Is the Potential of an Attacker Setting a Printer on Fire Really What IT Security Departments Should be Worried About?
Last week, news surfaced that researchers from Columbia University had discovered vulnerabilities in upgradeable firmware in HP laser printers that could be compromised and modified by an attacker, enabling them to do anything from overheating the printer, to compromising a network, with some speculating that the devices could even be set up in flames.
HP responded with a statement, saying the reports were “sensational and inaccurate,” and that “speculation regarding potential for devices to catch fire due to a firmware change is false.” The company explained that HP LaserJet printers have a hardware element called a “thermal breaker” that’s designed to prevent the fuser from overheating and causing a fire. “It cannot be overcome by a firmware change or this proposed vulnerability,” the company said.
But is the potential of a printer fire the real threat that IT security department should be worried about? Security expert Kurt Stammberger, VP of Market Development at device security firm Mocana doesn’t think so.
“The focus of HP is on the fire issue, but they don't say anything to address the real issue, which is the fairly indefensible position of not cryptographically authenticating their printer software updates,” Stammberger told SecurityWeek. “Fires notwithstanding, printers are still a great place to launch and attack against a network, because they are so broadly connected.”
While HP refuted claims that its printers could be set on fire remotely by an attacker, it did acknowledge existence of potential security vulnerability related to the firmware in some its LaserJet printers.
“The specific vulnerability exists for some HP LaserJet devices if placed on a public Internet without a firewall,” the company said it a statement. “In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.”
The company followed in saying that “no customer has reported unauthorized access.” But how many organizations and individuals monitor printers and other non-PC networked devices for potential attacks? Not many. And most do not have the ability to do so.
Stammberger believes HP's statement that ‘no customer has reported unauthorized access’ is a bit interesting and somewhat concerning. “That is a pretty cheeky statement, considering HP doesn't provide any facility to diagnose the health of their printers' firmware images, or report on whether or not it has been infected,” he said.
“HP is only stoking the controversy by reacting this way. This is a they ‘doth protest too much’ type of denial, typical of companies that don't have a lot of experience in security issues,” he added. “In fact, this sounds a lot like the way Microsoft would have reacted in the late 90's,” noting that Microsoft has made great strides and its security organization, and takes all vulnerability reports seriously and doesn't try to minimize vulnerabilities through PR.
HP currently provides software that enables admins to set configurations and security policies for devices, and provides IT infrastructure and filtering technology to help remove suspicious files and devices on a network, but being able to monitor the health of the firmware on its printers is lacking.
“First of all, how the hell doesn’t HP have a signature or certificate indicating that new firmware is real firmware from HP?” asked Mikko Hypponen, head of research at F-Secure, speaking to MSNBC.Com's Bob Sullivan.
HP is by no means alone. This trend extends far beyond printers, to devices including as Internet-capable televisions, cars and many more. The security of such embedded devices is often ignored – not just by consumers, but by network administrators, because they often don’t consider these devices to be at risk since there is no data to lose. This is far from the truth.
“Even if I couldn't start a fire in this particular printer line, I might be able to, for example, introduce malware that sends a copy of every document printed to China,” Mocana’s Stammberger explained.
HP said it is working on a firmware upgrade to mitigate the issue and will reach out customers and partners who may be impacted. In the meantime, HP suggests that customers place printers behind a firewall and, when possible, disable remote firmware upload functionality on exposed printers.