Printers Could Be the Next Attack Vector 175
New submitter rcoxdav writes "Researchers have found that the upgradeable firmware on some laser printers can be easily updated and compromised. The updated firmware could then be used to do anything from overheating the printer to compromising a network. Quoting: 'In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke. In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.'"
Yeah right! (Score:5, Funny)
Yeah right, my printer could not possibly bring my networ
Re:Yeah right! (Score:5, Interesting)
Arrh!!! Ip0 on Fire! [wikipedia.org]
What is new, is old.
Re:Yeah right! (Score:4, Funny)
Time to bring back the Extinguish button?
Re:Yeah right! (Score:4, Interesting)
Arrh!!! Ip0 on Fire! [wikipedia.org]
What is new, is old.
We had files we could send to our old impact lineprinter which could play music. Hell on ribbons, so save these sources of amusement for the day you were changing the ribbon anyway.
Re: (Score:2)
Arrh!!! Ip0 on Fire! [wikipedia.org]
What is new, is old.
We had files we could send to our old impact lineprinter which could play music. Hell on ribbons, so save these sources of amusement for the day you were changing the ribbon anyway.
Don't tell this to the MAFIAA, or we'll pay a music tax on printers!
You laugh but... (Score:5, Interesting)
I've had a working uC-Linux demo for HP Deskjets available for a couple of years now (see my sig.) My intent was to open the systems up for robotics use and give robotics students a system cheap enough to allow them to take their lab projects home with them when the class was over. I don't work on it much anymore, as there hasn't been much interest, and it's boring doing it without any users to support.
I didn't approach lasers mostly because they have less to offer for this purpose, and also due to concerns over the safety issues, but some of the same tricks on my wiki page probably work on the older/cheaper HP personal lasers.
Could a deskjet be made to burn? Well, from playing with the stepper motor in the ink tray, I can definitely get that to heat up pretty good, not to mention draw enough current to force the device to reboot. Not that that was my intent.
I doubt the thermal management on deskjets is as thorough as on lasers, so yes, there's a potential for danger there. While a fusor might have a thermistor, that is only because it is an obvious danger. Sending the right bit pattern into motor drive circuits could heat up components, and AFAICT the only thermometers in the deskjets are far away on the print head daughterboard.
(Not yet published on github is my work on a slightly newer ARM-based copy/printer/scanner where I have a booting kernel already, but the toolchain is very hard to build and USB driver is still very dicey.)
Re: (Score:2)
That's interesting.. I always thought the deskjet printers were pretty dumb compares to the lasers...
Out of interest, do you have any experience of the HP 9100C, its a network based scanner basically a replacement for the network scanjet models, only unlike the scanjets (which are x86 based), they seem to be mips based, about 16mb ram, 3gb hdd and running vxworks...
The default firmware is a bit limited, they can scan to email but not at full resolution, but anything more complex requires a proprietary serve
Re: (Score:2)
I haven't played with any of those units, no. I suspect any hacks aimed at improving functionality would probably be tweaks of the pre-existing firmware, and what with the OS being vxworks on this one, you'd have to have a compatible development environment -- reverse engineering it to the metal and writing brand new code to run the scanner would be pretty time consuming.
Re: (Score:2)
Well, that link was confusing. I thought Brandon Harris's username on Slashdot was lp0.
Re: (Score:2)
Re: (Score:2)
Obligatory (Score:5, Informative)
http://en.wikipedia.org/wiki/Lp0_on_fire [wikipedia.org]
NExt??? (Score:5, Informative)
You have been able to use HP jetdirect printers as an attack vector for decades.
IT seems that Computer security is not remembering how attacks were happening from the 90's and earlier.
Hell you could make Xerox solid ink printers burn the paper by sending them a corrupted PDF. it would stop in mid print with the paper on the drum and under the fixer running full power.
Re: (Score:2)
Re: (Score:2)
Then you'd WISH the printer caught on fire & burned all the paper.
Re: (Score:2)
Aren't the HP Jetdirect boxes based on LynxOS?
Aaahhh ... imagine the possibilities .... (Score:5, Funny)
Re: (Score:2)
Well, somebody is selling those things, so I guess it could be much worse. I suppose if it happened at a church hackerspace, if such a thing exists...
Worse would be getting the machine owner in big trouble, like making plastic automatic knives aka switchblades, or rifle receivers or single use short barreled plastic 12 gauge shortguns or any number of things the BATFE demands licensing and fees. Even just endless streams of pirated trademarked copyrighted mickey mouse gear would be a problem.
