Hackers Could Set Your Printer on Fire from a Distance
Ron Czapala
http://shine.yahoo.com/at-home/strange-security-hackers-could-set-printer-fire-distance-235900935.html
It takes a creative mind to turn an otherwise innocent gadget into a looming security threat, but what's a hacker if not exactly that? You might not be particularly concerned that your printer could spell your demise, but a research team at Columbia University has demonstrated that not only can vulnerable printers be hacked remotely to snag personal information like credit card and Social Security numbers - they could even be made to self destruct...literally.
The research team, helmed by Columbia Professor Salvatore Stolfo and student Ang Cui, demonstrated the design flaw in a number of models of LaserJet printer manufactured by Hewlett Packard. They showed how infiltrating a printer remotely and flooding it with commands could overheat the part of a printer that dries ink, causing it to smoke, melt down, and potentially even start a fire. In another test, the group swiped a Social Security number from a scanned document and auto-published it to a Twitter feed, all by controlling the compromised device remotely.
To show how real the threat is, the team reverse-engineered the printer software - essentially breaking it down and building it back up. They discovered that the automated firmware updates on some older models essentially left the devices wide open. Firmware is the software that controls the internal workings of an electronic device, and it needs to be updated occasionally. The printers in question scan for new firmware through an automated process known as a remote firmware update, but they aren't discerning about what they download. By skipping a critical step for security known as digital signing, the calling card of safe, manufacturer-approved software, any able hacker could push malicious software onto a device by disguising it as a firmware update attached to a print request.
After lacing a document with malicious code, a hacker could install a custom built version of operating software in roughly 30 seconds. And as printers operate on such remedial software (compared to a computer or a smartphone), the bait and switch would be impossible to detect without dismantling the infected device. Once compromised, there's no simple way to un-hack a printer.
The researchers briefed HP on the vulnerability last week, and the company is likely scrambling to come up with a fix that will address the exploit. HP claims that post-2009 models require the crucial digital signature step, and pointed out that since the hack applies to laser printers, which are more common in office settings for bulk black and white printing, many home users would be unaffected. The researchers are now looking into printer models made by other manufacturers, and expect to be able to replicate the hack well beyond HP's pre-2009 LaserJet line.
While the hack might be alarming, the security community has been well aware of firmware loopholes like this one for years now. According to Brandon Creighton, a security researcher at Veracode with over a decade of experience, "You can find published research going back at least ten years. At the same time, the study they're presenting is significant because they've done the work in building a proof-of-concept exploit that actually demonstrates the vulnerabilities. That's a fair amount of effort, and most people don't do that."
And printers aren't unique targets: home routers, Voice Over IP (VoIP) devices, and ISP cable and DSL boxes are among the gadgets potentially exposed to the same method. While nothing is failproof, keeping your devices up to date with software directly from the manufacturer's website is a good measure against clever exploits like this one.
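The missing check the article describes, sketched as an added example (not HP's firmware code and not part of the original post): a hypothetical printer update handler in Go that flashes an image only if its Ed25519 signature verifies under a vendor key stored on the device. The `Printer` and `Update` types, the all-zero test key and the sample images are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Update is a hypothetical firmware package: image plus detached signature.
type Update struct{ Image, Sig []byte }

// Printer is a hypothetical device with the vendor public key stored read-only.
type Printer struct {
	VendorKey ed25519.PublicKey
	Firmware  []byte
}

var ErrBadSignature = errors.New("firmware rejected: signature missing or invalid")

// ApplyUnchecked models the flaw: any image that arrives is flashed.
func (p *Printer) ApplyUnchecked(u Update) error { p.Firmware = u.Image; return nil }

// ApplyVerified flashes only images whose signature verifies under VendorKey.
func (p *Printer) ApplyVerified(u Update) error {
	if len(u.Sig) != ed25519.SignatureSize || !ed25519.Verify(p.VendorKey, u.Image, u.Sig) {
		return ErrBadSignature
	}
	p.Firmware = u.Image
	return nil
}

// Demo runs constructed updates through both paths and reports the outcomes.
func Demo() (genuineOK, forgedRejected, unsignedRejected, uncheckedTookForged bool) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key, not for real use
	pub := priv.Public().(ed25519.PublicKey)
	genuine := Update{Image: []byte("vendor image v2")}
	genuine.Sig = ed25519.Sign(priv, genuine.Image)
	forged := Update{Image: []byte("altered image"), Sig: genuine.Sig} // signature copied from another image
	unsigned := Update{Image: []byte("altered image")}

	hardened := &Printer{VendorKey: pub, Firmware: []byte("factory")}
	genuineOK = hardened.ApplyVerified(genuine) == nil
	forgedRejected = errors.Is(hardened.ApplyVerified(forged), ErrBadSignature)
	unsignedRejected = errors.Is(hardened.ApplyVerified(unsigned), ErrBadSignature)
	stillGenuine := bytes.Equal(hardened.Firmware, genuine.Image) // rejected updates left flash untouched

	legacy := &Printer{Firmware: []byte("factory")}
	uncheckedTookForged = legacy.ApplyUnchecked(forged) == nil && bytes.Equal(legacy.Firmware, forged.Image)
	return genuineOK && stillGenuine, forgedRejected, unsignedRejected, uncheckedTookForged
}

func main() { fmt.Println(Demo()) }
```

The verified path leaves the installed firmware unchanged whenever the signature is absent or does not match the image, which is the property the article says the affected update process lacked.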
Comments
In other words...
I suppose the university professor proved it was possible. But I don't think that this is going to be a significant hazard to most of us. If you are really worried - only turn on the printer when you are at the computer (That's what I do anyway). If you cannot remember to turn on and off the printer, take the +12 off one of the extra hard drive power plugs and use it to power a 12 VDC relay (outboard of the PC). That relay will turn on your printer when you turn on your computer; and turn it off when the computer is turned off.
I have better things to worry about - like who stole the battery out of my motor scooter 5 years ago.
Why would they want to locate YOU in particular? They just put malicious trojans, viruses, etc. out there for anyone who stumbles upon it.
It was a poor security decision from HP to not digitally sign updates. Infecting your PC is bad enough, but potentially causing a fire in your home is extreme.
But, now you know why my computer club considers me to be a howling paranoid. I have two computers. One exclusively for browsing, and the other for everything else and it CAN NOT connect to the web. I also have (ahem) a manual A/B switch to disconnect anything I'm not actually using at the moment.
But, I AM NOT PARANOID. Merely realistic.
Meanwhile I am blissfully using Linux. This is very close to an urban legend.