Columbia University researchers claim millions of HP printers could be open to remote attack via unsecured Remote Firmware Updates. Cybercriminals could steal personal information or attack otherwise secure networks. HP agrees there is a theoretical security problem but says no customer has ever reported unauthorized printer access. The company denies some of the claims and is still investigating others.
I’ve seen this on consumer NAS devices too, where the firmware can be flashed over the network without any password at all.
Ideally, all firmware changes would require the administrator password. And a device reset would require a physical button.
The question mark in the article title makes it seem Howard was surprised.
A printer is a network-connected computer like many other devices, and people don’t update their firmware. So what else do you expect?
Here are some presentations on other security problems with printers:
http://www.youtube.com/watch?v=GZgLX60U3sY#t=3m40s
( ShmooCon 2011: Printers Gone Wild! )
http://www.youtube.com/watch?v=MPhisPLwm2A
( ShmooCon 2011: Printer to PWND: Leveraging Multifunction Printers During Penetration Testing )
Another example is that many of these devices have a web interface. Why is that a problem? Well, it is just as much a problem as a web interface on your router.
A website on the Internet could include an image with a URL pointing at your router or printer which tries to change settings on that device. It is very common.
Many routers on sale right now have already fixed their problems. It will take years before printers will get fixed.
This is why I always help people to install NoScript, even if I put the Javascript whitelisting in “globally allow” mode.
It’s got another component named ABE (Application Boundaries Enforcer) which includes a default ruleset to prevent just that sort of thing. (Disallowing access to LAN URLs from a WAN document)
(You can also choose to have the XSS filters, clickjacking protection, and securely-implemented Flash/Java/etc. click-to-play active with “globally allow” chosen)
Actually, you can’t do that with JavaScript. As I mentioned the attacker just places an <img>-tag.
Well, I guess you can do that with JavaScript but it doesn’t have any advantage over using an image.
They might use JavaScript to generate a long list of <img>-tags to try different IP-addresses though.
Just sending a longer HTML page is easy too, of course.
So the only thing you are protecting yourself against in this case is an attacker who expects JavaScript to be available and working.
You misunderstand. NoScript’s name is unfortunate because it hasn’t merely whitelisted Javascript for a very long time.
The ABE module hooks into Firefox’s HTTP subsystem and is capable of inspecting and refusing any request not made completely independently by a plugin like Java or Flash.
By design, it does intercept exploits made using <img> tags, stylesheet <link>s and @imports, and all manner of other mechanisms attackers can imagine.
(Of course, it doesn’t block exploits via Java or Flash-native HTTP, which is why I also use the securely-implemented FlashBlock-like functionality too)
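The ABE rule described above (refuse LAN-bound requests issued by a WAN document, whatever tag triggered them), as an added example that is not NoScript's code or part of the original comments. It classifies hosts from IP literals only, and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Names treated as local without a DNS lookup (assumption for this offline sketch).
LOCAL_NAMES = {"localhost"}

def is_local(url):
    """True if the URL's host is a loopback, private or link-local address."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host in LOCAL_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. A real filter must judge the resolved address
        # instead, or a public name pointing at 192.168.x.x slips through.
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local

def decide(origin_url, request_url):
    """Return 'deny' for a LAN-bound request issued by a non-LAN document."""
    if is_local(request_url) and not is_local(origin_url):
        return "deny"
    return "accept"

# Constructed sample requests: (document that issued it, URL requested, how).
SAMPLES = [
    ("http://news.example/story.html", "http://192.168.1.1/settings?dns=203.0.113.5", "img"),
    ("http://news.example/story.html", "http://10.0.0.50/config?contact=x", "stylesheet"),
    ("http://192.168.1.20/index.html", "http://192.168.1.1/status.html", "img"),
    ("http://news.example/story.html", "http://cdn.example/logo.png", "img"),
    ("http://news.example/story.html", "http://[::1]:631/admin", "img"),
]

def evaluate(samples):
    """Apply the rule to every sample; the triggering element plays no part."""
    return [decide(origin, target) for origin, target, _kind in samples]

if __name__ == "__main__":
    for (origin, target, kind), verdict in zip(SAMPLES, evaluate(SAMPLES)):
        print(f"{verdict:6} {kind:10} {origin} -> {target}")
```

The decision never looks at the element type, which is why the same rule covers `<img>` tags, stylesheets and scripted requests alike.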
Ohh, I wasn’t aware of that. That explains a lot.
I don’t use it, I think it has the wrong whitelist method.
Fair enough but, these days, it IS basically a collection of all the security features that aren’t in Firefox because they may require too much technical understanding for granny. (eg. FlashBlock-like click-to-play, ABE, an XSS filter, clickjacking protection, etc.)
Have you tried using NoScript with the whitelisting turned off (“Globally Allow Scripts” mode)? You can use the other features without it.
The professor for my data structures class at Columbia would joke that his research was in trying to blow up a printer by printing something. I guess he was serious after all…
We at our company do a lot of security on HP devices. We had a few customers suffering from HP printer exploits. Mostly they were misused as file servers, which can easily be exploited by PJL. Older MFPs were suffering most of it since they also had a relatively large HDD (40-80GB).
The PJL exploits are also rather easy to do, and you can’t really say it’s an exploit since it’s pretty well documented how you upload files and execute commands (except for the ASCIIHEX commands, where you can do printer-internal stuff like engine commands, resetting counters and so on).
The first thing you should do is to disable PJL command execution. There are rarely cases where you ever need that. There is third-party software that relies on PJL to count printed pages or for tray selection, but then again you have to tell the devs that they should please refrain from using PJL and use SNMP and PCL instead.
Also, this is not an HP-only issue. There are a lot of other devices where you can do this kind of exploiting and executing code. Certain beamers, for instance, or also some cheap NAS devices (which can actually be more dangerous since you often have a full Linux shell beneath it). Without proper network security it is your own fault anyway.
Funny you should mention SNMP as a workaround.
Because that was mentioned in a video I posted above as a really easy way to break into those printers if I’m not mistaken:
http://www.youtube.com/watch?v=MPhisPLwm2A
Ha! You are right. You can execute PJL code via SNMP. With SNMPv3 we also got some nice security features but most printers have only v2 and for older MFP models only v1.
Tell your customers to report their HP printer incidents to HP! HP is publicly saying that no customer has ever reported a successful exploit against their printers (as per the posting and referenced article). They need to hear otherwise if this is not the case.
This is known to HP and customers have reported it…
The drivers have been hardened with an update just a few days ago.
http://news.cnet.com/8301-1009_3-57347817-83/hp-firmware-to-mitigat…
I submitted a posting to Slashdot a few months back that basically got ignored – HP printers have a Web interface on them that many places (especially academic institutions it seems) actually put on the *public internet* with no password protection or anything!
There is a simple Google search that scarily finds literally millions of them all around the world. Whilst the Web interface doesn’t let you erase firmware, you can certainly change the printer config, print test pages etc.
BTW, how many people ever upgrade the firmware on their laser printer? Probably a tiny percentage I suspect, so HP’s release of a firmware fix (which probably won’t solve the issue of many HP printers being publicly available on the Net without a password) will probably help with new models purchased and not existing ones already out there.
Edited 2012-01-01 10:40 UTC
It’s scary how many people, especially some overpaid administrators, are not aware of that.
You can find even more devices like beamers, cams, NAS and so on. You just have to google for a sentence in the web interface or any other distinguishable stuff and you find boatloads of devices with a public IP… and even default user/pass settings.
A lot of devices can even be accessed via telnet or SSH. Depending on the kind of device, you’ve got your entry point to their local network and can wreak havoc.
Nowadays we have to worry about some stupid printer being a security issue? This is progress, right?
It’s a printer people! Why does shit have to be so complicated these days?
-Kevin
Because whatever you produce nowadays got a small little computer in it. Since this makes the whole thing quite complex you can exploit it.
Yes there is progress. But these are the dangers of advancing technology. Everything can be exploited and abused. More features = more holes.
MCUs and SoCs have been used in all kinds of equipment for ages.
The real danger lies in tacking on all kinds of unneeded functionality.
Do you need your television to run Linux? Should your microwave oven need to run a full OS?
If so, does your microwave oven need to be connected to the cloud? Do you need instant-anywhere food preparation using a fancy HTML5 webapp? Perhaps a catchy^H^H^Hshitty name will be invented for it such as foodster or snackbook.
This could be somewhat okay, but of course your microwave/dishwasher/hairdryer wants to know what you like on Facebook. Perhaps your garage door opener would like to follow you on Twitter as well.
This is a massive, partly misguided rant. I admit this, and for this I offer you my apologies.
…
I just think things are going to get a lot worse for our privacy/security.
-Kevin
Edited 2012-01-03 12:47 UTC
I suppose just another reflection of the drive to lower overall costs. Not strictly coming from “complicated” or “complex” – in a way quite the contrary, the deal with tightly integrated MCUs & SOCs is, after all, how they ultimately make things massively simpler, on the manufacturing etc. level.
So it starts with basics (essentially a “move” of old functionality into MCU), cheap & simple – but after some time, it’s quite straightforward and cheap to add ever more features; additional costs are quickly marginal.
Then it goes further, some “bling” which can draw perhaps a relatively small, but still important group of consumers (especially since this group might be among most eager to buy new stuff, new toys). By that time, it’s still only marginally more expensive in production. And it’s actually getting less expensive, via economies of scale, to just use the same “complex” unit in essentially entire line of products.
Edited 2012-01-08 00:06 UTC