Schneier on Security

A blog covering security and security technology.

« Improving the Security of Four-Digit PINs on Cell Phones | Main | Friday Squid Blogging: Squid Skateboards »

January 6, 2012

Time to Patch Your HP Printers

It's a serious vulnerability. Note that this is the research that was mistakenly reported as allowing hackers to set your printer on fire.

Here's a list of all the printers affected.

Tags: firmware, hardware, HP, malware, patching, printers, zero-day

Posted on January 6, 2012 at 1:50 PM • 22 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

Dom De Vitto • January 6, 2012 3:46 PM

Um, I think the list will probably get a lot bigger than this - it was possible to root LJ4s back in the day, and even the newest sub-$50 'All-in-Ones' have features like automatic update, email-to-print etc. - and those need similar scrutiny.

Oh, and what gives with publishing ftp logins in that document?
The document is available using ftp:

ftp.usa.hp.com
account: sb02728
password: Secure12

ftp://sb02728:Secure12@ftp.usa.hp.com/

???

Jon Marcus • January 6, 2012 3:57 PM

Not to trivialize this, but it seems like it'd be tough to get a malicious document to a printer. Wouldn't that require user interaction, (i.e. some pretty significant social engineering) to make that happen?

Mike • January 6, 2012 4:30 PM

HP still has lots to do in terms of securing the firmware update process, not just fixing vulnerabilities. As I mentioned in a recent piece on the issue, how many organizations and individuals monitor printers and other non-PC networked devices for potential attacks? Not many. And most do not have the ability to do so.

http://www.securityweek.com/...

Mike

Wendy M. Grossman • January 6, 2012 4:36 PM

Jon: my write-up (which mentions the fire angle because how can you not, but I hope made plain that this wasn't the biggest issue - and which was somewhat earlier than the headlines) I hope explains the vector (http://www.newswireless.net/index.cfm/article/9301) - basically, they uncovered a way to embed malware in documents being sent to the printer, which must interpret some of the more sophisticated stuff in order to print it.

kingsnake • January 6, 2012 4:54 PM

My HP laser is at least 15 years old (back when you could still trust an HP product). Do I still need to patch it?

Dom De Vitto • January 6, 2012 5:22 PM

Jon Marcus: HP have been going crazy for 'email a document to your printer' technology :-( In this case, the emailed document is converted by HP, but the resulting output document still results in breach.

kingsnake: A thing with 8k of ROM _will_ have input bugs, on top of the telnet/ftp management.

Bernd • January 6, 2012 6:10 PM

"Print Me If You Dare
Firmware Modification Attacks and the Rise of Printer Malware"
http://www.youtube.com/watch?v=gRGEnakrx9o
First hand information (technical stuff from the authors of the report) from the CCC congress 28c3 in the youtube video above.
Malware in embedded systems might be worth some attention in the future.

Steve • January 6, 2012 8:33 PM

Reminds me of one of those fanciful old Opcodes that hackers used to invent:

HCF. . . Halt and Catch Fire.

hijack my momma • January 6, 2012 9:22 PM

Let's hear it for proprietary hardware AND software!

Now get busy and use your closed source tools to scan your closed OS, plebs!

Some examples of mystery code products which are closed and source code not available for screening by the user:

Spybot
Avast
Comodo - several security programs
Hijack This!
CCleaner
Ad-aware
Malwayrebyes Antimalware
Super AntiSpyware

millions of idiots scanning their closed systems with closed code, giving all those files of theirs to a closed os and closed scanners, some using "the cloud" to reveal the files on their hard drive across the internet. brilliant.

foo • January 7, 2012 1:07 AM

This is most excellent for those who want to jailbreak their printer, remove the installed firmware and run Free Software.

Rob • January 7, 2012 3:57 AM

@hijack my momma
... and your recommended open source alternatives for CCleaner and Malwarebytes Antimalware are? I select those two because I am one of the millions of idiots who scan their machines with them. But I'm always open to learn.

Jens (the other one) • January 7, 2012 12:48 PM

Word allows the attacker to add data to a document which is directly sent to the printer. (And which is used for legitimate purposes as well...)

Send someone a hacked coupon for a free Big Mac, coffee, whatever - and you are done.

Particular Random Guy • January 7, 2012 2:13 PM

I would really patch my printer, if I had a windows machine at hand, being able to run that stupid windows update program. :-/

Natanael L • January 7, 2012 4:35 PM

@hijack my momma: Do you know of a better free HIPS like software than Comodo CIS for Windows? (And yes, I need Windows for school. AutoCAD, etc...)

Robin Bradshaw • January 8, 2012 2:32 AM

@Particular Random Guy You should be able to extract the update .rfu and print it by connecting to your printer with FTP and put the rfu to the printer, see update instructions here http://h20000.www2.hp.com/bizsupport/TechSupport/...

Alex • January 9, 2012 7:57 AM

Quite a few printers can receive e-mail...

Bill P. Godfrey • January 9, 2012 8:19 AM

Forged email from the companies CEO?

All employees please print out and sign the attached form to qualify for the annual bonus payment and send it to the national tax office. This is a new tax requirement and we will not be able to pay your bonus without this form.

Next day, the tax collectors get a load of scrap paper in the mail and no-one in management or IT realises what happened.

paul • January 9, 2012 8:32 AM

It shouldn't be too hard to conjoin this attack with one that infects all the currently-accessible Word or Excel or whatever documents on a user's machine. That way, when anything gets printed, the printer gets rooted.

The beauty of attacks like this is that they don't have to bear fruit immediately. If it takes week or months to compromise a network that's OK too.

karrde • January 9, 2012 8:42 AM

@Bill P Godfrey:

That's an effective attack vector.

Greg A • January 9, 2012 9:35 AM

Re: "Oh, and what gives with publishing ftp logins in that document?"

Clearly HP don't actually have web or file servers. It's all done by emailing the files you want served to a big printer, then publishing the printer's admin login.

Doug • January 9, 2012 2:47 PM

I'd love to patch my printer, but the patches ONLY run on Windows.

x • January 11, 2012 2:24 PM

I'll bite.

"Do you know of a better free HIPS like software than Comodo CIS for Windows? (And yes, I need Windows for school. AutoCAD, etc...)"

Yes, it's called OSSEC:
http://www.ossec.net/

and:

Suricata:
http://www.openinfosecfoundation.org/index.php/...

I don't believe you need Windows when Linux and WINE/Crossover are available:

http://www.winehq.com/
http://www.codeweavers.com/

If the programs don't run, blame it on the proprietary theology of Windows, brought to you by One Microsoft Way.

"and your recommended open source alternatives for CCleaner and Malwarebytes Antimalware are? I select those two because I am one of the millions of idiots who scan their machines with them. But I'm always open to learn."

Try one:
(and install WINE or Crossover for Windows apps)
http://www.distrowatch.com

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D