MSNBC's Bob Sullivan, author of The Red Tape Chronicles, posted an interesting writeup examining research from a team at Columbia University who may have revealed one of the most widespread hardware vulnerabilities to date.
The inherent flaw in printer firmware represents a new class of vulnerability that could have a significant impact on the majority of printer owners - including consumers, enterprise, and government entities.
The researchers indicate that exploits could allow network intruders the ability to harvest sensitive data from network printers, and potentially allow an attacker to cause a printer’s fuser to heat up and cause a fire.
"Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reported by msnbc.com. They say there's no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too – and there's no way to tell if hackers have already exploited it," Sullivan writes.
The researchers first alerted several federal agencies of the vulnerability before notifying Hewlett Packard of their findings. The extent of the vulnerability beyond HP printers is as of yet unknown, and the research team indicated they would be continuing their investigation.
“It is conceivable that all printers are vulnerable... Printers that are 3-, 4-, 5-years-old and older, I’d think, all used unsigned software. The question is, ‘How many of those printers are out there?’ It could be much more than 100 million," said Columbia's Salvatore Stolfo, who supervised the research.
HP has been cautious in their reaction to the researchers findings. “Until we verify the security issue, it is difficult to comment,” said Keith Moore, chief technologist for HP's printer division, who also stated that HP "takes this very seriously."
The researchers reverse-engineered the software code that works to control the printers examined, and they found that the automated update mechanisms fail to authenticate the origin of the firmware updates that are summoned automatically upon use of the device.
This allows an attacker the opportunity to update a unit with malicious code for data exfiltration or to cause physical damage to the device. Such firmware attacks are a relatively unmitigated aspect to systems security, according to the researchers.
"The problem is, technology companies aren't really looking into this corner of the Internet. But we are. The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited," Stolfo said.
Some well-known security experts have expressed shock and dismay at the revelation that the firmware updates are not protected by some sort of authentication protocol, and warn that those susceptible to the vulnerability are probably not even aware of this threat vector.
“First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP? Printers have been a weak spot for many corporate networks. Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact,” said F-Secure's Mikko Hypponen.
The Columbia researchers further warn that mitigating this vulnerability may be extremely complicated, and the fix will not be as easy as rolling out a patch.
“If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective. Once you own the firmware, you own it forever. That’s why this problem is so serious, and so different. This is nothing like fixing a virus on your PC,” Columbia researcher Ang Cui said.
The worst case scenario may include the necessity to scrap millions of vulnerable devices at great cost to companies and organizations across all industry sectors.
“It may ultimately lead to telling everyone they just have to throw their printers out and start over. Fixing this is going to require a very coordinated effort by the industry," Stolfo asserted.