Schneier on Security
A blog covering security and security technology.
« Walls as Security Theater |
| I Received an Honorary Doctorate »
December 2, 2011
Hacking Printers and Setting Them on Fire
It's the kind of research result that screams hype, but online attacks that have physical-world consequences are fundamentally a different sort of threat. I suspect we'll learn more about what's actually possible in the coming weeks.
HP has issued a rebuttal.
Posted on December 2, 2011 at 1:17 PM
• 17 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
lp0 on fire ... no really
That reminds me that I haven't updated any printers at work with the status "Can haz moar tonar?" in a while.
This particular exploit may be hype-like, however one must realize that many of these printers are computers within themselves and they are often running many open services including telnet, www, ftp, etc. I have found printers without so much as a password, and I could change anything I wanted, including starting other services or installing drivers. In short, if you have an open path to be able to exploit these services then you can get a foothold inside the security perimeter, and thus a stepping stone to launch attacks against other machines of more significance.
Yes a prudent person should have their printer behind a firewall and the default password changed.
Every print I can remember has a thermal shutdown switch to prevent a malfunction. The researcher was unable to set a printer on fire and is spreading FUD on that subject.
At this web page to the address placed at the bottom,
I sent this reply to HP:
I read with interest the web page:
Ostensibly, you completely ignored earlier HP marketing campaigns for selling "network enabled" printers, so they could be use for "print anywhere" or "print from anywhere" activity. Tsk, tsk.
Making a printer available on the public network to be used for "print anywhere" or "print from anywhere", has got to be the worst product idea ever to come out of your company. This invites attack, or most certainly use of the device as a potential target for malware (a printer available on the public network is effectively a router which allows access to the local network, when compromised).
If HP is no longer providing this feature, then tell everyone. If you know how to disable this feature, then TELL everyone. If HP was using this feature for their own benefit, then get out of the business.
Printer on fire - that is a Linux joke. I remember when LPD error messages asked "Printer on fire ?"
Seems some people are tech humour impaired ;-)
This is such an obvious grab for some headlines by these researchers. "We haven't managed to set one on fire, but we're sure we can" "We haven't managed to exploit this on any other manufacturer's printers, but we're sure we can." They are theorizing their way through too many conclusions without proving them out then using those for sensationalism. They quote "millions" of weaknesses, though the weakness depends on having a laserjet AND it not being behind a secured firewall. Since most home users have an inkjet rather than the more expesive laserjet there will be limited home users who are at risk. Also, since most businesses protect themselves by limiting external access rather than securing every device there will be limited exposure there as well. Not only does this scream hype, it's sensationlist hype to try to get the researchers some headlines. How much do you want to bet it's nearly time to renew their grant?
I think you mean s/Hacking/Jailbreaking/
So, this is the same HP that allows (or used to) telnet to the broadcast address? The one that sells (sold) a "networked" all-in-one that would blue-screen (albeit, a tiny screen, but blue, and full of hex digits) if you had the temerity to plug it into a network?
They used to have pretty good mechanical designers, and I'd expect those folks to make sure they indeed have a thermal cutout not exposed to suppression by the software. But the software has pretty much always been crap. I was seriously relieved when it wouldn't run at all after my "Lion" upgrade.
Not to pick on only HP. The console printer on the IBM 1130 could be damaged by printing a certain character string repeatedly. But, like many other security issues, exploiting it remotely might may been an issue. Hmmm, as I wrote that I wondered if there was a way to sneak enough copies of that string into a log message...
I had a computer catch on fire due to (I think) fan failure. Overuse. Pre-WWW. Not networked. Not relevant I guess.....
"printer behind a firewall" - I see what you did there...
It would be great to install a "print-logger" that mails all the printer documents to my own mail :-)
Wasn´t that an episode of The Office where the printers all caught on fire? Got inspired by it? :) Although if I remember well that had nothing to do with hackers controlling the printers from afar.....
Is it that they are setting the printers on fire or do modern hp printers simply burst into fire on their own?
I used to be the worlds biggest hp fan. Their products cost more, but they were so thoroughly engineered they were worth it. I loved their oscillosopes. I have an hp-11c that I have carried on me every day since I bought it in June '83. I loved my hp laser printer and my hp deskjet and my hp photo printer(s). But about 10 years ago they seem to have said "hey our price/performance ratio has given us 80% market share in printers, but now we can increase profit by 3% and all we have to do is utterly eliminate utility, reliability and ruggedness!" and they have turned out nothing but rubbish ever since.
I replaced my mono laserjet with a network aware color laserjet and it failed within 1 year. I bought an hp rechargeable battery for my portable hp photo printer and it did not last to its first outing.
Fiction so easily believed and becomes dangerous fact!
In Sept 2011 my beautiful house in New Zealand was burnt down whilst we were 300Km away!
The investigation found nothing to explain it, no accelerants, trigger device or other arson indicators but Insurance company doesn't like the $2.5M claim!
Three weeks ago I was arrested! Charged because they claim I used remote access computer software installed on my laptop computer to remotely access a printer located at the insured property, which had been set up so as to be an ignition device when the printer was activated. Once ignition occurred, the fire spread throughout the house.
Now, I'm a 63 yo seriously ill retired man, admittedly with a lot of micro experience but not current in any way!
I had two Brother inkjet printers, identical but one was the wireless model.
It is clearly impossible to do anything to an inkjet to make it into an ignition device! Problem is proving it!
I wrote to Prof Stolfo at Columbia who published the research that obviously triggered this claim, HP and Brother but no replies at all!
I face a long jail term and the insurance company will walk away free all due to a myth being accepted as reality!
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.