Vulnerabilities / Threats
12/5/2011
12:42 PM
Connect Directly
RSS
E-Mail
50%
50%

HP Denies Exploit Could Trigger Printer Fire

Security researchers warned that zero-day printer vulnerability could be exploited to overheat printers, or worse.

HP last week denied reports that a bug in its printer firmware could be remotely exploited by an attacker to cause the device to burst into flames.

"There has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers," according to a statement released by HP. "Speculation regarding potential for devices to catch fire due to a firmware change is false."

HP's statement came in response to an MSNBC report about a demonstration by Columbia University researchers, who exploited a vulnerability they discovered in HP LaserJet firmware to load custom firmware, which was set to cause the printer's fuser--which heats up toner to cause it to bond to paper--to overheat.

"These devices are completely open and available to be exploited," Salvatore Stolfo, a professor who directs research in Columbia University's computer science department, told MSNBC. He estimated that millions of printers might be affected.

[ From Apple To CarrierIQ, it seems companies don't wait long to punish researchers who disclose vulnerabilities. See Vendors Quick To Hit Back At Security Researchers. ]

Thankfully, however, while the HP printers may be vulnerable to hacking, getting them to catch fire doesn't appear to be easy, if it's even possible. That's because HP printers have a thermal breaker that's set to trip and shut down the device if it overheats for any reason. In fact, this is precisely what happened to the HP printer during the Columbia researchers' demonstration. Furthermore, HP said that its thermal breakers "cannot be overcome by a firmware change or this proposed vulnerability."

While using online attacks to cause device meltdowns might be difficult, actually exploiting devices to steal information would appear to be a much easier task. Notably, the Columbia researchers discovered that HP LaserJet firmware--which they reverse-engineered--doesn't validate software updates to confirm that they're legitimate. Furthermore, many of the printers are Internet-connected. As a result, they said, attackers could remotely load custom firmware, not just to damage the device, but also, for example, to send copies of everything that a device printed or scanned to an external server.

HP said it's working on a firmware upgrade for that vulnerability--which hasn't been exploited in the wild--and recommended that all Internet-enabled printers be placed behind firewalls, and that "where possible" existing users disable remote firmware updates. Interestingly, HP said that the vulnerability could sometimes also be exploited in Linux or Mac environments, using "a specially formatted corrupt print job to trigger a firmware upgrade."

Of course, attackers might not even have to bother writing custom firmware. According to research presented by Michael Sutton, VP of security research for Web security firm Zscaler Labs, at the Black Hat security conference earlier this year, many printers, photocopiers, and voice-over-IP systems are Internet-connected, and use well-known default passwords or firmware with known vulnerabilities. Either could be exploited by attackers to gain remote access to the devices, and in some cases, simply update their settings to copy all documents scanned or phone calls facilitated, using built-in management software.

If hacking into a device and attempting to make it catch on fire sounds familiar, that's because Charlie Miller of Accuvant, earlier this year, demonstrated at the Black Hat conference in Las Vegas how Apple laptop batteries' firmware could be hacked. Such hacks could be used to turn batteries into bricks, introduce malware onto laptops, or even overcharge the battery, which Miller warned might cause it to catch fire. But industry watchers said that high-quality laptop batteries typically sport numerous safety features that can't be disabled via firmware, including circuit interrupters that prevent overcharging or undercharging.

Companies that have implemented or are evaluating managed print services look to the model for its ability to reduce costs and increase end user productivity. However, IT teams need to be aware of security and scalability when selecting a partner. Here's how two large companies in diverse industries got a handle on printing. Read our report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.