It seems computers get all the action when it comes to hackers' target of choice, but that could very well change. According to an exclusive report on MSNBC, unassuming printers could soon become victims of hacking crimes, if they haven't been already, and could even be remotely tampered with to start a fire.
Why have printers been overlooked? MSNBC reports that printers are just like any other device often hooked up to the Internet for convenient use. It's this Internet connection that makes them vulnerable. Researchers at Columbia University, working under government and industry grants, found flaws in some Hewlett-Packard LaserJet printers, which MSNBC reports could be on other printers too, that would allow hackers to steal information and attack "otherwise secure networks" and cause physical damage.
[...] the Columbia researchers say the security vulnerability is so fundamental that it may impact tens of millions of printers and other hardware that use hard-to-update “firmware” that’s flawed.
"The problem is, technology companies aren't really looking into this corner of the Internet. But we are," said Columbia professor Salvatore Stolfo, who directed the research in the Computer Science Department of Columbia University’s School of Engineering and Applied Science. “The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.”
Printer security flaws have long been theorized, but the Columbia researchers say they've discovered the first-ever doorway into millions of printers worldwide. In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.
Cui and Stolfo say they've reverse engineered software that controls common Hewlett-Packard LaserJet printers. Those printers allow firmware upgrades through a process called "Remote Firmware Update." Every time the printer accepts a job, it checks to see if a software update is included in that job. But they say printers they examined don't discriminate the source of the update software – a typical digital signature is not used to verify the upgrade software’s authenticity – so anyone can instruct the printer to erase its operating software and install a booby-trapped version.
According to MSNBC, the attack only takes about 30 seconds to do and is hard to detect unless the actual computer chip within the printer is taken out and examined. All the hackers have to do is send an infected print job to the printer that causes the printer's firmware to be upgraded.
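The check the researchers say is missing, verifying a digital signature before any update carried in a job is flashed, is sketched below as an added example; it is not code from HP, the researchers or MSNBC. The job layout (`update`, `sig`), the function names and the demo key are assumptions, and the key is built from two publicly known primes so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac

# Constructed demo key made from two publicly known primes: it protects nothing.
# A real vendor key is random and its private half stays on the signing system.
P = 2**255 - 19
Q = 2**256 - 2**32 - 977
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (vendor side only)
KEY_BYTES = (N.bit_length() + 7) // 8  # 64 bytes for this modulus

# DER prefix of a SHA-256 DigestInfo (PKCS #1 v1.5, RFC 8017 section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), KEY_BYTES long."""
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (KEY_BYTES - len(t) - 3) + b"\x00" + t

def vendor_sign(image: bytes) -> bytes:
    """Vendor side: sign a firmware image with the private exponent."""
    m = int.from_bytes(_encode(image), "big")
    return pow(m, D, N).to_bytes(KEY_BYTES, "big")

def verify_update(image: bytes, signature: bytes) -> bool:
    """Printer side: needs only the public values N and E."""
    if len(signature) != KEY_BYTES:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(KEY_BYTES, "big")
    # Compare the whole encoded block, not just the trailing hash bytes.
    return hmac.compare_digest(recovered, _encode(image))

def handle_job(job: dict, require_signature: bool = True) -> str:
    """Hypothetical dispatcher; job is {'update': bytes or None, 'sig': bytes}.
    require_signature=False models the behaviour the researchers describe."""
    image = job.get("update")
    if image is None:
        return "printed"               # ordinary job, no update inside
    if require_signature and not verify_update(image, job.get("sig", b"")):
        return "rejected"              # unsigned or altered image is never flashed
    return "flashed"
```

With `require_signature=False` the dispatcher flashes whatever image a job carries; with the check enabled, only an image signed by the holder of the private key gets through.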
The hack has the ability to affect both office and at-home printers, though home printers less so as they often have to be hooked up via USB connection. MSNBC reports that a quick scan revealed 40,000 printers that are unprotected and open to Internet attack.
The researchers are reported as saying that fixing this flaw will be challenging and printers that could have already been exploited may not be able to be fixed at all:
“If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective. Once you own the firmware, you own it forever. That’s why this problem is so serious, and so different,” Cui said. “This is nothing like fixing a virus on your PC.”
Such inability to help consumers manually secure their printers could ultimately have disastrous consequences, Stolfo said.
“It may ultimately lead to telling everyone they just have to throw their printers out and start over,” he said. "Fixing this is going to require a very coordinated effort by the industry," Stolfo said.
In addition to looking at other brands of printers for vulnerabilities, the researchers said they are going to begin looking for flaws in other devices that have an Internet connection, such as DVD players and other household items:
“This is a whole area that is being ignored,” Stolfo said. “While most folks are focused on applications, there is a comfort level with (embedded systems) that is nonsensical. There's no focus on the security of these devices we take for granted and we carry into secure environments every day.”
MSNBC reports Keith Moore, chief technologist for HP's printer division, as not being too concerned over the potential for this hack to occur in the real world but that the company "takes this very seriously." HP is currently looking into the claims. MSNBC points out several areas of contention between HP and the researchers over issues like whether this hack could really take place through a regular print job, as legitimate updates are sent in "specially-crafted files" to the printer, and Moore says the company requires digitally signed updates.
So, when The Office's Andy Bernard claims that the smoking office printer is due to lack of adhering to safety regulations, could it be the printer was really hacked?