backtop


Print 24 comment(s) - last by Dorkyman.. on Dec 1 at 11:21 AM


HP says its printers won't catch fire even if maliciously attacked by hackers-- not its current lineup at least. We're seeking clarification about whether all legacy models come with a thermal breaker.
Company admits vulnerability exists, but claims it only affects Macs and Linux machines

Hewlett Packard Comp. (HPQ) fired back after MSNBC covered recent research on a "devastating" printer driven attack.  Conducted by Columbia University, the resarch showed HP printers being forced to overheat after being exploited via a malicious firmware update.  The HP printer in the test attack did overheat but did not catch on fire as the thermal breaker shut down when in sensed the internal temperature rise.  Thus the paper was browned, indicating high temperature near-combustion reactions, but no full combustion and no blaze.

HP was upset, apparently at the Columbia University researchers' claim that some HP printers might lack the thermal breaker and completely catch on fire.  They were also upset about the allegation that Windows users might be vulnerable to the exploit.  The attack was done on a Linux machine, and HP states that it believes that only Macs and Linux machines are vulnerable to the attack.

HP writes to us in a tersely worded email:

Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false. 

HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.

While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

HP will continue to educate customers about security risks and the features available to address them, and take proactive steps to maintain the security of devices in the field. HP Imaging and Printing Security Solutions work directly at the device and on the network to protect information at rest and in motion, and to prevent unauthorized access. 

In other words, HP admits that its printers could, in theory, be taken over by hackers, but it doesn't believe that to have happened yet and it doesn't believe its printers are capable of catching on fire sort of takeover scenario.

While most of its commentary does sound about right, there's a couple of outstanding issues here.  First, HP suggests that "HP LaserJet printers have a hardware element called a 'thermal breaker'."

The issue here is the word "have", as in the present tense.  It is unclear when this became standard across HP's lineup.  We're reaching out to HP to find out.

---------------------------------------------------------------------------------------------------------
Edit (6:09 p.m.) : 
A 1996 book on printer repair indicates that series thermiresistors (aka the "thermal breaker") are standardly used in series with the fuser elements in printers.  It's unclear what Columbia University/MSNBC meant by claiming that some models could be vulnerable to fire.  It is possible that they were unaware of this design paradigm and still haven't figured it out.
---------------------------------------------------------------------------------------------------------

The second issue is HP's portrayal of this as an attack that's only possible if the printer is a Linux/Mac machine "placed on a public internet" or the attempt is made by "a trusted party on the network".  While this is technically accurate, it fails to mention that all it would take to carry out the assault on a local corporate network would be one hijacked Mac/Linux box with print permissions.  The jacked box would be able to scan for local printers or looked at saved settings and ID target HP printers.  

Depending on how tight the IT monitoring was, the attacker could even install a Linux partition or virtual machine on a Windows box to complete the attack, assuming no compromised Linux/Mac machines were available.  Likewise with a Windows-connected internet printer, even if Windows itself was not vulnerable, an attacker could gain access to the system in other ways and then install a Linux partition and boot to it, accessing the printer in that manner.

Of course these attacks would require a fair level of sophistication, so it's hardly the kind of thing your average SQL injection "script kiddies" could pull off.  At this point such attacks seem unlikely to happen, unlikely more so to happen very often.  But there have been surprisingly sophisticated in-the-wild exploits in the past both from private sector black hats and by nation state players, and when you add in the potential for terrorism, it's not entirely unfeasible that an attack on an unpatched machine could occur, given HP's market prevalence as the world's biggest manufacturer of printers.

HP -- whether it likes it or not -- better react quickly with all its available partners to patch the issue on all legacy printers.  Because god forbid if terrorists or cybercriminals did steal someone's identity or set their printer on fire via malformed firmware updates, HP would see worlds more negative PR than it's seeing now.

Thus while getting the right story out there is important -- and still a work in progress for MSNBC, HP, and Columbia University, all of whom are probing the full extent of this set of vulnerabilities -- it's equally important that story is out there.  Because given the media scrutiny, the issue now becomes one HP is forced to fix immediately.

