Linked by Howard Fosdick on Sat 31st Dec 2011 07:57 UTC
Bugs & Viruses
Columbia University researchers claim millions of HP printers could be open to remote attack via unsecured Remote Firmware Updates. Cybercriminals could steal personal information or attack otherwise secure networks. HP agrees there is a theoretical security problem but says no customer has ever reported unauthorized printer access. The company denies some of the claims and is still investigating others.
Not just printers
by Alfman on Sat 31st Dec 2011 09:24 UTC
Alfman
Member since:
2011-01-28

I've seen this of consumer NAS devices too, where the firmware can be flashed over the network without any password at all.

Ideally, all firmware changes would require the administrator password. And a device reset would require a physical button.

Reply Score: 6

Surprised ?
by Lennie on Sat 31st Dec 2011 09:35 UTC
Lennie
Member since:
2007-09-22

The question mark in the article title makes it seem Howard was surprised.

A printer is a network connected computer like many other devices and people don't update their firmware. So what else do you expect ?

Here are some presentations on other security problems with printers:

http://www.youtube.com/watch?v=GZgLX60U3sY#t=3m40s
( ShmooCon 2011: Printers Gone Wild! )

http://www.youtube.com/watch?v=MPhisPLwm2A
( ShmooCon 2011: Printer to PWND: Leveraging Multifunction Printers During Penetration Testing )

Another example is that many of these devices have a web interface. Why is that a problem ? Well it is just as much a problem as a web interface on your router.

A website on the Internet could include an image with a URL pointing at your router or printer which tries to change settings on that device. It is very common.

Many routers on sale right now have already fixed their problems. It will take years before printers will get fixed.

Reply Score: 7

RE: Surprised ?
by ssokolow on Sat 31st Dec 2011 15:37 UTC in reply to "Surprised ?"
ssokolow Member since:
2010-01-21

> A website on the Internet could include an image with a URL pointing at your router or printer which tries to change settings on that device. It is very common.
>
> Many routers on sale right now have already fixed their problems. It will take years before printers will get fixed.


This is why I always help people to install NoScript, even if I put the Javascript whitelisting in "globally allow" mode.

It's got another component named ABE (Application Boundaries Enforcer) which includes a default ruleset to prevent just that sort of thing. (Disallowing access to LAN URLs from a WAN document)

(You can also choose to have the XSS filters, clickjacking protection, and securely-implemented Flash/Java/etc. click-to-play active with "globally allow" chosen)

Reply Score: 3

RE[2]: Surprised ?
by Lennie on Sat 31st Dec 2011 16:09 UTC in reply to "RE: Surprised ?"
Lennie Member since:
2007-09-22

Actually, you can't do that with JavaScript. As I mentioned the attacker just places an <img>-tag.

Well, I guess you can do that with JavaScript but it doesn't have any advantage over using an image.

They might use JavaScript to generate a long list of <img>-tags to try different IP-addresses though.

Just sending a longer HTML-page is easy too of course.

So the only thing you are protecting yourself against in this case is an attacker which expects JavaScript to be available and working.

Reply Score: 4

RE[3]: Surprised ?
by ssokolow on Sat 31st Dec 2011 17:55 UTC in reply to "RE[2]: Surprised ?"
ssokolow Member since:
2010-01-21

> Actually, you can't do that with JavaScript. As I mentioned the attacker just places an <img>-tag.
>
> Well, I guess you can do that with JavaScript but it doesn't have any advantage over using an image.
>
> They might use JavaScript to generate a long list of <img>-tags to try different IP-addresses though.
>
> Just sending a longer HTML-page is easy too of course.
>
> So the only thing you are protecting yourself against in this case is an attacker which expects JavaScript to be available and working.


You misunderstand. NoScript's name is unfortunate because it hasn't merely whitelisted Javascript for a very long time.

The ABE module hooks into Firefox's HTTP subsystem and is capable of inspecting and refusing any request not made completely independently by a plugin like Java or Flash.

By design, it does intercept exploits made using <img> tags, stylesheet <link>s and @imports, and all manner of other mechanisms attackers can imagine.

(Of course, it doesn't block exploits via Java or Flash-native HTTP, which is why I also use the securely-implemented FlashBlock-like functionality too)

Reply Score: 4
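
The kind of rule discussed in the comments above (refuse a request to a LAN address when the document that triggers it came from the WAN, whatever element issued it) can be sketched as follows. This is an added example, not part of the thread and not NoScript's code; the function names and sample URLs are constructed, and only IPv4 literals and "localhost" are classified.

```javascript
// Added example: simplified ABE-style boundary check (not NoScript's code).
// Assumption: only IPv4 literals and "localhost" are classified. Hostnames
// that resolve to private addresses, and IPv6, are out of scope here.
const LOCAL_V4_RANGES = [
  ["10.0.0.0", 8],      // RFC 1918
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local
];

// Convert a dotted-quad string to an integer, or null if it is not one.
function ipv4ToInt(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isLocalHost(host) {
  if (host === "localhost") return true;
  const ip = ipv4ToInt(host);
  if (ip === null) return false;
  return LOCAL_V4_RANGES.some(([base, bits]) => {
    const size = 2 ** (32 - bits); // number of addresses in the range
    return Math.floor(ip / size) === Math.floor(ipv4ToInt(base) / size);
  });
}

// Decide on one outgoing request. The element type (<img>, <link>, script)
// is deliberately not an input: only origin and destination matter.
function decide(documentUrl, requestUrl) {
  // The URL parser canonicalises hex and decimal IPv4 spellings, so
  // "http://3232235777/" is classified as 192.168.1.1.
  const from = new URL(documentUrl).hostname;
  const to = new URL(requestUrl).hostname;
  return isLocalHost(to) && !isLocalHost(from) ? "deny" : "accept";
}
```
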

RE[4]: Surprised ?
by Lennie on Sun 1st Jan 2012 01:55 UTC in reply to "RE[3]: Surprised ?"
Lennie Member since:
2007-09-22

Ohh, I wasn't aware of that. That explains a lot.

I don't use it, I think it has the wrong whitelist method.

Reply Score: 2

RE[5]: Surprised ?
by ssokolow on Sun 1st Jan 2012 16:30 UTC in reply to "RE[4]: Surprised ?"
ssokolow Member since:
2010-01-21

> Ohh, I wasn't aware of that. That explains a lot.
>
> I don't use it, I think it has the wrong whitelist method.


Fair enough but, these days, it IS basically a collection of all the security features that aren't in Firefox because they may require too much technical understanding for granny. (eg. FlashBlock-like click-to-play, ABE, an XSS filter, clickjacking protection, etc.)

Have you tried using NoScript with the whitelisting turned off ("Globally Allow Scripts" mode)? You can use the other features without it.

Reply Score: 2

Comment by broken_symlink
by broken_symlink on Sat 31st Dec 2011 14:28 UTC
broken_symlink
Member since:
2005-07-06

The professor for my data structures class at Columbia would joke that his research was in trying to blow up a printer by printing something. I guess he was serious after all...

Reply Score: 4

PJL Issues
by Gestahlt on Sat 31st Dec 2011 14:36 UTC
Gestahlt
Member since:
2011-10-17

We at our company do a lot of security on HP devices. We had a few customers suffering from HP Printer exploits. Mostly they were misused as fileservers which can easily be exploited by PJL. Older MFPs were suffering most of it since they also had a relatively large HDD (40-80GB).

The PJL exploits are also rather easy to do, and you can't really say it's an exploit since it's pretty well documented how you upload files and execute commands (except for the ASCIIHEX commands where you can do Printer internal stuff like engine commands, resetting counters and so on)

The first thing you should do is to disable PJL command execution. There are rarely cases you ever need that. There is 3rd Party software that relies on PJL to count printed pages or tray selection but then again you have to tell the devs that they should please refrain from using PJL and using SNMP and PCL instead.

Also this is not an HP only issue. There are a lot of other devices where you can do this kind of exploiting and executing code. Certain Beamers for instance or also some cheap NAS devices (which can actually be more dangerous since you often have a full Linux shell beneath it). Without proper network security you are at your own fault anyway.

Reply Score: 4

RE: PJL Issues
by Lennie on Sat 31st Dec 2011 16:11 UTC in reply to "PJL Issues"
Lennie Member since:
2007-09-22

Funny you should mention SNMP as a workaround.

Because that was mentioned in a video I posted above as a really easy way to break into those printers if I'm not mistaken:

http://www.youtube.com/watch?v=MPhisPLwm2A

Reply Score: 4

RE[2]: PJL Issues
by Gestahlt on Sun 1st Jan 2012 12:05 UTC in reply to "RE: PJL Issues"
Gestahlt Member since:
2011-10-17

Ha! You are right. You can execute PJL code via SNMP. With SNMPv3 we also got some nice security features but most printers have only v2 and for older MFP models only v1.

Reply Score: 2

RE: report exploits to HP please!
by kateline on Sun 1st Jan 2012 20:45 UTC in reply to "PJL Issues"
kateline Member since:
2011-05-19

Tell your customers to report their HP printer incidents to HP! HP is publicly saying that no customer has ever reported a successful exploit against their printers (as per the posting and referenced article). They need to hear otherwise if this is not the case.

Reply Score: 2

Gestahlt Member since:
2011-10-17

This is known to HP and customers have reported it...

Reply Score: 1

driver update
by fran on Sat 31st Dec 2011 14:43 UTC
fran
Member since:
2010-08-06

The drivers have been hardened with an update just a few days ago.

http://news.cnet.com/8301-1009_3-57347817-83/hp-firmware-to-mitigat...

Reply Score: 4

I spotted this a few months ago...
by rklrkl on Sun 1st Jan 2012 10:35 UTC
rklrkl
Member since:
2005-07-06

I submitted a posting to Slashdot a few months back that basically got ignored - HP printers have a Web interface on them that many places (especially academic institutions it seems) actually put on the *public internet* with no password protection or anything!

There is a simple Google search that scarily finds literally millions of them all around the world. Whilst the Web interface doesn't let you erase firmware, you can certainly change the printer config, print test pages etc.

BTW, how many people ever upgrade the firmware on their laser printer? Probably a tiny percentage I suspect, so HP's release of a firmware fix (which probably won't solve the issue of many HP printers being publicly available on the Net without a password) will probably help with new models purchased and not existing ones already out there.

Edited 2012-01-01 10:40 UTC

Reply Score: 4

Gestahlt Member since:
2011-10-17

It's scary how many people, especially some overpaid Administrators are not aware of that.

You can find even more devices like Beamers, Cams, NAS and so on. You just have to google for a sentence in the web interface or any other distinguishable stuff and you find boatloads of devices with public IP.. and even default user/pass settings.

A lot of devices can even be accessed via telnet or SSH. Depending on the kind of device you've got your entry point to their local network and can wreak havoc.

Reply Score: 2

This is sad
by p13. on Mon 2nd Jan 2012 13:50 UTC
p13.
Member since:
2005-07-10

Nowadays we have to worry about some stupid printer being a security issue? This is progress, right?
It's a printer people! Why does shit have to be so complicated these days?

-Kevin

Reply Score: 2

RE: This is sad
by Gestahlt on Tue 3rd Jan 2012 04:11 UTC in reply to "This is sad"
Gestahlt Member since:
2011-10-17

Because whatever you produce nowadays got a small little computer in it. Since this makes the whole thing quite complex you can exploit it.

Yes there is progress. But these are the dangers of advancing technology. Everything can be exploited and abused. More features = more holes.

Reply Score: 2

RE[2]: This is sad
by p13. on Tue 3rd Jan 2012 12:47 UTC in reply to "RE: This is sad"
p13. Member since:
2005-07-10

MCUs and SoCs have been used in all kinds of equipment for ages.
The real danger lies in tacking on all kinds of unneeded functionality.

Do you need your television to run linux? Should your microwave oven need to run a full OS?
If so, does your microwave oven need to be connected to the cloud? Do you need instant-anywhere food preparation using a fancy html5 webapp? Perhaps a catchy^H^H^Hshitty name will be invented for it such as foodster or snackbook.

This could be somewhat okay, but of course your microwave/dishwasher/hairdryer wants to know what you like on facebook. Perhaps your garage door opener would like to follow you on twitter as well.

This is a massive, partly misguided rant. I admit this, and for this I offer you my apologies.

...

I just think things are going to get a lot worse for our privacy/security.

-Kevin

Edited 2012-01-03 12:47 UTC

Reply Score: 1

RE[3]: This is sad
by zima on Sat 7th Jan 2012 23:59 UTC in reply to "RE[2]: This is sad"
zima Member since:
2005-07-06

I suppose just another reflection of the drive to lower overall costs. Not strictly coming from "complicated" or "complex" - in a way quite the contrary, the deal with tightly integrated MCUs & SOCs is, after all, how they ultimately make things massively simpler, on the manufacturing etc. level.

So it starts with basics (essentially a "move" of old functionality into MCU), cheap & simple - but after some time, it's quite straightforward and cheap to add ever more features; additional costs are quickly marginal.

Then it goes further, some "bling" which can draw perhaps a relatively small, but still important group of consumers (especially since this group might be among most eager to buy new stuff, new toys). By that time, it's still only marginally more expensive in production. And it's actually getting less expensive, via economies of scale, to just use the same "complex" unit in essentially entire line of products.

Edited 2012-01-08 00:06 UTC

Reply Score: 2