Printer Hack: Researchers Can Set Media’s Pants on Fire

Wednesday, December 07, 2011

Brian Smithson

7ca9cf570bb97d22b119f3a70d335ede

Researchers can set media’s pants on fire! (was Hackers can set printers on fire!)

In the past couple of weeks, there has been quite a bit of press and blogging about a security vulnerability in HP printers that was discovered by researchers in the Intrusion Detection Lab at Columbia University.

In a nutshell, the researchers found a way to replace the operating firmware on an HP printer with firmware of their own design that can do bad things, and they also found a way to do it to a printer that is on a private network behind a firewall.

The media picked up on the story, and with some prompting from the Principal Investigator, blew it way out of proportion to the actual threat.

Let’s look at the whole thing in some detail:

What was reported?

MSNBC ran an “exclusive” story about it calling it a “devastating attack” to which “millions of printers” could be subjected. Its lede suggested that hackers could cause the printer to catch fire, or be used for identity theft, or be used to take control of entire networks.

Fox News upped the ante with an article headlined “Hackers can set your HP printer on fire”, but they subsequently pulled that article and replaced it with an updated article with the headline “HP refutes reports that printers can be remotely set on fire”.

SecurityNewsDaily, which you’d think should know better, posted an article with the headline “Researchers hack printers to spread malware, catch fire”. Later, it updated the article to include some of HP’s statements on the matter, but didn’t change the lurid headline.

Scientific American picked up SecurityNewsDaily’s article, but rather unscientifically didn’t pick up the subsequent update.

DailyTech ran an article that likened this exploit to “flaming Chevy Volts and exploding iPods”, and said that the FBI “is on guard after receiving a debriefing”.

All the while, the blogosphere smoldered with copy-and-paste speculation.

Lastly, HP issued a brief press release refuting the fire hazard but acknowledging the firmware update vulnerability.

What did the researchers actually demonstrate?

You can watch the researchers’ demo video (for Windows, or for Mac), as it is the most primary source of information about what the researchers did. The MSNBC article contains a number of quoted statements from the Principal Investigator which provide additional information.

And I contacted both the researcher and the P.I. and got some additional details, but they wouldn’t tell me everything because they’re planning to disclose it more fully at the Chaos Communications Conference later this month in Berlin.

Here is my understanding of what they were able to accomplish:

  • Reverse-engineered an HP printer so that they could create malicious firmware for it.
  • Used the “remote firmware update” function of HP’s Printer Job Language (PJL) to apply their new firmware to a victim’s printer.
  • Embedded that PJL code in a printable document (I don’t know what format, but probably PDF or PostScript) so that a victim could be tricked into unknowingly applying the firmware update to a printer that is on a private, firewalled network, simply by printing that document.
  • Demonstrated malicious firmware that sends a copy of each document that the victim prints to be printed by another printer outside of the victim’s private network.
  • Demonstrated that they could parse the copied document for a social security number, and then tweeted that number on Twitter.
  • Demonstrated malicious firmware that made an outbound TCP/IP connection to an attacker’s computer and an outbound connection to another computer in the victim’s private network, forming an IP tunnel that could be used to exploit vulnerabilities in the victim’s computer.
  • Demonstrated malicious firmware that caused the fuser (a heating element used to bond toner to the paper) to heat up to the point where the paper started to turn brown and a thermal circuit breaker cut power to the fuser.

What did the researchers say about this?

The P.I., Prof. Salvatore Stolfo, said that this exploit was signfiicant, widespread, and effected millions of printers worldwide.

He speculated that “it is conceivable that all printers are vulnerable”, or at least those that are “3-, 4-, 5-years-old and older”, and that the number of vulnerable printers could be “much more than 100 million”.

He also said that the industry has had “no or very little focus on security of these devices” and “this is a whole area that is being ignored”.

In later comments, Prof. Stolfo said that the media was to blame for the firestorm of scaremongering, but I think his statements quoted in the MSNBC article and in the video tell a different story, not to mention the words “OMG I’m on fire” written on a slightly singed paper in their fuser demostration.

What does it really take to exploit a printer?

In practice, this isn’t an easy vulnerability to exploit on a large scale.

First, you need to target a printer that supports PJL and its largely undocumented remote firmware update (RFU) function. Many printers support PJL, but RFU is less commonly supported. Many printers don’t have any mechanism for remote updates, and many others use something other than PJL’s RFU function for remote updates.

Once you've found a printer that supports PJL and its RFU function, you'll need to make sure that it will apply a firmware update without checking its authenticity. I can’t speak for other manufacturers, but my employer’s products have been using digital signature verification for firmware updates for at least the seven plus years that I have worked for them.

Next, you need to be able to create new firmware to do your bidding. To do that, you need to know what is the manufacturer and model of your target. The researchers demonstrated exploitation of a victim’s printer that was on a private, firewalled network, but didn’t mention how they determined which make and model of printer would be used by a particular victim. They would need to know that in order to send the correct firmware image to the victim.

And then there is the matter of reverse-engineering printer firmware. It is certainly possible, but not very practical when you consider that there are thousands of different printer models to contend with.

The researchers say that “rewriting the printer’s firmware takes only about 30 seconds”, but they are referring to the time it takes for the printer to update its flash memory and not how long it takes for someone to reverse-engineer a printer to do something malevolently useful.

Next, you need to get the victim to print a document that contains the firmware update code, and of course they need to print it on the printer that you targeted. I don’t know if it is possible to embed an RFU in a printable document in such a way that isn’t obvious when the document is viewed, as most people do before they print something. Perhaps they will disclose that detail at the Chaos conference.

Now, finally, you own the victim’s printer.

As for tweeting sensitive information, it’s a cute parlor trick but it assumes that the attacker has foreknowledge that the victim will be printing their social security number.

And now, a little ranting

I am astonished at how uninformed the researchers were about printer exploits. The MSNBC article said that “Printer security flaws have long been theorized, but the Columbia researchers say they’ve discovered the first-ever doorway into millions of printers worldwide.”

Hello? Do they allow these cloistered grad students to use Google as part of their research? PJL exploits have been around for more than a decade. Phenoelit’s Hijetter libraries for PJL exploitation even mention RFU, and they are copyright 2000-2001.

Regarding the researcher’s claims that the industry has little focus on security and needs to “start looking at their security architectures more seriously”, the industry (including HP) developed and published a series of security standards for all kinds of hardcopy devices and many manufacturers have been getting products certified in conformance to those standards by government-licensed independent labs.

But what I think was most irresponsible in this case was that the researchers took their exploit of one model of printer from one manufacturer and, apparently without even a cursory investigation, extrapolated the threat to an entire industry and to “hundreds of millions” of printers, and then fed it to media outlets that are hungry for sensational headlines and scary storylines.

In doing so, I think that the Columbia University researchers discredited their own efforts, and lost the opportunity to make a useful disclosure of a vulnerability that (while not as earth-shaking as setting millions of printers ablaze by remote control) could be used in conjunction with spear-phishing to penetrate a target network and cause real damage.

Note: These are my own opinions. My employer speaks for itself. 

Cross-posted from Grot

Possibly Related Articles:
10854
Enterprise Security
Hardware
Research Vulnerabilities hackers Hewlett Packard Media Multi-Function Printers exploit
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.