Secunia back in August reported that numerous HP Photosmart printers were subject to potential remote attacks by malicious users'.  In its security advisory Secunia writes:

Some vulnerabilities have been reported in multiple HP Photosmart printers, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, and manipulate certain data.

1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) An unspecified error in the webscan component can be exploited to disclose certain information.

3) An unspecified error in the SNMP component can be exploited to disclose or manipulate certain data.

HP confirmed this vulnerability for numerous models and has released a preventive firmware patch.

Firmware-level attacks have seen growing interest both in the black hat and cybersecurity ("white hat") communities, although attacks in the wild using such sophisticated exploits remain almost nonexistent.

Source: (email)



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Humans Have Butts...
By dashrendar on 11/29/2011 5:15:08 PM , Rating: 5
quote:
While most of its commentary does sound about right, there's a couple of outstanding issues here. First, HP suggests that "HP LaserJet printers have a hardware element called a 'thermal breaker'."

The issue here is the word "have", as in the present tense. It is unclear when this became standard across HP's lineup. We're reaching out to HP to find out.


When I read "HP LaserJet printers have a hardware element called a 'thermal breaker'" I understand it as all LaserJet printers, past and present. Not just present.

My car has tires. Humans have eyes.

Is my grammar f*ed up or is Jason's?

By the way, I don't disagree with your point regarding when it became a standard. I just don't see the present tense thing being the hint.




RE: Humans Have Butts...
By JasonMick (blog) on 11/29/11, Rating: -1
RE: Humans Have Butts...
By MrTeal on 11/29/2011 5:45:06 PM , Rating: 2
Why are you pretty sure that the pretty old models don't have a thermal breaker?


RE: Humans Have Butts...
By seamonkey79 on 11/29/2011 5:56:29 PM , Rating: 2
I think I would assume they have had them from day one simply because of the amount of heat that extended bouts of printing would have been creating even 27 years ago... seems to me that keeping them from bursting into flames through software would have been more difficult back then with the (lack of) processing ability in computers and the internal processors in the printer, and so it would be even more required that the printer have a thermal breaker to keep it from damage/fire.


RE: Humans Have Butts...
By JasonMick (blog) on 11/29/2011 6:14:02 PM , Rating: 3
quote:
Why are you pretty sure that the pretty old models don't have a thermal breaker?

I'm thinking that I probably was wrong. I checked with a couple printer repair books from the 1990s and saw that themistors were standard. I took apart an HP printer with a bad fuser back around 2004 and didn't notice one (where my impression came from), but it must have just been hidden in there somewhere.

I'm a bit baffled that a computer science professor at Columbia University wouldn't realize that. You'd think they'd at least research it a bit better before making a bold statement like that, or do like I did -- reach out to HP with a request for technical specifics.

Still the point on information theft (using Linux partitions or VMs) still stands, even if the printer can merely smolder and power off, not catch ablaze.


RE: Humans Have Butts...
By Zoomer on 11/30/2011 12:01:35 AM , Rating: 3
It's pretty much a glorified fuse. Would HP not have added such fuses to a laser printer's very hot fuser?

Are you kidding me?


RE: Humans Have Butts...
By Dorkyman on 12/1/2011 11:21:51 AM , Rating: 3
There's Book Smart and then there's Common Sense Smart. Two different things.

Back before I burned out most of my brain cells I was a student at MIT. I saw a lot of stupid stuff being done. Columbia? Pffft.


RE: Humans Have Butts...
By DopeFishhh on 11/30/2011 10:14:40 AM , Rating: 1
Even with a thermal breaker it got the paper to brown and smoke BEFORE the thermal breaker cut in. All it takes is for a faulty or lower quality breaker to fail to stop it catching. Furthermore Different paper could be in the printer from what they used in this proof of concept that paper could have a lower ignition point.

Also considering they reverse engineered the software to send the commands to overwrite the firmware, its ludicrous to think the same can't be done on a windows environment, even if they have to write half a print spooler to do it once you get onto a windows machine you can probably emulate or create enough of whats missing from the linux/mac version of the exploit.

I don't think this is the end of what you can do with such an exploit, I'd wager that it would be possible to upload firmware onto a printer to make it a zombie machine that is capable of infecting computers on the network. Possibly through an exploit in the printing software or by other exploits over the network.

