Can HP Printers Be Remote-Detonated?
HP has refuted reports that its Web-connected printers can be hacked by outsiders,stating that no customers have so far ever reported unauthorized access. Its statement is a reaction to findings of researchers at Columbia who've warned that hackers can control Web-connected HP printers to the point of being able to make them catch fire.
Nov 30, 2011 5:00 AM PT
Researchers at Columbia University have demonstrated that a remote firmware update command in some HP LaserJet printers can be hijacked, according to a report from MSNBC. In one case, a hacked printer was reportedly given commands that might cause it to get hot enough to scorch paper loaded in it.
The researchers rewrote a test printer's firmware and said that this would be impossible to detect without removing and examining the device's embedded chips.
Soon after, HP released a statement describing the reporting as "sensational and inaccurate."
No customers have reported unauthorized access so far, HP stated.
"This showcases a problem with embedded systems -- that they can be hacked, and need to be better secured," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
What the Researchers Say
Essentially, the printers demonstrate the vulnerability of embedded systems such as printers and photocopiers, which can be exploited because nobody's really paying attention to embedded devices, according to Columbia professor Salvatore Stolfo, who directed the research.
Stolfo did not respond to our request for comment for this story.
Stolfo and fellow researcher Ang Cui have reportedly reverse-engineered software that controls common HP LaserJet printers so that it will accept software updates from unapproved sources that might send along malware.
Antivirus software apparently cannot scan or fix software running on embedded chips in a printer.
The researchers also ran a demo where documents printed on an infected printer were automatically sent to an unauthorized computer that would then scan the document for critical information, such as Social Security numbers, and automatically Tweet what it found.
They reportedly found 40,000 unprotected printers open to online attacks in a quick scan.
The researchers believe the problem isn't limited to printers from HP alone.
HP Comes Out Swinging
HP said that some HP LaserJets are vulnerable if they're placed on the public Internet without a firewall. On a private network, some printers may be vulnerable if a trusted party on the network tries to modify their firmware.
Also, in some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade, HP said.
HP is building a firmware upgrade to mitigate this issue and will inform customers and partners who might be affected by the vulnerability about this.
The company also directed users to its secure printing website, which has information about how to keep printers secure.
HP spokesperson Ethan Bauley declined to provide further details.
What's the Truth?
Stolfo and Cui have collaborated since at least 2009 on studying the security threat posed by embedded systems. Some of their published papers are listed here.
They're not alone in their belief.
"Devices commonly come with embedded Web server functionality fully enabled, and yet they either have no password, or simply use a default password across all devices," Michael Sutton, vice president of security research at Zscaler ThreatLabZ, told TechNewsWorld in a previous interview.
A Zscaler study came across photocopiers from which documents could be retrieved, scanners that could be operated remotely and telephone systems that permitted eavesdropping, Sutton said, adding that these pose "serious confidentiality issues" for any enterprise.
A Storm In a Teacup?
However, securing embedded devices in the enterprise is relatively easy, Enderle said.
"HP sells printer management software that reports back when a printer's updated, and in an enterprise, an attack like [the one demonstrated by the Columbia researchers] would typically be picked up," Enderle explained.
Small businesses, law offices or remote government offices, where such printer management software is typically not installed, are at risk, Enderle pointed out.