Hacking HP Printers for Fun and Profit

An MSNBC blog has published the recent findings of a study from Columbia University saying millions of HP printers are vulnerable to a "devastating hack attack".

In essence, the vulnerability is that LaserJet printers made before 2009 (according to HP; InkJet models are not vulnerable) do not check digital signatures before installing a firmware update.  Thus, a specially crafted version of the firmware could be installed remotely by sending a crafted print job that includes the new firmware version.  The researchers demonstrated overheating a fuser to simulate the kind of physical destruction that could occur (it charred the paper, but a safety shut the fuser off before a fire started).  Long story short, for an embedded system (or any system, for that matter), if you can rewrite the operating system you can control the device and make it do all sorts of unintended things.

This isn't the first time HP LaserJet printers have had vulnerabilities, though this is the first time (that I recall, at least) that the firmware has been used to do it.  I think the severity of this vector is somewhat less than portrayed but worth noting, particularly for organizations that operate highly secure environments.

Best practices are likely sufficient to protect against this attack; namely, you should never have printers (or any other embedded device, for that matter) exposed to the Internet.  In theory, you could create malware that infects a PC to then infect a printer, but I would suspect such effort would only be used in rare circumstances.  Additionally, beyond firewalling the device, network traffic to and from the device could be monitored for anything other than print jobs, which should give an indication of a problem.  For instance, any printer initiating an outbound TCP/IP connection is a sign that something is awry.

The study is a helpful reminder that even devices we don't think of as computers can be hacked, do things we don't intend, and compromise our security.

Do you monitor printers or other embedded devices in your environment for compromise or otherwise protect them?  Take the poll and feel free to comment below.

--
John Bambenek
bambenek \at\ gmail /dot/ com
Bambenek Consulting

John

239 Posts
ISC Handler
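The monitoring idea in the diary above (flag printer-initiated connections and anything sent to a printer that is not a print job), sketched as an added example that is not part of the original diary. The printer subnet, the mail relay allowlist entry, the print-port set and the CSV log layout are all assumptions made for illustration, and the log lines are constructed.

```python
import csv
import io
import ipaddress

# Assumed environment for this example (none of these values come from the diary).
PRINTER_NET = ipaddress.ip_network("10.0.5.0/24")            # dedicated printer VLAN
PRINT_PORTS = {515, 631, 9100}                               # LPD, IPP, raw port-9100 printing
ALLOWED_OUTBOUND = {(ipaddress.ip_address("10.0.1.25"), 25)}  # scan-to-email via mail relay

# Constructed sample log: time,src,sport,dst,dport,tcp_flags
SAMPLE_LOG = """\
2011-11-29T09:00:01,10.0.2.14,51234,10.0.5.20,9100,S
2011-11-29T09:00:01,10.0.5.20,9100,10.0.2.14,51234,SA
2011-11-29T09:05:10,10.0.5.21,40022,10.0.1.25,25,S
2011-11-29T09:12:44,10.0.5.20,40100,203.0.113.7,443,S
2011-11-29T09:20:03,10.0.2.99,50888,10.0.5.21,21,S
"""

def review_flows(log_text):
    """Return (time, kind, printer, detail) tuples for traffic that is not a print job."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue                      # skip blank or malformed lines
        ts, src, _sport, dst, dport, flags = row
        if flags != "S":
            continue                      # only a bare SYN shows who opened the connection
        src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if src_ip in PRINTER_NET:
            # The printer is the initiator: suspicious unless explicitly expected.
            if (dst_ip, port) not in ALLOWED_OUTBOUND:
                findings.append((ts, "printer-initiated", src, f"{dst}:{port}"))
        elif dst_ip in PRINTER_NET and port not in PRINT_PORTS:
            # Something other than a print job is being sent to the printer.
            findings.append((ts, "non-print-inbound", dst, f"{src} -> port {port}"))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Administrative access to a printer's web interface from a management host would show up as non-print inbound here; in practice such expected flows get their own allowlist entries.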
I can envision blackhats hacking firmware to create a network backdoor, tunnel, or remote connection to a C and C to provide firewall bypass access later. This could be a covert channel to regain access to a compromised network later, or it could be an insurance policy -- a tunnel in on a device no one would suspect.

Cross-infection from a compromised PC.... OR the intruder is going for a job interview, and utilizes some excuse to get momentary access to a printer.

Another possibility is a hacker finagles an inside connection to someone in the used printer/office equipment business; someone buys the used printer thinking they have a deal, it works normally, but unbeknownst to them, this network printer is carrying a trojan payload with it...
Mysid

146 Posts
Don't forget that you have disk crypto, firewalls, 2-factor and RBAC protecting your most sensitive documents....until you print them. Then the printer just transmits the documents to the web, possibly via the trojan that originally infected it.....nasty.
Simpler things can be a real PITA too - If the printer's stack is too dumb to prevent IP collisions, just changing its IP to match the default gateway can really mess with all the clients on that LAN and can take a while to figure out.
Dom

31 Posts
Actually, as I recall, FX of the Phenoelit group did a presentation about running custom code on certain HP printers back around the 2004 timeframe. As I recall he remotely overwrote the firmware to install a portscanner. I've got a copy of that presentation in a drawer around here somewhere.
Anonymous

Posts
Requiring digital signatures on firmware updates is a great idea, and one that should have been done from the start. But I also find it amazing that firmware updates can be bundled with print jobs by design. Printing documents and reprogramming the firmware are vastly different functions. I understand that having a separate NIC for administering these devices would add expense, but they could at least have separate TCP ports for submitting jobs vs. administrative tasks like overwriting the firmware.

Honestly, this kind of problem has been around for decades and decades... segregation of user and administrative activities should be a no-brainer requirement.
Anonymous

Posts
@Dom De Vitto: Don't forget that you can sometimes FTP into networked smart printers and download documents from (and upload documents to...) the queue's hard drive. It's not often that anonymous FTP is disabled on smart tree killers.
No Love.

37 Posts
I have a Lexmark C530dn laser printer, and you can ftp into it by just hitting CR when it asks for username. Lexmark's printers are Linux based, so given that my firmware dates back to 2007, all the bugs we now know were in the network stack are still in that printer. In all fairness, I do not remember even checking for firmware updates to my printer. :-(
Moriah

133 Posts
Don't forget that this only applies when the default account credentials are *still* in use. Change your administrator password!
Anonymous

Posts
HP has checklists and other tools to secure printers; look at www.hp.com/go/secureprinting.

Anonymous

Posts
See: http://www.securitytracker.com/id/1026357
CVE Reference: CVE-2011-4161
Updated: Dec 1 2011...
... The vendor recommends disabling the 'Printer Firmware Update' feature as described at:
http://h71028.www7.hp.com/enterprise/downloads/HP-Imaging10.pdf
The vendor's advisory is available at:
http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03102449
Last Updated: 2011-11-30
Jack

160 Posts
"For instance, any printer initiating an outbound TCP/IP connection is a sign that something is awry."

Well, I'm not worried when our printer at work initiates a TCP/IP connection... as long as it is an SMTP connection to our mailserver as it is capable of receiving faxes or scanning documents, encoding them into PDF-format and emailing them to specific users... ;)
Per

11 Posts
"FX of the Phenoelit group did a presentation about running custom code on certain HP printers"
I remember it was a good presentation: www.blackhat.com/presentations/win-usa-03/bh-win-03-FX.pdf
Anonymous

Posts
If we must hide these 'smart' network-attached devices behind boxes that filter network traffic at layers 4 through 7, wouldn't we be better off if they'd just been old-fashioned USB/RS232/IEEE1284 peripherals in the first place?
Steven C.

171 Posts
Why the devil can't *all* the security settings be set
with a command line program or via the printer
web interface instead of with Webjetadmin?

Ever try to actually download and install WJA?
You need an HP Passport Login, then you must
fill out a form, then go through HP's "software
delivery" garbage and if you get the wrong version
(32-bit v. 64-bit), you have to do it all over again.

Also, it won't install on XP if you aren't running Windows Installer 4.5.

Oh and it also appears to want to install some
version of MS SQL server. I gave up here.
This is insane.
Anonymous

Posts