Re: (Score:2)
Even just endless streams of pirated trademarked copyrighted mickey mouse gear would be a problem.
you know ... a serious hacker group could practically end trademark/copyright thing by continually hacking and rewiring 3d printers around the world to flood the world with those items.
Re: (Score:2)
Re: (Score:2)
Great, now the phrase "Ron Jeremy, prior art" is stuck in my head.
Maybe the RIAA was right (Score:4, Funny)
"THE next attack vector"? (Score:4, Insightful)
How about a less sensational headline like: "Printer firmware opens attack vector".. or something.
Re:"THE next attack vector"? (Score:4, Informative)
Re: (Score:2)
Or... "any programmable computing device can be attacked, and any hardware attached to it can be used to cause damage", except that would be longer. More honest, though.
Want to trash a computable device? Upload something akin to CPUBurn onto it, styled and compiled for that specific processor. Want to trash a monitor? Set the timings to something totally screwball until it screams or fries. Want to wreck a hard-drive? The 80s computer virus "headbanger" smashed read heads into the end buffers until they mis
Re: (Score:3)
CPUburn can't trash a CPU, it'll just turn itself off when it overheats.
HCF (Score:4, Interesting)
It's not new. Computer hackers have had that ability for decades upon decades. It's called HCF: Halt and Catch Fire.
Nothing new here (Score:2)
When I first toyed with Linux in the 90's I smoked a monitor by setting the refresh rate higher than it would support. Whilst it hasn't been possible to do this in many years you could have likewise called that just as much of an attack as this printer issue.
People discover printers, copiers and so on are really just dedicated computers and attack them. If your a professional and your surprised something like this is happening than you've just outed yourself as incompetent.
Why is this a news?
Re: (Score:2)
Why is this a news?
Because it's news to the layperson. You know, the one who owns a printer but doesn't know the difference between a parallel port and a serial port. They just assume the devices are "safe" because they are sold casually.
Re:Nothing new here (Score:4, Interesting)
The truly important news that everyone so far has missed is that the original submission had a typo that the editors fixed. THAT is absolutely staggering news!
Re: (Score:2)
Good catch, you should submit that as a news story! Slashdot editor edits news story. Just make sure you submit the story with your own typo.
I'm the guy who responded to their user feature request a few months back with a request that they hire a professional editor...
Filed under 'Possible, But Unlikely' (Score:3)
While this may be attractive to drunken programmers, it's not something I expect evul terrerists to perpetrate or nefarious crackers, who are far more interested in stealing your money.
Re: (Score:2)
And if your company happens to print out checks, or other sensitive data, it could be a nice easy way to capture that information and send it off to a remote site to be sifted thru.
Re: (Score:2)
researchers find attack vector known for 20 years (Score:5, Informative)
Re: (Score:2)
If this vector has been known for so long, why is it still wide open? Why does the HP printer check for firmware updates at the outset of every print job? Why were their printers not verifying digital signatures until just two years ago?
The fact that modern printers are susceptible to this attack is still a cause for alarm.
Re:researchers find attack vector known for 20 yea (Score:4, Informative)
It's not that the printer checks for firmware at the outset of every job, it's that there is an interactive interpreter which has at its disposal such handy commands as "udw_write_mem" allowing you to scribble all over the printer's memory space and "udw_srec_upload" which imports an SREC with new firmware and jumps to the provided execute address. Also plenty of things for moving print heads, checking hardware state, and managing nvram variables. So the payload can be embedded anywhere in the print job. FWIW.
Re: (Score:2)
Ah, thanks for the info.
I'm having a hard time deciding what's worse; constantly checking for updates without user consent (what I initially thought), or the ability for a random print job to scribble all over the printer's memory (what I know now).
I think I'm going to have to go with "scribbling all over the printer's memory". That is freaking scary. And it completely bypasses the digital signature check.
Re: (Score:2)
What is really scary is that in order to come up with a standard format for sending data to printers somebody decided to invent a turing-complete language. That means you can't even examine a set of data being sent to the printer and determine whether it will ever print anything without actually running it.
Not convinced? Try printing some of the files on this page [uq.edu.au].
Re: (Score:2)
Re: (Score:2)
Immediately made me think of the story that came up during the First Gulf War of American cyberwarriors doing this to Saddam's printers, putatively with the result that they could read everything his commanders were printing out.
