The “HP Printer Paper Burning Hack” has made headline news, but the actual video from the Intrusion Detection Systems Group at Columbia University tells a totally different story.
In the video, Professor Salvatore J. Stolfo and a senior graduate research assistant show how a maliciously formed print job could cause an HP printer’s firmware to be reprogrammed so that it acts like a copy machine, sending an exact copy of a print job to any place in the world, and so that it can also serve as a pivot point to attack computers on the local network.
A print job specially crafted with a replacement firmware (operating system code for printers) is sent to the printer. The original printer firmware is erased automatically, without user intervention, the malicious firmware is installed, and the printer comes back online. Then, when a print job is sent to the printer, in this case a tax return, an exact duplicate is sent to the attacker’s printer (which could be located anywhere in the world). There is no notification that the extra print job is being created or where it is sent.
But that is not all: the attackers also get a tweet on their Twitter page showing sensitive information parsed from the print job!
In this instance, a copy of the user’s social security number is pulled off the printed page and sent to the attacker’s Twitter page. Again, this happens without notification to the end user, who is just printing their tax return.
Next, the graduate student shows how the reprogrammed printer could be used as a pivot point to attack computers on the user’s local network. In this case, the simulated Internet-based attacker uses the printer to create a tunnel across the Internet and into the local network. The student then uses the popular penetration testing tool BackTrack to send an exploit to an internal Windows XP system while pivoting through the printer, and gains an administrator shell on the PC.
They do mention briefly that they could get a brown line on the paper, but state that the built-in thermostat prevented the paper from actually catching fire. I just don’t get how the media focused on this part of the presentation and not on the other more serious security issues brought forth in the presentation.
According to the Columbia University research team, this type of attack would be very hard to detect or deter. There is no anti-virus or built-in security feature on the printer to stop the malicious firmware update from taking place, and no notification that the printer has been compromised. But the problem does not end there. They mention that this type of problem is inherent in numerous embedded devices, including VoIP phones, routers, webcams, etc.
Access to the devices needs to be filtered, and programs that monitor and record network traffic for malicious activity are always a good idea in a corporate environment.
Check out the video for yourself at http://www.hacktory.cs.columbia.edu/.
*** Update – HP has released a security document explaining recommended steps to take to secure HP printers – One of the recommended steps is to disable remote firmware update until you need to use it.