And finally they focused on HP cos it's the biggest, what about other printer brands? do they even have thermal cut outs?

Only thing preventing this from being a really bad situation is that theres really not much financial incentive for a hacker to burn your house down with a lemon (printer).


RE: Humans Have Butts...
By drycrust3 on 11/30/2011 2:52:22 PM , Rating: 1
quote:
its ludicrous to think the same can't be done on a windows environment

I think it is highly unlikely that this would actually work in the Linux environment. When you consider that the Ubuntu website (https://help.ubuntu.com/community/Linuxvirus) reports a total of 30 known viruses, trojans, worms, etc, all of which predate 2008, and none of them are known to be a problem, then it stands to reason that if someone was going to attack HP printers then they would do it via a Windows XP computer (where the default is the average user has administrative rights) and not via a Linux or BSD based OS (where the default is the average user doesn't have administrative rights).
What this just highlights is the wider issue, which the Stuxnet virus and its variants have already realised (and they don't attack through Linux or Mac's based computers) which is that computers don't just control a screen, a HDD, and a printer, they are often controlling other things, such as security systems, industrial applications, traffic light control systems, and the thousands of computerised bits and pieces that utilities need to function, and that those computerised bits and pieces can also be attacked and destructively disabled.


RE: Humans Have Butts...
By alcalde on 11/29/2011 7:54:44 PM , Rating: 2
I used the original HP LaserJet, and I'd just like to point out that those beasts had parallel printer ports. Back then if you had an internal network it was probably "token ring", not ethernet.

I'm fairly certain that even if very old models didn't have a thermal breaker, they sure as heck didn't have a network-addressable programmable firmware to exploit.


RE: Humans Have Butts...
By Dr of crap on 11/30/2011 9:00:09 AM , Rating: 2
Printer from 1984 won't be on the net as newer models are, and certainly don't get firmware updates.
You do remember 1984?
The internet can about after that, and the printers that had any kind of microprocessor and net access came way after.
So it's only in the last few years that an HP printer COULD have the ability to be taken over.


RE: Humans Have Butts...
By 91TTZ on 11/30/2011 10:17:23 AM , Rating: 2
quote:
You do remember 1984? The internet can about after that, and the printers that had any kind of microprocessor and net access came way after.


Printers had microprocessors on them back then.

Even some cameras had microprocessors in them by the mid 1970's.


RE: Humans Have Butts...
By Dr of crap on 11/30/2011 10:42:12 AM , Rating: 2
Yep, but no wirless printing, no internet access, nothing other than printing, and dot matrix printing as well.
Man those were the days of great printing - huh!


Sensationalist
By artemicion on 11/29/2011 5:24:21 PM , Rating: 4
Gonna have to agree with HP's characterization of this story as sensationalist. Does DailyTech REALLY think a hacker is going to take the time to hijack a mac/linux box to (possibly) start a printer fire?

NEWSFLASH: Researchers discover that hackers can buy $0.10 books of matches at ANY corner store and light your printer on fire! Preliminary research suggests that such an exploit can cause a fire ANYWHERE, not just at your printer, but further research is ongoing...




RE: Sensationalist
By JasonMick (blog) on 11/29/2011 5:31:09 PM , Rating: 1
quote:
Gonna have to agree with HP's characterization of this story as sensationalist. Does DailyTech REALLY think a hacker is going to take the time to hijack a mac/linux box to (possibly) start a printer fire?

NEWSFLASH: Researchers discover that hackers can buy $0.10 books of matches at ANY corner store and light your printer on fire! Preliminary research suggests that such an exploit can cause a fire ANYWHERE, not just at your printer, but further research is ongoing...

As reader in the previous piece pointed out, this could be used by a nation state level actor -- say China -- or a sophisticated enough terrorist group to create chaos in a target nation.

Of course that's unlikely to happen as it would essentially be an act of war for whomever did it, but it's still a dangerous door to leave open regardless of the likelihood of the actual attack or sophistication required.

Unsigned machines should be patched into a signed updates implementation to be on the safe side.


RE: Sensationalist
By VERBW on 11/30/2011 4:03:35 AM , Rating: 2
So you were accused of sensationalism, and your response is to suggest that China might use this in an attack on the US?