No telling if it was true (and likely it was apocryphal because this is the sort of hack that stays top secret for as long as it works; see the story of the WW1 invisible ink recipe [telegraph.co.uk] that remained classified for nearly a century), but it was certainly plausible.
Re: (Score:2)
Maybe. (Score:4, Interesting)
Since we know that darknets of zombie machines are the "in thing", it would seem more obvious for printer hackers to expand such darknets to other devices. The CPU power isn't massive, but you don't need much to be able to send spam, push virus updates to infected machines, etc. Malicious attacks for the purpose of causing actual damage are relatively far and few between compared to hijacking of systems for remote use.
That doesn't mean there are no cases of malicious attacks. Even in situations where I'm sympathetic to the principle espoused, I'd still consider almost all hacktivism to be malicious in nature. (The "almost" is because there are bound to be exceptions to any rule.) Hacktivism has been on the rise, including by nation states, and in some such cases physical damage is already the goal. That is bound to get worse.
Re: (Score:2)
Ye gods! The Ghost in the Machine is a Nigerian Elizabot?
More likely (Score:5, Informative)
Instead of burning the printer, I would more worry about someone logging all the print jobs. Long ago I joked with some coworkers that this wouldn't be too tough on a typical Windows network. Just change your IP address or machine name to match the printer, and you could intercept the jobs. I wanted to insert spelling errors or Dilbert comics into the document. But someone could be malicious and send the information to a competitor or a hedge fund.
Gah. (Score:5, Informative)
the printer’s fuser – which is designed to dry the ink once it’s applied to paper
Stupid submitter makes my head hurt.
There is no ink in laser printers. There is toner, a bone-dry powder that is fused to the paper by the fuser, generally a very warm cylinder.
Ink-jet printers use ink, but those droplets are so small they dry into the paper without having to be heated.
Facts, use them.
Re: (Score:2)
There is no ink in laser printers. There is toner, a bone-dry powder that is fused to the paper by the fuser
http://en.wikipedia.org/wiki/Ink [wikipedia.org]
Re: (Score:2)
First words in that article: Ink is a liquid or paste.
If it's completely dry, it's not ink.
Re: (Score:2)
The toner powder is a paste. It is not dry enough to be not considered a paste. That is, you can apply pressure on them to turn it into clay like substance.
Re: (Score:2)
Apparently you have never opened a laserprinter or only ones that are very different from the ones I used to repair and maintain.
Toner is a very fine powder and of it leaks out of its containter it goes everywhere. Try blowing out a laserprinter with compressed air and see for yourself. One advice: wear a face mask or don't breath, if the stuff gets in your lungs it's not good for you!
Re: (Score:2)
Dry ink (Score:2)
FWIW, Xerox consistently refers to toner as "dry ink", at least for our printers and copiers.
But dick-waving about the semantics of "ink" is missing the point. A fuser doesn't *dry* the ink/toner. It heats it up until it fuses to the paper. Hence the name.
Re: (Score:2)
Re: (Score:2)
Agreed. My point of contention is that the toner does contain ink. I agree with GGP about everything else.
Re: (Score:3)
Sorry to have to disagree with you again but:
Toner is a kind of plastic powder and does NOT contain ink. In the printing process the toner is charged and pulled to the paper which has an opposite charge on the places where the toner must 'land'. After that, the toner is molten into the paper bij heating it. That step of the process is accomplished by the fuser, which, as the name says, fuses the toner with the paper.
If toner wore anything but a very fine powder (getting back to one of your earlier posts) th
Re:Gah....reacted too soon! (Score:2)
Oops, I should have looked up 'contention' BEFORE I replied to your post! English is not my first language and I started to doubt the meaning of the word after I submitted my comment. My excuses to you sir/ma'am, I thought we disagreed on this, but we don't.
ink and fuser (Score:2)
Re: (Score:2)
They were only quoting TFA, which was written by a journalist at MSNBC, so lets give credit where credit is due.
Re: (Score:2)
Has anyone hacked a JetDirect card to run an OS? (Score:3)
Some of the larger LaserJets supported two JetDirect cards. If you could make a JetDirect card run an OS, I can see a scenario like:
1) Go to company X as printer tech on fake service call
2) Install hacked JetDirect card as secondary device, connect to network
3) ????
4) Profit!
