Slashdot Mirror
Printers Could Be the Next Attack Vector
New submitter rcoxdav writes "Researchers have found that the upgradeable firmware on some laser printers can be easily updated and compromised. The updated firmware could then be used to do anything from overheating the printer to compromising a network. Quoting: 'In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke. In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.'"
Yeah right, my printer could not possibly bring my networ
http://en.wikipedia.org/wiki/Lp0_on_fire
You have been able to use HP jetdirect printers as an attack vector for decades.
IT seems that Computer security is not remembering how attacks were happening from the 90's and earlier.
Hell you could make Xerox solid ink printers burn the paper by sending them a corrupted PDF. it would stop in mid print with the paper on the drum and under the fixer running full power.
Do not look at laser with remaining good eye.
Like every 3d printer in a major manufacturing installation hacked and reconfigured to manufacture 3d-cast giant cocks ... Can you imagine how will the plant manager feel after ending up with a warehouse full of cocks ?
Read radical news here
A printer was pirating its stuff!
How about a less sensational headline like: "Printer firmware opens attack vector".. or something.
It's not new. Computer hackers have had that ability for decades upon decades. It's called HCF: Halt and Catch Fire.
When our name is on the back of your car, we're behind you all the way!
Depends on the model. In most cases, probably you can at least crash the stack and update it that way, but you'd need a huge library of model-specific vectors to do so reliably. Printers are very diverse platforms.
Someone had to do it.
When I first toyed with Linux in the 90's I smoked a monitor by setting the refresh rate higher than it would support. Whilst it hasn't been possible to do this in many years you could have likewise called that just as much of an attack as this printer issue.
People discover printers, copiers and so on are really just dedicated computers and attack them. If your a professional and your surprised something like this is happening than you've just outed yourself as incompetent.
Why is this a news?
While this may be attractive to drunken programmers, it's not something I expect evul terrerists to perpetrate or nefarious crackers, who are far more interested in stealing your money.
A feeling of having made the same mistake before: Deja Foobar
This has been known and demonstrated since the early 1990s. Moreover, Tom Clancy used this type of attack as plot device in one of his novels, in the 90s.
I've had a working uC-Linux demo for HP Deskjets available for a couple of years now (see my sig.) My intent was to open the systems up for robotics use and give robotics students a system cheap enough to allow them to take their lab projects home with them when the class was over. I don't work on it much anymore, as there hasn't been much interest, and it's boring doing it without any users to support.
I didn't approach lasers mostly because they have less to offer for this purpose, and also due to concerns over the safety issues, but some of the same tricks on my wiki page probably work on the older/cheaper HP personal lasers.
Could a deskjet be made to burn? Well, from playing with the stepper motor in the ink tray, I can definitely get that to heat up pretty good, not to mention draw enough current to force the device to reboot. Not that that was my intent.
I doubt the thermal management on deskjets is as thorough as on lasers, so yes, there's a potential for danger there. While a fusor might have a thermistor, that is only because it is an obvious danger. Sending the right bit pattern into motor drive circuits could heat up components, and AFAICT the only thermometers in the deskjets are far away on the print head daughterboard.
(Not yet published on github is my work on a slightly newer ARM-based copy/printer/scanner where I have a booting kernel already, but the toolchain is very hard to build and USB driver is still very dicey.)
Someone had to do it.
Since we know that darknets of zombie machines are the "in thing", it would seem more obvious for printer hackers to expand such darknets to other devices. The CPU power isn't massive, but you don't need much to be able to send spam, push virus updates to infected machines, etc. Malicious attacks for the purpose of causing actual damage are relatively far and few between compared to hijacking of systems for remote use.
That doesn't mean there are no cases of malicious attacks. Even in situations where I'm sympathetic to the principle espoused, I'd still consider almost all hacktivism to be malicious in nature. (The "almost" is because there are bound to be exceptions to any rule.) Hacktivism has been on the rise, including by nation states, and in some such cases physical damage is already the goal. That is bound to get worse.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
More sensational headlines get more click-throughs. Duh.
Instead of burning the printer, I would more worry about someone logging all the print jobs. Long ago I joked with some coworkers that this wouldn't be too tough on a typical Windows network. Just change your IP address or machine name to match the printer, and you could intercept the jobs. I wanted to insert spelling errors or Dilbert comics into the document. But someone could be malicious and send the information to a competitor or a hedge fund.
The headline from this article sounds like it was randomly generated.
$Device could be the next $scary_phrase!
