Your Printer Could be the Next Target of a Hack
- Posted on November 29, 2011 at 3:17pm by
Liz Klimas
- Print »
- Email »
Andy Bernard on "The Office" had to deal with a printer fire. (Photo: NBC)
It seems computers get all the action when it comes to hackers’ target of choice, but that could very well change. According to an exclusive report on MSNBC, unassuming printers could soon become victims of hacking crimes, if they haven’t been already, and could even be remotely tampered with to start a fire.
Why have printers been overlooked? MSNBC reports that printers are just like any other device often hooked up the the Internet for convenient use. It’s this Internet connection that makes them vulnerable. Researchers at Columbia University, working under government and industry grants, found flaws in some Hewlett-Packard LaserJet printers, which MSNBC reports could be on other printers too, that would allow hackers to steal information and attack “otherwise secure networks” and cause physical damage.
MSNBC continues:
[...] the Columbia researchers say the security vulnerability is so fundamental that it may impact tens of millions of printers and other hardware that use hard-to-update “firmware” that’s flawed.
[...]
“The problem is, technology companies aren’t really looking into this corner of the Internet. But we are,” said Columbia professor Salvatore Stolfo, who directed the research in the Computer Science Department of Columbia University’s School of Engineering and Applied Science. “The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.”
Printer security flaws have long been theorized, but the Columbia researchers say they’ve discovered the first-ever doorway into millions of printers worldwide. In one demonstration of an attack based on the flaw, Stolfo and fellow researcher AngCui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.
[...]
Cui and Stolfo say they’ve reverse engineered software that controls common Hewlett-Packard LaserJet printers. Those printers allow firmware upgrades through a process called “Remote Firmware Update.” Every time the printer accepts a job, it checks to see if a software update is included in that job. But they say printers they examined don’t discriminate the source of the update software – a typical digital signature is not used to verify the upgrade software’s authenticity – so anyone can instruct the printer to erase its operating software and install a booby-trapped version.
Columbia University researcher Ang Cui demonstrates the printer hack. (Photo: Columbia University via MSNBC)
According to MSNBC, the attack only takes about 30 seconds to do and is hard to detect unless the actual computer chip within the printer is taken out and examined. All the hackers have to do is send an infected print job to the printer that causes the printer’s firmware to be upgraded.
The hack has the ability to affect both office and at home printers, though home printers less so as they often have to be hooked up via USB connection. MSNBC reports that in a quick scan revealed 40,000 printers are unprotected printers and open to Internet attack.
The researchers are reported as saying that fixing this flaw will be challenging and printers that could have already been exploited may not being to be fixed at all:
“If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective. Once you own the firmware, you own it forever. That’s why this problem is so serious, and so different,” Cui said. “This is nothing like fixing a virus on your PC.”
Such inability to help consumers manually secure their printers could ultimately have disastrous consequences, Stolfo said.
“It may ultimately lead to telling everyone they just have to throw their printers out and start over,” he said. “Fixing this is going to require a very coordinated effort by the industry,” Stolfo said.
In addition to looking at other brands of printers for vulnerabilities, the researchers said they are going to begin looking for flaws in other devices that have an Internet connection, such as DVD players and other household items:
“This is a whole area that is being ignored,” Stolfo said. “While most folks are focused on applications, there is a comfort level with (embedded systems) that is nonsensical. There’s no focus on the security of these devices we take for granted and we carry into secure environments every day.”
MSNBC reports Keith Moore, chief technologist for HP’s printer division, as not being too concerned over the potential for this hack to occur in real world but that the company “takes this very seriously.” HP is currently looking into the claims. MSNBC points out several areas of contention between HP and the researchers over issue like whether this hack could really take place through a regular print job, as legitimate updates are sent in “specially-crafted files” to the printer, and Moore says the company requires digitally signed updates.
