn't.. Go back to printer school 101 and try again.

    Ignorance at this level is unbelievable, and unacceptable.

  • This has been a possibility for quite some time (in the tens of years) - having worked in said industry many years ago. I suspect that these 'researchers' finally realized this, and needed some press in our economic downturn. Anything that is connected to 'them there intertubes' could, in theory (and likely in practice) be 'the next vector'.

  • From TFA:

    There are plenty of points of contention between HP and the researchers, however. Moore, the HP executive, said the firm’s newer printers do require digitally signed firmware upgrades, and have since 2009. The printers tested by the researchers are older models, Moore said.

    Maybe this means that it isn't much of a problem at least with newer gear?

  • Some HP printers' firmware can be upgraded simply by sending the network card an appropriately formatted "print job". No authentication is necessary.

    I realized this years ago while troubleshooting a printer with an HP technician. HP's own flash upgrade software uses the printer port settings on your local computer, and sends the update via those settings.

    It seems any device that can talk to those printers on port 9100 can compromise those printers.

    A simple solution would be to require some sort of manual i
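
Added example, not part of the original thread or any poster's code: comments above point out that any device able to reach a printer on port 9100 can send it a firmware "print job", and recommend keeping printers behind a print server. The Python sketch below audits constructed flow records for clients that bypass the print server and for printers that open connections to external hosts; all addresses, the record format and the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Site inventory (assumed values for this example).
PRINTERS = {ipaddress.ip_address(a) for a in ("10.20.0.50", "10.20.0.51")}
PRINT_SERVERS = {ipaddress.ip_address("10.20.0.10")}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# 9100 is the raw printing port named in the thread; 515 (LPD) is added here.
PRINT_PORTS = {9100, 515}

# Constructed flow records, one connection per line, initiator first:
# time  src  sport  dst  dport  bytes
SAMPLE_FLOWS = """\
2011-11-29T14:00:01 10.20.0.10 51000 10.20.0.50 9100 48213
2011-11-29T14:02:17 10.30.4.77 49822 10.20.0.50 9100 7340032
2011-11-29T14:05:40 10.20.0.10 51004 10.20.0.51 515 1022
2011-11-29T14:09:03 10.20.0.50 1033 203.0.113.25 80 912345
# exporter restarted
2011-11-29T14:11:12 10.30.4.12 50110 10.20.0.51 515 20480
2011-11-29T14:12:00 10.20.0.51 1040 10.20.0.10 445 300
truncated record
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    time: str
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Yield (time, src, dst, dport, nbytes); skip comments and bad lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 6:
            continue
        try:
            yield (parts[0],
                   ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[3]),
                   int(parts[4]),
                   int(parts[5]))
        except ValueError:
            continue  # unparsable address or number


def audit(text):
    """Return findings for traffic that violates the print-server-only policy."""
    findings = []
    for time, src, dst, dport, nbytes in parse_flows(text):
        if dst in PRINTERS and dport in PRINT_PORTS and src not in PRINT_SERVERS:
            # A client spoke to the printer directly instead of via the server.
            rule = "direct-print-bypass"
        elif src in PRINTERS and dst not in INTERNAL:
            # A printer initiated a connection to a host outside the network.
            rule = "printer-egress-external"
        else:
            continue
        findings.append(Finding(rule, time, str(src), str(dst), dport, nbytes))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.time} {f.rule}: {f.src} -> {f.dst}:{f.dport} ({f.nbytes} bytes)")
```

Findings of the first kind are also the cue to add a switch or firewall rule that admits only the print server to the printers' print ports.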