[Text goes here]
the printer’s fuser – which is designed to dry the ink once it’s applied to paper
Stupid submitter makes my head hurt.
There is no ink in laser printers. There is toner, a bone-dry powder that is fused to the paper by the fuser, generally a very warm cylinder.
Ink-jet printers use ink, but those droplets are so small they dry into the paper without having to be heated.
Facts, use them.
Money for nothing, pix for free
Some of the larger LaserJets supported two JetDirect cards. If you could make a JetDirect card run an OS, I can see a scenario like:
1) Go to company X as printer tech on fake service call
2) Install hacked JetDirect card as secondary device, connect to network
3) ????
4) Profit!
And the motivation of that would be?
To sell you more printer supplies?
Have gnu, will travel.
Would be having it print out big black squares or troll faces until the toner runs out.
At least one HP MFP that I have played with can load a firmware upgrade off a camera flash card. You have to hold a button down during boot, but it would only take a couple minutes of alone time with the device and you wouldn't have to touch the target machine at all. Then all you need is the code to crash the printer driver on the target machine, the code for which is generally not hardened because it expects the printer to behave itself.
Someone had to do it.
Destroy the printer, office space style http://www.youtube.com/watch?v=l0_S_EdZ_I8
Previewing comments are for sissies!
Some of the larger LaserJets supported two JetDirect cards. If you could make a JetDirect card run an OS, I can see a scenario like:
1) Go to company X as printer tech on fake service call
2) Install hacked JetDirect card as secondary device, connect to network
3) ????
4) Profit!
If you can hack a Jetdirect card and gain physical access to the printer, why install a second one? Just upload your hacked firmware to the primary Jetdirect card and you're done. Just have it transparently pass print jobs to the printer while it does whatever nefarious activity you've programmed it to do. No need to hope that your target printer has a second Jetdirect slot, and no need to find a second network port to plug your hacked card into.
Wasn't there a network attached printer that had a small nas device built into it a couple of years ago and the nas contained infected printer drivers? There are all kinds of stories about printers being used as vectors of attack for isolated networks.
I guess this research just goes from the realm of allegory to the realm of reality.
At this point, if you're not treating every device you attach to your network as a potential threat... you're doing it wrong.
Yes Francis, the world has gone crazy.
That means that you can remove a bridge from the system since you could write a firmware image that supported Xorp or Quagga. If a JetDirect card uses chips supported under LinuxBIOS^WCoreboot, then you can load an OS on it.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Visit their pages at Columbia. They have numerous papers on embedded device security. Having someone who is an authority on the subject to do things like serve as expert witnesses, testify to legislative bodies, and advise project managers is worthwhile. Not all "research" has to be astonishingly groundbreaking.
Someone had to do it.
If this vector has been known for so long, why is it still wide open? Why does the HP printer check for firmware updates at the outset of every print job? Why were their printers not verifying digital signatures until just two years ago?
The fact that modern printers are susceptible to this attack is still a cause for alarm.
:(){
Seriously - this is about as big news as saying Windows XP is going to be an increasing attack vector. Printers are a generally *dying* medium. The company where I work (a health insurance company) has put severe restrictions on what you are even allowed to print, and every print job is via secure keycard release - privacy regulations and all - but the main driving factor was actually cost savings - they have a target for our internal operations to be "functionally paperless" by 2014 - meaning the only "paper" printed will be for legal requirements, such as signed contracts, etc. Printers are dying slowly - in 10 years I don't imagine most homes will even have printers anymore - I have a laser printer, and a color inkjet, and both rarely if ever get used. This is all of course just my opinion - feel free to disagree/hate me/show me evidence to the contrary/downvote me/etc
we don't need no water let the motherfucker burn!
https://www.google.com/search?gcx=c&sourceid=chrome&ie=UTF-8&q=hot+printer+sale
Immediately made me think of the story that came up during the First Gulf War of American cyberwarriors doing this to Saddam's printers, putatively with the result that they could read everything his commanders were printing out.
No telling if it was true (and likely it was apocryphal because this is the sort of hack that stays top secret for as long as it works; see the story of the WW1 invisible ink recipe that remained classified for nearly a century), but it was certainly plausible.
It's not that the printer checks for firmware at the outset of every job, it's that there is an interactive interpreter which has at its disposal such handy commands as "udw_write_mem" allowing you to scribble all over the printer's memory space and "udw_srec_upload" which imports an SREC with new firmware and jumps to the provided execute address. Also plenty of things for moving print heads, checking hardware state, and managing nvram variables. So the payload can be embedded anywhere in the print job. FWIW.