Not uhhh... that I disagree with you, but that seems like the definition of sensationalist right there.

Seriously though, if China's idea of a first strike is to set your printers on fire, you can pretty much sell off your military now


Linux/MacOS only?
By bug77 on 11/29/2011 5:28:58 PM , Rating: 2
If I understood correctly, the exploit was that _any_ 3rd party could install a malicious firmware on the printer. How is this limited to Linux and Mac OS?

And while the fire danger may be mitigated, what about the possibility of the printer relaying your documents to the outside world? That's the real danger, the overheating was just for show.




RE: Linux/MacOS only?
By JasonMick (blog) on 11/29/2011 5:39:27 PM , Rating: 2
quote:
If I understood correctly, the exploit was that _any_ 3rd party could install a malicious firmware on the printer. How is this limited to Linux and Mac OS?

This has not been published yet. It's possible Columbia University could publish some information on the attack, but given the potential national security risk even from local network espionage attempts (ignoring the fires aspect), I think the researchers will avoid going into explicit system level implementation details.
quote:
And while the fire danger may be mitigated, what about the possibility of the printer relaying your documents to the outside world? That's the real danger, the overheating was just for show.

Yep. As I wrote here, a vulnerability in HP Photosmart printers was already known since Aug. 2011 that could allow access to your information, with the right attack.

As always it's important that security researchers reveal these vulnerabilities to establish they exist, that journalists cover them to force action to be taken, and for the companies themselves to take that action to mitigate the risk.

Novel/sophisticated attacks are rare, but once in the wild can be hard to stop as people can just reuse tools created by a more savvy hacker.


RE: Linux/MacOS only?
By JediJeb on 11/30/2011 4:16:15 PM , Rating: 2
I don't really understand why that would be a limiting factor also. If the printer is connected directly to an ethernet connection which is openly routed through to the internet, couldn't someone outside the company using a Mac or Linux computer sent a print job straight to the printer to accomplish the hack? If the researchers easily found 40,000 printers available on the internet, then most of those are probably sitting there ready to accept a print job from anyone who can get one through to them.

The big question is who has their printers sitting with open ports on the internet? Also if you have a WiFi printer, could someone sit outside your house and send the hack straight to the printer without the need to access your network at all?


Pointless
By Strunf on 11/30/2011 6:27:32 AM , Rating: 2
What would be the point for a hacker to get access to your network and set your printer on fire? sure we can start fantasizing about a scenario where some communist country would come after the good old US by setting its printers on fire but lets be realist if they get access to your network (since they need it for the printer hack) your printers are the thing you should be the least worried about...




RE: Pointless
By bug77 on 11/30/2011 8:38:28 AM , Rating: 3
If you can break all printers on a competitor's site, the competitor will take a substantial hit.

But again, overheating was just for show, the real danger is someone installing a malicious firmware and redirecting documents sent to print.


Highly improbable situation
By Beenthere on 11/29/2011 8:49:28 PM , Rating: 2
So what we have is a highly improbable hacking situation leading to an even more improbable possibility of a printer burning up. Must have been a slow news day?




Script kiddies
By 91TTZ on 11/30/2011 9:52:03 AM , Rating: 2
quote:
Of course these attacks would require a fair level of sophistication, so it's hardly the kind of thing your average SQL injection "script kiddies" could pull off.


No, once someone writes a script to do all the sophisticated stuff, it makes things like this very easy to do. Then non-technical people are able to take advantage of the vulnerability. Hence, "script kiddies".

I've played with a few such tools in the past and you shouldn't underestimate just how much automation you can program into a script. The end result can be a program as simple as a field with the IP of the printer and a button that says "go".




By WhiteHat1 on 11/30/2011 4:59:52 PM , Rating: 2
HP's response is very "They can break into your house, but they can't steal everything in it." The whole idea of internet-connected printers with apps means they're susceptible to intrusion and that's the main issue at hand here with these printers and many more devices moving forward.




"If you look at the last five years, if you look at what major innovations have occurred in computing technology, every single one of them came from AMD. Not a single innovation came from Intel." -- AMD CEO Hector Ruiz in 2007














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki