
Hackers Can Make HP Printers Catch Fire!! Well, Singe Paper...

Discussion in 'News' started by qubit, Dec 8, 2011.

  1. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,819 (4.22/day)
    Thanks Received:
    3,468
    Researchers at Columbia University have investigated the security of HP network printers and have found them wanting. The basic problem is the complexity of the devices and the fact that the authenticity of firmware updates for these devices isn't checked by using a digital signature.

    MSNBC published an exclusive story, explaining how by using a hacked computer, the researchers could make their test printers do various nasties, such as continuously heat the fuser unit until the paper singed, at which point the printer shut off due to the built-in safety device, a thermal switch which cannot be overridden by software. They could also be programmed to spread viruses, which would be very dangerous, as these attacking printers would be within the firewall perimeter, allowing them unrestricted access to the soft underbelly of the network. And as the MSNBC article put it so well: "Few companies are prepared to protect themselves from an attack by their own printer." Quite, seems ridiculous at first sight, doesn't it?

    The researchers focused on HP printers, which are by far the most popular brand out there, but say that there are similar vulnerabilities within all devices which employ embedded networked computers, leaving them wide open to attack, hence the industry should wake up to this threat and fix their systems before hackers start to exploit these for real. HP for their part, played down the overall threat and disagreed on several points made by the researchers.

    Also, the attacks were carried out using Linux and Mac computers and the suggestion seems to be that it's somehow harder to do with a Windows computer. There's a lot more detail at the MSNBC article and readers are encouraged to check it out.
  2. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,819 (4.22/day)
    Thanks Received:
    3,468
    Thanks to 95Viper for the tip. :toast:
    95Viper says thanks.
  3. ironwolf

    Joined:
    Apr 6, 2011
    Messages:
    247 (0.22/day)
    Thanks Received:
    31
    Location:
    Pensacola, FL, USA, Earth
    Anyone else see the irony in that? :laugh:
  4. erocker

    erocker Super Moderator Staff Member

    Joined:
    Jul 19, 2006
    Messages:
    39,138 (13.83/day)
    Thanks Received:
    13,586
    Nah, flashing a firmware doesn't take much of an O/S. Most of the time you don't need an O/S to flash firmware.
    95Viper says thanks.
  5. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,819 (4.22/day)
    Thanks Received:
    3,468
    I certainly did - that's why I made absolutely sure to put it in. :D Glad you liked it.

    True. The article simply said that the researchers disagreed on which was the more vulnerable platform, Linux/Mac or Windows, without elaborating. I think it's an important point and should have been elaborated.
    Last edited: Dec 8, 2011
  6. ironwolf

    Joined:
    Apr 6, 2011
    Messages:
    247 (0.22/day)
    Thanks Received:
    31
    Location:
    Pensacola, FL, USA, Earth
    Sorry boss, the printer shutdown and I couldn't print those reports, I swear!
  7. v12dock

    v12dock

    Joined:
    Dec 18, 2008
    Messages:
    1,509 (0.77/day)
    Thanks Received:
    286
    Who is the Whistleblower

    Kudos to anyone who gets my reference
  8. Completely Bonkers New Member

    Joined:
    Feb 6, 2007
    Messages:
    2,580 (0.98/day)
    Thanks Received:
    516
    No, we DON'T want certificate signed firmwares! Just imagine... NO MODDING the firmware on your GPUs or your PC BIOS!

    If a "hacker" can get into a corporate LAN so easily, then I'm more worried about data security issues than a few printers overheating. And rather than fiddle with overheating, why not just do a remote print run and print off a 1000 pages of pr0n or wikileaks? Far more problematic than a printer under blanket corporate IT insurance.

    If the "hacker" is an internal, i.e. employee, then what else are they up to? If they want to cause damage, they can drop their laptop or put paperclips in the fuser.

    NONSTORY
    yogurt_21 says thanks.
  9. erocker

    erocker Super Moderator Staff Member

    Joined:
    Jul 19, 2006
    Messages:
    39,138 (13.83/day)
    Thanks Received:
    13,586
    We already have them.
  10. Kreij

    Kreij Senior Monkey Moderator Staff Member

    Joined:
    Feb 6, 2007
    Messages:
    13,881 (5.28/day)
    Thanks Received:
    5,610
    Location:
    Cheeseland (Wisconsin, USA)
    Why don't the "researchers" at Columbia University do something useful, like figure out how to save us money by creating quality printout while using less toner, instead of overheating fusers with firmware hacks?
  11. Completely Bonkers New Member

    Joined:
    Feb 6, 2007
    Messages:
    2,580 (0.98/day)
    Thanks Received:
    516
    Let me rephrase what I said earlier if my point wasn't clear. Certificate signed firmware is great so that you can check the legitimacy of the firmware file before committing it to the hardware. But at the same time, being able to install uncertified firmware with a warning sign that we can still accept is what allows us to make bios and firmware tweaks. But RESTRICTING a device to ONLY accept certificate firmware will stop BIOS tweaking/modding opportunities. No more BIOS editors, no flashing edited BIOS etc.
  12. 95Viper

    95Viper

    Joined:
    Oct 12, 2008
    Messages:
    4,185 (2.08/day)
    Thanks Received:
    1,493
    Location:
    στο άλφα έως ωμέγα

    :laugh::toast:

    Other devices, too, are possible. :eek:

    More Press and probably got fed funding for the study they did.:)
    Chevalr1c and qubit say thanks.
  13. qubit

    qubit Overclocked quantum bit

    Joined:
    Dec 6, 2007
    Messages:
    9,819 (4.22/day)
    Thanks Received:
    3,468
    Quite. Reading between the lines of that MSNBC article, I get the impression that the researchers are trying to make a name for themselves. While what they're reporting is all true, 99% of these printers are sitting inside the corporate network which will have its own defences, so it's a matter of "weighting" for this problem. It looks like they have to infect a PC first within that network, before they can nail the printer, so it takes a double effort to do this, which reduces the chances considerably of such an attack.

    Of course, you do get printers and other systems that are directly connected to the internet and these are much more at risk.

    One big hint that the problem isn't so bad? These vulnerable devices have been around for the last 15 years or so, so you'd think that the criminal malware writers would have exploited them widely by now if it had been profitable for them to do so.

    You cynic! :laugh:
    95Viper says thanks.
  14. Completely Bonkers New Member

    Joined:
    Feb 6, 2007
    Messages:
    2,580 (0.98/day)
    Thanks Received:
    516
    Wall of cynicism


    Er, time for me to go to bed!
    Last edited: Dec 9, 2011
    95Viper and qubit say thanks.
  15. A Cheese Danish

    A Cheese Danish

    Joined:
    Nov 18, 2006
    Messages:
    2,957 (1.09/day)
    Thanks Received:
    412
    Location:
    your local vending machine
    So that's why I've had to replace so many fusers at work :rolleyes:
  16. Rhyseh

    Joined:
    Jul 3, 2008
    Messages:
    73 (0.03/day)
    Thanks Received:
    17
    Printer hacking has been a pretty known security hole for many years. Simply securing your printer with a password will prevent many attacks, also changing SNMP . However if you want to have a play on your own printer there's an article dating back to 2005 that details many printer exploits and how to perform them. Many of them no longer work, but many are still current:

    http://www.irongeek.com/i.php?page=security/networkprinterhacking

    Last update was four years ago but there is still a lot of useful information in there for Sys Admins.
  17. ensabrenoir

    ensabrenoir

    Joined:
    Apr 16, 2010
    Messages:
    1,094 (0.75/day)
    Thanks Received:
    163
    Who thought of this? Man.... thin line between genius and madness...
  18. Mussels

    Mussels Moderprator Staff Member

    Joined:
    Oct 6, 2004
    Messages:
    41,681 (11.97/day)
    Thanks Received:
    9,210
    using a printer to spread viruses... ack, when dumb devices can be used to spread malware, we're in trouble - because they're also too dumb/low powered for anti virus.
  19. Drone

    Drone

    Joined:
    Sep 1, 2010
    Messages:
    2,340 (1.76/day)
    Thanks Received:
    1,057
    Location:
    Hell
    Wasn't it in the news 2 or 3 weeks ago? :confused:


    The problem is they should make firmware digitally signed, and it'd be even better if firmware could be updated only locally
  20. W1zzard

    W1zzard Administrator Staff Member

    Joined:
    May 14, 2004
    Messages:
    14,544 (4.01/day)
    Thanks Received:
    11,217
    who has digitally signed firmware and enforces it ? (other than apple)
    there is firmware that has a checksum to protect against transmission error, but i can't think of much that is protected against attacks from evil people(tm)
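
The checksum-versus-signature distinction raised in the post above, and the enforce-versus-warn policy question from post 11, as an added example that is not part of the thread. HMAC-SHA256 stands in for a real digital signature (a real device would hold only the vendor's public key); every name, key and payload here is constructed for illustration.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demo key. HMAC-SHA256 stands in for a real signature check here;
# an actual device would hold only the vendor's public key, never a secret.
VENDOR_KEY = b"constructed-vendor-key"

def package_checksum(payload: bytes) -> bytes:
    """Payload followed by its CRC32: no secret, anyone can produce it."""
    return payload + struct.pack(">I", zlib.crc32(payload))

def package_signed(payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Payload followed by a 32-byte tag only the key holder can produce."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def accept_checksum(image: bytes) -> bool:
    """Catches transmission errors; says nothing about who built the image."""
    if len(image) < 4:
        return False
    return struct.pack(">I", zlib.crc32(image[:-4])) == image[-4:]

def accept_signed(image: bytes, key: bytes = VENDOR_KEY, policy: str = "enforce") -> str:
    """Return 'install', 'install-with-warning' or 'reject'.

    policy='warn' models the override-with-warning option raised in the thread.
    """
    if len(image) >= 32:
        expected = hmac.new(key, image[:-32], hashlib.sha256).digest()
        if hmac.compare_digest(image[-32:], expected):
            return "install"
    return "install-with-warning" if policy == "warn" else "reject"

def demo() -> dict:
    genuine = b"constructed firmware payload v1"
    rebuilt = b"constructed firmware payload, third-party build"
    damaged = bytearray(package_checksum(genuine))
    damaged[0] ^= 0x01  # single bit flipped in transit
    other = package_signed(rebuilt, key=b"someone-else")
    return {
        "crc_genuine": accept_checksum(package_checksum(genuine)),
        "crc_damaged": accept_checksum(bytes(damaged)),
        "crc_rebuilt": accept_checksum(package_checksum(rebuilt)),
        "signed_genuine": accept_signed(package_signed(genuine)),
        "signed_rebuilt_enforce": accept_signed(other),
        "signed_rebuilt_warn": accept_signed(other, policy="warn"),
    }
```

The checksum rejects the image damaged in transit but accepts any image whose builder recomputed the CRC, while the keyed check tells the two apart and leaves the enforce-or-warn decision to policy.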
  21. Drone

    Drone

    Joined:
    Sep 1, 2010
    Messages:
    2,340 (1.76/day)
    Thanks Received:
    1,057
    Location:
    Hell
    What's wrong with that? As if it violates any freedom :rolleyes:

    I'm no Apple fan but I also hate when any son of a bitch can write some malicious driver or firmware to screw things up and can easily spread that shit.
  22. micropage7

    micropage7

    Joined:
    Mar 26, 2010
    Messages:
    5,278 (3.56/day)
    Thanks Received:
    1,195
    Location:
    Jakarta, Indonesia
    cool
    if you hate your boss use that after you go home
  23. Bjorn_Of_Iceland

    Bjorn_Of_Iceland

    Joined:
    Jan 2, 2008
    Messages:
    3,171 (1.38/day)
    Thanks Received:
    375
    doubt if boss uses printers though. They just walk around looking at people's monitors and send memos.
  24. yogurt_21

    Joined:
    Feb 18, 2006
    Messages:
    4,277 (1.43/day)
    Thanks Received:
    537
    lol at the firewall jab.

    If they can get access to your networked printer they've either already gotten around the firewall or they're an internal employee.

    in either of those scenarios there's far worse things they would be doing.
