Greetings from Washington, DC – the home of corrupt politicians, sleazy lobbyists, democracy destroying SuperPACs and Moby Dick House of Kebab. I’m here to attend ShmooCon, which is (IMHO) one of the better security cons out there. I’ll be blogging about what I learn over the next few days, so stay tuned for some cutting edge security goodness. Interested in anything specific on the schedule? Drop me a line at email@example.com or DM me at @alberg on the Twitter.
So, remember a few weeks back, when the tech press got really silly, warning us that hackers could set our HP printers on fire remotely? Well, it turns out that there was a security story about HP printers, but the press really missed the boat on what was actually important. At the 28th Chaos Communications Congress (held in Berlin last week), the Columbia University researchers whose work was totally misconstrued by the press presented their work. No, hackers cannot set your printer on fire – but they can install malware on hundreds of millions HP printers shipped since 2005, either by connecting to the printer and replacing its normal firmware with evil firmware or by getting one of your users to print out a specially crafted document which also carries their nefarious code. Once this hack is done, your printer will become a silent (but deadly) bridgehead into your network.
UPDATE: Here’s a list of all of the printers affected by this vulnerability.
The researchers had two demos. In the first, they caused the infected printer to silently send a copy of every document it printed to an attacker’s printer out on the Internet. Demo two had the infected printer acting looking for internal systems vulnerable to a Windows XP exploit and then acting as a relay for the attacker to control them from outside the firewall. This was pretty scary stuff… let’s say I send a crafted document purporting to contain a 50% off coupon for a local restaurant to your users… how many times (and on how many printers) would this get printed?
This hack is made possible by the fact that some HP printers allow their firmware to be updated without any authentication or digital signature and that all of the code within the printer runs as a super user. It also points out the need for anti malware protections for embedded devices like printers, routers and the like. The guys at Columbia are working on a project to do this.
As an aside, these same researchers scanned the Internet for accessible HP printers – they found over 75,000 of them, located at private companies, governments, educational institutions and in other places. Infecting just a small percentage of these systems would provide someone with a very stealthy botnet that would be extremely difficult to remove. The researchers feel that it may be possible for the attackers to install their code permanently, so that the only ways to get rid of the infection would be by replacing (soldered on surface mount) hardware components or trashing the printer altogether,
So… what to do?
First, update your HP printers’ firmware to the latest (December 2011 or later) firmware version, which can be found over on the HP support website. The new drivers require printer firmware updates to be digitally signed by HP.
Next, make sure that your printers cannot be accessed from the Internet. For most of my readers, I don’t think this will be an issue, but you never know… scan your Internet facing IPs for port 9100, which is used to submit print jobs and firmware updates to HP printers.
Third, limit where your printers can send traffic to… is there any good reason to allow a printer outbound access to the Internet? Not that I can think of. Putting printers on an isolated VLAN which can ONLY talk to the print server limits the damage that can be done using this attack. Of course you really need to make sure that your print servers are patched and properly isolated as well – and when eas the last time you took a look at your print servers?
We’ve all got some work to do, people but more importantly, we need to look at embedded systems like printers, routers, access points, and the like in a new way – as potential malware targets with the computing power to take down our networks and no antivirus protection. I can just about guarantee that the bad guys will be researching this in 2012 – it is just too juicy a target to ignore.
If you are a security pro or are responsible for printers in your organization, I’d recommend spending an hour watching the video of this presentation to get the full story.
Happy New Year, all.