So, when The Office’s Andy Bernard claims that the smoking office printer is due to lack of adhering to safety regulations, could it be the printer was really hacked? Watch the clip:
[H/T Gawker]
Comments (9)
Sign In To Post Comments! Sign In
Popular Stories
Paper Details Obama Admin’s Alleged Secret Note Sent to Iran: If Israel Attacks, We Won’t Get Involved 598 Comments
This Is the Creationists‘ Response to Scientist Bill Nye’s Viral Pro-Evolution Video Claiming They Harm Children 420 Comments
‘Made Up Religion’: TV Historian Enrages Muslims, Receives Threats After Producing UK Documentary Questioning Islam’s Beginnings 415 Comments
President Obama Issues Major ‘Green Energy’ Executive Order 393 Comments
Roseanne Barr: Most Billionaires ‘Violent Pedophiles’ & ‘Heartless’ Cocaine Addicts 378 Comments
Faith
Arab-Muslim Character to Join DC Comics‘ ’Green Lantern’ Series Read More- This Is the Creationists‘ Response to Scientist Bill Nye’s Viral Pro-Evolution Video Claiming They Harm Children 420 Comments
Pakistani Muslim Cleric Accused of Framing Disabled Christian Girl in Koran-Burning Case Read More- ‘Made Up Religion’: TV Historian Enrages Muslims, Receives Threats After Producing UK Documentary Questioning Islam’s Beginnings 415 Comments
Meet the Controversial German Imam Accused of Brutally Beating His Wife & Pushing Sharia Law Read More
Business
- President Obama Issues Major ‘Green Energy’ Executive Order 393 Comments
- Germany’s Upcoming Court Ruling Will be Huge for the EU Read More
Ford Looks to Beat Toyota for Best-Selling Car in 2012 With This Model 151 Comments
Bernanke & QE3: Here’s What You Need to Know 100 Comments- ‘Extortion’: Why Did the Labor Department ‘Drop the Hammer’ on Oregon Farmers? 303 Comments
Technology
- This Is the Creationists‘ Response to Scientist Bill Nye’s Viral Pro-Evolution Video Claiming They Harm Children 420 Comments
‘TaserDrone’: Hackers Weaponize Quadcopter With Actual ‘Shocking’ Technology Read More
Ever Heard of the Wild ‘Burning Man’ Festival in the Middle of the Nev. Desert? Here’s Your Primer Read More
Stanford Develops Technology ‘Better Than Steroids’ for Athlete Recovery Read More
Have You Pretended to Know What ‘the Cloud’ Is? You’re Not Alone Read More
Submitting your tip... please wait!
SergeantMajor
Posted on December 1, 2011 at 8:51amBeing a network security professional I can tell you that printer hacking in nothing new. Personally, I doubt that merely sending a print job to a printer can result in re-flashing the printer OS. That being said, it is relatively easy to replace the OS on a printer if the device is not configured properly – as most are not, but not through a print job.
More often, printers are used by hackers as data repositories – many printers have storage space that can be used as local storage on your network for hackers to use for whatever they desire. The other – probably more serious issue is that many printers store print jobs locally and those jobs can be retrieved by the bad guys if the printer is network connected. Have you ever printed something sensitive? Watch out – it could be retrieved by a hacker long after you sent it to the printer :/
Report Post »Stoic one
Posted on November 30, 2011 at 3:16pmHMN……….. potential challenge. As more objects are being connected to the web, these folks may have a valid point.
Report Post »Chucktowner
Posted on November 30, 2011 at 7:57amMr. Fitnah,
“Nah I know enough about how machines work to know the fuses are hard and not subject to internet commands.”
I am afraid you are confusing Fuses with Fusers. I will assume that you were just busy and did not really read or comprehend this story.
A fuse is an electrical component designed to fail to prevent damage. You cannot “HACK” a fuse.
A Fuser in a printer is a heating element with a firmware controlled / regulated thermostat. If the firmware tells the fuser to heat to its highest setting, that is exactly what it will do.
Report Post »Lee_in_PA
Posted on November 30, 2011 at 7:16amWhat will unpluging the printer do for protection? Disconnect it from the USB too. I turn everything off when we are done with the PC. Takes a few minutes longer to start up in the morning, but no firemen visit overnnight. Seems to work for us.
Report Post »Rowgue
Posted on November 30, 2011 at 5:56amThe printer is using the same connection your computer is. If they’ve already gotten into your network they already have access to your computer, your printer is the least of your worries.
Report Post »Brooke Lorren
Posted on November 30, 2011 at 1:53amI guess it‘s a good thing that my printer’s internet connection doesn’t seem to work. I went through one house fire a few years ago and that was enough. Maybe the hackers would figure out how to get it working though…
Report Post »Searchingforthelight
Posted on November 29, 2011 at 7:53pmI say enjoy my kids homework, I do.
Report Post »Mr.Fitnah
Posted on November 29, 2011 at 5:52pmNah I know enough about how machines work to know the fuses are hard and not subject to internet commands .I calling pinhead academic BS on this one.
Report Post »82dAirborne
Posted on November 29, 2011 at 8:54pm@Mr.Fitnah
I disagree. I have worked with computers and related hardware since a “fast” dot-matrix printer was the THING. Two things limit laser printer speed: 1) The mechanics & (2) The fuser. The fuser has to have recycle time to cool or bingo -> heat buildup. A lot of heat. A fire isn’t very likely but it isn’t impossible.
All of the details aside; no one should be able to take control of your hardware or mine!!! Hackers are ALWAYS one step ahead of the white hats & the companies. That’s why they are called hackers.
Report Post »