Update on HP LaserJet Security Issue
Dec 07, 2011 13:00 by Mike Derges
Last week I wrote about how researchers at the University of Columbia had found a security flaw in some HP LaserJets that enabled them to completely rewrite the operating system of the affected printers. Well, since then there have been a couple of developments in the story.
Firstly, Professor Salvatore Stolfo has made another statement, going into more detail about the extent of the vulnerability. Secondly, HP have had a class action lawsuit brought against them for allowing the flaw in the first place.
In a second press release Stolfo mentions that one of the affected models is the HP LaserJet 2055DN. This is a highly popular printer, and if the hack is as easy as the Columbia team believe then there could be thousands of printers sitting on desks just waiting to be attacked. Indeed, researcher Ang Cui said that he “did a quick scan of unprotected printers available on the Internet left open to attack and found more than 40,000 that could be infected”.
The team went further in explaining the nature of the exploit. According to Stolfo, the printers don’t even need to be directly connected to the Internet to be infected; a simple connection to a computer would be enough. Clarifying the nature of the trick, Ang said that the printers, when presented with a print job, check for an update to their firmware. The problem occurs because the printers don’t check that any update they find has a certificate from HP. This allows any software to run on the system and replace the legitimate firmware with firmware written by a potential attacker.
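The missing check described above, as an added sketch that is not from the researchers, HP or the original article: a simulated update handler that installs whatever it finds in a job, beside one that verifies a vendor signature first. The job format, the function names and the toy RSA key are all assumptions made for the illustration.

```python
import hashlib

# Constructed demo key: N is a product of two Mersenne primes, so it is trivially
# factorable. Illustration only; a real device would pin the vendor's RSA/ECDSA
# public key and verify a padded signature with a vetted crypto library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
_D = pow(E, -1, (P - 1) * (Q - 1))  # vendor private exponent; never on the device
SIG_LEN = (N.bit_length() + 7) // 8

def _digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def vendor_sign(image: bytes) -> int:
    """Vendor build server: sign SHA-256(image) (textbook RSA, demo only)."""
    return pow(_digest_int(image), _D, N)

def make_job(image: bytes, sig: int) -> bytes:
    """Hypothetical job format: b'FWUPDATE' + 4-byte length + image + signature."""
    return b"FWUPDATE" + len(image).to_bytes(4, "big") + image + sig.to_bytes(SIG_LEN, "big")

def split_job(job: bytes):
    """Return (image, signature) if the job carries an update, else None."""
    if not job.startswith(b"FWUPDATE"):
        return None
    size = int.from_bytes(job[8:12], "big")
    image, sig = job[12:12 + size], job[12 + size:]
    if len(job) < 12 or len(image) != size:
        raise ValueError("truncated update")
    return image, int.from_bytes(sig, "big")

def handle_job_unchecked(job: bytes, flash: list) -> str:
    """Behaviour described above: any update found in a print job is installed."""
    update = split_job(job)
    if update is None:
        return "printed"
    flash[:] = [update[0]]
    return "flashed"

def handle_job_verified(job: bytes, flash: list) -> str:
    """Hardened: install only if the signature verifies under the vendor key."""
    update = split_job(job)
    if update is None:
        return "printed"
    image, sig = update
    if not 0 < sig < N or pow(sig, E, N) != _digest_int(image):
        return "rejected"  # flash is left untouched
    flash[:] = [image]
    return "flashed"
```

The verified handler needs only the public values `N` and `E` on the device; the signing exponent stays with the vendor, so an image that was not signed there cannot pass the check.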
The researchers explained that they found the flaw while working on a new security technology to protect embedded systems, a class of technology that includes routers, VoIP phones, printers and other online-aware systems. They have previously worked on improving routers made by Cisco by injecting them with what they call Software Symbiotes to protect them from online hackers. The researchers said that “It is fortunate that we discovered the flaw and alerted HP, we provided the technical details we uncovered, and have offered a number of strategies for HP to develop specific solutions to mitigate the risks. We are looking forward to working with them.”
In a recently filed California lawsuit, HP is being sued by a Mr David Goldblatt. The suit claims that HP had known about security flaws in their printers for over a year and had done nothing either to fix the problem or even to warn consumers.
He alleges that back in April of 2010 HP commissioned a report called “Think print, Think Security” which went into depth about the security risks of HP printers. The report is quoted as saying that:
“Data can be intercepted and sent to a third party using a number of methods. Software on some printers could be modified to add this ability or other special features such as a network sniffer. This could be done by either uploading modified software or by modifying and replacing a chip on the printer’s circuit board.”
While this does initially look pretty damning, it’s worth pointing out that the report doesn’t explicitly state that firmware updates do not require digital signing.
HP are keeping tight-lipped about this area, saying that they “cannot provide any comment on pending litigation”.
As always, we’ll keep you abreast of all the developments with this issue. If you’ve been affected or need to know more, please leave us a comment below.