Someone had to do it.
If your intranet is so poorly protected that an attacker can access it from the outside, then the printer is not the real problem and I'd almost say you get what you deserve. Make sure you've got an adequate firewall, and password protect your printer.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Ah, thanks for the info.
I'm having a hard time deciding what's worse; constantly checking for updates without user consent (what I initially thought), or the ability for a random print job to scribble all over the printer's memory (what I know now).
I think I'm going to have to go with "scribbling all over the printer's memory". That is freaking scary. And it completely bypasses the digital signature check.
:(){
Someone needs to make a firmware update that eliminates the warning messages about "non-standard" cartridges.
Reminds me of how the Air Force got intel on Iraq during Desert Storm. "Ssh, we secretly switched this laser printer shipment with one that has compromised firmware. Let's see if they notice the Americans are getting a copy of every document it prints!"
Furries make the internet go.
Only, very few companies ever bother to password protect their printers because they refuse to consider the risks...
The worst offenders are the larger printers that have a full blown windows box inside, because its a windows box it needs to be managed the same as any other with regular updates and AV... But since its a "printer" it doesn't get managed in the same way all the other windows boxes do, it gets plugged in and never touched ever again.
Other types of printer are no better, just windows boxes are the most likely to become worm fodder...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
This is why even with IPv6 you may still want to use NAT.
1. to stop people from just scanning the net for printers and wasting ink
2. to make hacks like this harder to pull off.
Or the 3D printers start producing terminators...
It should not be possible, but there is a) stupid design and b) vulnerabilities like buffer overflows. Not a surprise this is possible.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
What is really scary is that in order to come up with a standard format for sending data to printers somebody decided to invent a turing-complete language. That means you can't even examine a set of data being sent to the printer and determine whether it will ever print anything without actually running it.
Not convinced? Try printing some of the files on this page.
My guess is that a standard JetDirect card doesn't have enough horsepower to run a meaningfully hacked firmware image AND still function as a working printer interface.
I'm also wondering if there's not some value to a physically hacked JetDirect card -- whether you hack it totally and replace the PCB with some kind of single board computer that can draw power from the printer and just "looks" like a JetDirect card when installed, or do some kind of hackery to increase memory or flash.
Not only that, but you can keep the old JetDirect card, hack it, and use it for the next printer you attack.
It's worse than that: after seeing this article I checked the firmware on my HP LaserJet 2300 and found it was out-of-date, so I downloaded the new firmware from HP's site and upgraded it. The update procedure was a single command in Linux: "lpr -P HP_LaserJet_2300 firmwarefile.rfu". As soon as the printer received this file over the network, it automatically used it to update itself. There's no security here whatsoever. It wouldn't be hard at all for someone to make a hacked firmware file and make accessible printers accept it; heck, you could probably brick a bunch of printers by making a fake firmware file that looks like a valid one, but has no real code.
http://hardware.slashdot.org/story/10/12/01/1821215/attack-of-the-trojan-printers
Fandroids hate facts.
FWIW, Xerox consistently refers to toner as "dry ink", at least for our printers and copiers.
But dick-waving about the semantics of "ink" is missing the point. A fuser doesn't *dry* the ink/toner. It heats it up until it fuses to the paper. Hence the name.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
More than 15 years ago, there was an HP deskjet (it might have been officejet) that actually did have a heating element under the output tray that was used to help dry the ink. This was the only HP Inkjet printer that I have ever seen with any type of fuser analog. I doubt that the element could start a fire, even if you could force it to be constantly on. Printers of that era didn't even have flash upgradable firmware.
Oops, I should have looked up 'contention' BEFORE I replied to your post! English is not my first language and I started to doubt the meaning of the word after I submitted my comment. My excuses to you sir/ma'am, I thought we disagreed on this, but we don't.
What person will donate an airborne act of love?
Yes I do know what the implications would be. We could have a world that would be SAFE from the vermin that is out to fuck everyone.
I've been a victim of this bullshit and I'm fucking sick of it.
Data breaches happen every day, many, many times a day.
Back in the old days someone had to stick a gun in your face to rob you.
Now, spineless pussies sit in dark, dank basements and rob you with a mouse from halfway around the world or maybe next door to you.
Fuck them. Kill them and put an end to the problem. As they are killed off and the bodies pile up, the others that haven't been killed yet might start re-thinking their priorities and stop this bullshit.
Yeah. I'm pissed. And no, I am not a "bro". I'm a pissed off woman.