Re: (Score:2)
At least one HP MFP that I have played with can load a firmware upgrade off a camera flash card. You have to hold a button down during boot, but it would only take a couple minutes of alone time with the device and you wouldn't have to touch the target machine at all. Then all you need is the code to crash the printer driver on the target machine, the code for which is generally not hardened because it expects the printer to behave itself.
Re: (Score:2)
It's worse than that: after seeing this article I checked the firmware on my HP LaserJet 2300 and found it was out-of-date, so I downloaded the new firmware from HP's site and upgraded it. The update procedure was a single command in Linux: "lpr -P HP_LaserJet_2300 firmwarefile.rfu". As soon as the printer received this file over the network, it automatically used it to update itself. There's no security here whatsoever. It wouldn't be hard at all for someone to make a hacked firmware file and make acce
Re: (Score:2)
Well, there's a bit of security-by-obscurity: the actual driver code for writing to the flash chip is only in the upgrade images, not in the installed firmware. So you'd at least have to figure out what data not to corrupt to keep the flash writing code intact, and adjust the checksum.
Re: (Score:2)
Some of the larger LaserJets supported two JetDirect cards. If you could make a JetDirect card run an OS, I can see a scenario like:
1) Go to company X as printer tech on fake service call
2) Install hacked JetDirect card as secondary device, connect to network
3) ????
4) Profit!
If you can hack a Jetdirect card and gain physical access to the printer, why install a second one? Just upload your hacked firmware to the primary Jetdirect card and you're done. Just have it transparently pass print jobs to the printer while it does whatever nefarious activity you've programmed it to do. No need to hope that your target printer has a second Jetdirect slot, and no need to find a second network port to plug your hacked card into.
Re: (Score:2)
My guess is that a standard JetDirect card doesn't have enough horsepower to run a meaningfully hacked firmware image AND still function as a working printer interface.
I'm also wondering if there's not some value to a physically hacked JetDirect card -- whether you hack it totally and replace the PCB with some kind of single board computer that can draw power from the printer and just "looks" like a JetDirect card when installed, or do some kind of hackery to increase memory or flash.
Re: (Score:2)
My guess is that a standard JetDirect card doesn't have enough horsepower to run a meaningfully hacked firmware image AND still function as a working printer interface.
You've obviously never seen the resulting machine code that the disaster they call a compiler produces. There's plenty of space/wasted CPUs to harvest. The problem of course is the time needed to re-implement everything.
I don't know about the jetdirect, but the deskjets I've worked with were more powerful inside than my first i386 system was. Not to mention they have more IRQ lines and a larger array of precise hardware timers than modern commodity PCs.
Re: (Score:2)
Not only that, but you can keep the old JetDirect card, hack it, and use it for the next printer you attack.
Re: (Score:2)
That means that you can remove a bridge from the system since you could write a firmware image that supported Xorp or Quagga. If a JetDirect card uses chips supported under LinuxBIOS^WCoreboot, then you can load an OS on it.
If it acts up, just take it outside and beat it up (Score:2)
Destroy the printer, office space style http://www.youtube.com/watch?v=l0_S_EdZ_I8 [youtube.com]
Seriously... this is old news... (Score:2)
I guess this research just goes from the realm of allegory to the realm of reality.
At this point, if you're not treating every device you attach to your network as a potential threat... you're doing it wrong.
Re: (Score:2)
The printer is on fire... (Score:2)
we don't need no water let the motherfucker burn!
Ignoring the real problem (Score:2)
Re: (Score:2)
The point isn't that the network is poorly protected. The point is that someday grandma or grandpa is going to get a virus that infects their printer and you're probably going to completely overlook it when you try to clean their system.
Re: (Score:2)
Assuming an attacker has got into the network, one of their goals is to stay there...
Who would suspect the printer as a jumpoff point?
Also, who's going to check a printer for malware before installing it? You could intercept shipment of a printer before it was delivered, load malware on it and wait for them to connect it to the network... You could even contact the victim offering them a really good deal on a printer, wouldnt be hard to convince them to connect it to the network.
It makes a lot of sense to i
NAT and IPV6 (Score:3)
This is why even with IPv6 you may still want to use NAT.
1. to stop people from just scanning the net for printers and wasting ink
2. to make hacks like this harder to pull off.
Re:NAT and IPV6 (Score:4, Insightful)
How does that stop a "print out this coupon" email containing a print job with an embedded exploit, which is what TFA is about?
Re: (Score:3)
No, you want to use a firewall.
