Columbia researchers show remote HP printer hijack [video]
Columbia University's Intrusion Detection Systems Lab has found a significant core vulnerability in certain networked HP printers that lets a remote system infiltrate print jobs and remotely inject malware into the printer's firmware that takes control of the machine.
The lab, headed by Professor Salvatore J. Stolfo, has been doing research on the vulnerabilities of embedded systems for the last year, identifying more than 540,000 publicly accessible embedded devices configured with factory default root passwords: this includes routers, VoIP phones, webcams, digital energy systems, and IPTV/Cable boxes.
Networked printers are a part of this environment, and researcher Ang Cui discovered that certain HP LaserJet printers have a critical remote firmware update vulnerability. Stolfo and Cui show how a remote system can take complete control of these printers in the video we've embedded below. It's a definite must-see.
"This work started by looking at printers as a device that could harbor malicious software that could do very bad damage…physical damage, for example. So we attempted to develop malicious software that would make the printer burn," Stolfo says in the presentation. "I can't think of a better way of demonstrating the vulnerabilities that are inherent in printers…the paper only browned rather than burned. Then, however, looking at what was achieved, it became crystal clear that the problem was far worse than burning paper or burning printers. Printers are everywhere, they're reachable through email, through thumb drives, through downloads, any perimeter defenses can be pierced because documents freely flow across perimeters, and documents that are printed to these devices can harbor firmware updates that are entirely stealthy and cannot be viewed. There's just no antivirus software to stop this type of threat."
HP issued a statement following the publicity this story received, downplaying the issue, saying no customer had reported any unauthorized access and that speculation regarding the potential for devices to catch fire due to a firmware change was false.
"HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted," the company said. "In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers."