It takes a creative mind to turn an otherwise innocent gadget into a looming security threat, but what's a hacker if not exactly that? You might not be particularly concerned that your printer could spell your demise, but a research team at Columbia University has demonstrated that not only can vulnerable printers be hacked remotely to snag personal information like credit card and Social Security numbers - they could even be made to self destruct...literally.
The research team, helmed by Columbia Professor Salvatore Stolfo and student Ang Cui, demonstrated the design flaw in a number of models of LaserJet printer manufactured by Hewlett Packard. They showed how infiltrating a printer remotely and flooding it with commands could overheat the part of a printer that dries ink, causing it to smoke, melt down, and potentially even start a fire. In another test, the group swiped a Social Security number from a scanned document and auto-published it to a Twitter feed, all by controlling the compromised device remotely.
To show how real the threat is, the team reverse-engineered the printer software - essentially breaking it down and building it back up. They discovered that the automated firmware updates on some older models essentially left the devices wide open. Firmware is the software that controls the internal workings of an electronic device, and it needs to be updated occasionally. The printers in question scan for new firmware through an automated process known as a remote firmware update, but they aren't discerning about what they download. By skipping a critical step for security known as digital signing, the calling card of safe, manufacturer-approved software, any able hacker could push malicious software onto a device by disguising it as a firmware update attached to a print request.
After lacing a document with malicious code, a hacker could install a custom built version of operating software in roughly 30 seconds. And as printers operate on such remedial software (compared to a computer or a smartphone), the bait and switch would be impossible to detect without dismantling the infected device. Once compromised, there's no simple way to un-hack a printer.
The researchers briefed HP on the vulnerability last week, and the company is likely scrambling to come up with a fix that will address the exploit. HP claims that post-2009 models require the crucial digital signature step, and pointed out that since the hack applies to laser printers, which are more common in office settings for bulk black and white printing, many home users would be unaffected. The researchers are now looking into printer models made by other manufacturers, and expect to be able to replicate the hack well beyond HP's pre-2009 LaserJet line.
While the hack might be alarming, the security community has been well aware of firmware loopholes like this one for years now. According to Brandon Creighton, a security researcher at Veracode with over a decade of experience, "You can find published research going back at least ten years. At the same time, the study they're presenting is significant because they've done the work in building a proof-of-concept exploit that actually demonstrates the vulnerabilities. That's a fair amount of effort, and most people don't do that."
And printers aren't unique targets: home routers, Voice Over IP (VoIP) devices, and ISP cable and DSL boxes are among the gadgets potentially exposed to the same method. While nothing is failproof, keeping your devices up to date with software directly from the manufacturer's website is a good measure against clever exploits like this one.
6:37 PM
PRSolutions PRS