(1) is impractical in IPv6. Network scanning will go away when each subnet in an organization is 64 bits long. Even if you find a subnet, to scan it you must scan an address size *four billion times larger* than the entire IPv4 internet. Even if there's some predictability to IPv6 autoconfigured addresses, you still end up having to scan address spaces thousands of times larger than the entire IPv4 internet.
(2) It's not NAT that makes hacks like this harder to pull off (they a
Re: (Score:2)
Flashback from a year ago (Score:2)
Malicious print job (Score:2)
I take it they're talking about using maliciously-crafted print jobs to exploit vulnerabilities.
Because every networked office printer should have its administrative interfaces password-locked and, if possible, be behind an lprng server.
This is so 20th century ! (Score:2)
http://www.amazon.com/Stealing-Network-How-Own-Box/dp/1931836876/ [amazon.com] ... from 2003!
Chapter 4
Come on guys...
A Fuser Drying Ink?!?!?!?! (Score:2)
Arrrrrrgh... no it doesn't.. Go back to printer school 101 and try again.
Ignorance at this level is unbelievable, and unacceptable.
Talk about hot off the presses (Score:2)
sigh. nothing to see here. move along .. (Score:2)
this has been a possibility for quite some time (in the tens of years) - having worked in said industry many years ago. I suspect that these 'researchers' finally realized this, and needed some press in our economic downturn. Anything that is connected to 'them there intertubes' could, in theory (and likely in practice) be 'the next vector'.
Please note this (Score:2)
From TFA:
There are plenty of points of contention between HP and the researchers, however. Moore, the HP executive, said the firm’s newer printers do require digitally signed firmware upgrades, and have since 2009. The printers tested by the researchers are older models, Moore said.
Maybe this means that it isn't much of a problem at least with newer gear?
Re: (Score:2)
Re: (Score:2)
Depends on the model. In most cases, probably you can at least crash the stack and update it that way, but you'd need a huge library of model-specific vectors to do so reliably. Printers are very diverse platforms.
Re: (Score:2)
Someone needs to make a firmware update that eliminates the warning messages about "non-standard" cartridges.
Re: (Score:2)
It should not be possible, but there is a) stupid design and b) vulnerabilities like buffer overflows. Not a surprise this is possible.
Re: (Score:2)
Or open an ftp session to the printer and 'put' the file in the appropriate directory.
Or just netcat the file to ip.of.printer:9100
Re: (Score:2)
Only, very few companies ever bother to password protect their printers because they refuse to consider the risks...
The worst offenders are the larger printers that have a full blown windows box inside, because its a windows box it needs to be managed the same as any other with regular updates and AV... But since its a "printer" it doesn't get managed in the same way all the other windows boxes do, it gets plugged in and never touched ever again.
Other types of printer are no better, just windows boxes are t
Re: (Score:2)
And the motivation of that would be?
To sell you more printer supplies?
Re: (Score:2)
Re: (Score:2)
Visit their pages at Columbia. They have numerous papers on embedded device security. Having someone who is an authority on the subject to do things like serve as expert witnesses, testify to legislative bodies, and advise project managers is worthwhile. Not all "research" has to be astonishingly groundbreaking.
Re: (Score:3)
I think this is ridiculous. They've been talking about "paperless offices" for decades now, and it hasn't happened yet. In fact, there's now tons of low-end laser printers aimed at the home market, costing about $100; this was unheard of 15+ years ago, when laser printers were always quite expensive.
There'll always be things people and businesses will want printers for. Anyone who needs a job has to be able to print a resume, for instance. It doesn't look good going for a job interview and not having a
Re: (Score:2)
They've been talking about it for decades, but it was obvious that there was no way for it to happen back then...
These days, though, Smart Phones provide the last missing piece of the puzzle. Tiny e-Reader in your pocket at all times. Pull it out and look up the info you need, open your e-mail, launch a VNC session, whatever. Now we have a plausible endgame to eliminate 99% of print-outs found in offices, as soon a
Printers are a generally *dying* medium? (Score:2)
Not in the rest of the world. We are printing even more than before all this talk of a 'paperless office' back in the mid 80s first began, and of course that memo was printed and distributed..
At home, perhaps we will see it end sooner, but at the office, people love their paper. ( and i'm not tossing stones.. id rather read a printout then sit and stare at my monitor all day. Far easier on the eyes )
Re: (Score:2)
Re: (Score:2)