I take it they're talking about using maliciously-crafted print jobs to exploit vulnerabilities.
Because every networked office printer should have its administrative interfaces password-locked and, if possible, be behind an lprng server.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
The purpose of the fuser heater/roller is not to dry the toner but to heat the toner to melt it and fuse it with pressure to the paper. It is NOT a drying process.
It is also not liquid INK it is TONER. These are laser printers using a dry process.
I actually invented some of the laser printer toners so I have some familiarity with these issues. I wish the writers would cover their topics better.
Well, there's a bit of security-by-obscurity: the actual driver code for writing to the flash chip is only in the upgrade images, not in the installed firmware. So you'd at least have to figure out what data not to corrupt to keep the flash writing code intact, and adjust the checksum.
Someone had to do it.
The only Google hit on the entire Internet for the terms "udw_write_mem" and "udw_srec_upload" are your own post.
http://www.amazon.com/Stealing-Network-How-Own-Box/dp/1931836876/ ... from 2003!
Chapter 4
Come on guys...
Arrrrrrgh... no it doesn't.. Go back to printer school 101 and try again.
Ignorance at this level is unbelievable, and unacceptable.
---- Booth was a patriot ----
Not in the rest of the world. We are printing even more than before all this talk of a 'paperless office' back in the mid 80s first began, and of course that memo was printed and distributed..
At home, perhaps we will see it end sooner, but at the office, people love their paper. ( and i'm not tossing stones.. id rather read a printout then sit and stare at my monitor all day. Far easier on the eyes )
---- Booth was a patriot ----
Couldn't resist
www.Migrainesoft.com - Computer giving you a headache? We can fix that!
copy /b evilprinterfile lpt1
Or open an ftp session to the printer and 'put' the file in the appropriate directory.
Or just netcat the file to ip.of.printer:9100
Welcome to Crazy Town! Where Weird Things are capitalized, and people have TOO MUCH time on their HANDS
What's a "jump point"?
this has been a possibility for quite some time (in the tens of years) - having worked in said industry many years ago. I suspect that these 'researchers' finally realized this, and needed some press in our economic downturn. Anything that is connected to 'them there intertubes' could, in theory (and likely in practice) be 'the next vector'.
We're like rats, in some experiment! -- George Costanza
From TFA:
There are plenty of points of contention between HP and the researchers, however. Moore, the HP executive, said the firm’s newer printers do require digitally signed firmware upgrades, and have since 2009. The printers tested by the researchers are older models, Moore said.
Maybe this means that it isn't much of a problem at least with newer gear?
Some HP printers' firmware can be upgraded simply by sending the network card an appropriately formated "print job". No authentication is necessary.
I realized this years ago while troubleshooting a printer with an HP technician. HP's own flash upgrade software uses the printer port settings on your local computer, and sends the update via those settings.
It seems any device that can talk to those printers on port 9100 can compromise those printers.
A simple solution would be to require some sort of manual intervention at the control panel to perform firmware upgrades.
My guess is that a standard JetDirect card doesn't have enough horsepower to run a meaningfully hacked firmware image AND still function as a working printer interface.
You've obviously never seen the resulting machine code that the disaster they call a compiler produces. There's plenty of space/wasted CPUs to harvest. The problem of course is the time needed to re-implement everything.
I don't know about the jetdirect, but the deskjets I've worked with were more powerful inside than my first i386 system was. Not to mention they have more IRQ lines and a larger array of precise hardware timers than modern commodity PCs.
Someone had to do it.
Something which can be accessed, exploited, and used to inject packets from a "trusted" inside-the-network IP address, bypassing firewalls and thus allowing you to exploit other machines which would normally be protected.
Even better if it's something that will likely be missed when they notice the infection and try to clean up their network, so that it can re-infect all their computers again afterward.
Take a chill pill, wait a few days, and come back and post when you're not on your period.
I'm the real Vorokrytin P. Winterbuttocks.
Hello?
/me sips his coffee and ponders a new sig...
who did that about once a week. No hacking needed - simple mechanical glitches and design flaws did the job,.I don't know if it had a thermal switch at all, as the room's main fuse used to blow just before "Laser Harris" would catch fire after having lit up all the paper in the sorter. It was quite a vicious construction. It never produced a classic paper jam, but the printed sheets sometimes did not get cleanly ejected but piled up between the outlet and the sorter causing the printer to overheat and finally catch fire. It also had some unshielded metal surfaces that would discharge on me whenever I removed.the paper tray too carelessly.
Oh, the beautiful gloss of greality!