Imagine your tax return with all kinds of your personal information printing out not just on your printer but also on a criminal's in another country thousands of miles away. Is this really possible?
After months of research, Computer Science Professor Salvatore J. Stolfo
and his Ph.D. student, Ang Cui
, at Columbia University’s School of Engineering and Applied Science say it is. Hewlett-Packard LaserJet printers, for one, have a major security flaw, they’ve discovered. Most likely other printers do, too, and this problem is not an easy fix.
"We've discovered a whole new class of flaws that could impact all of us, consumers, businesses, universities, government agencies," Stolfo said. "The primary flaw we found is that the HP 2055DN printer allows any firmware update without checking the authenticity of that firmware—the firmware isn't digitally signed to determine whether it is legitimate HP-issued firmware or not. This means that the printer’s operating system could be entirely replaced by anyone, including malicious attackers.
“While we tested just three models of HP printers, not all models, it’s pretty clear that even home printers that aren't directly connected to the Internet are at risk—as long as your printer is hooked up to a computer, it could be used to launch attacks or as part of a botnet. These devices are completely open and ready to be exploited.”
Stolfo and Cui were working on developing new advanced security technology to protect embedded systems widely deployed on the Internet, such as routers, VOIP phones, and printer firmware, andhow they might inject this new technology—called Software Symbiotes—into existing embedded systems. Several months ago, they successfully injected Symbiotes into Cisco routers to protect them from hacker attacks. While studying how to embed Symbiotes into HP printers, they discovered the major flaw.
“It is fortunate that we discovered the flaw and alerted HP,” Stolfo noted. “We provided the technical details we uncovered, and have offered a number of strategies for HP to develop specific solutions to mitigate the risks. We are looking forward to working with them.”
Stolfo’s group discovered the security flaw involving the firmware that runs most of these devices. HP LaserJet printers allow firmware upgrades, and each time a printer accepts a job, it checks to see if a software update is included. So Cui figured out how the firmware upgrade feature worked and noted that the printer accepted any firmware that was unsigned. This permits the printer to erase its operating software and install a booby-trapped version.
“This security vulnerability is so fundamental that it may impact tens of millions of printers,” said Cui. “And it could affect other devices that use similarly flawed firmware update mechanisms. We did a quick scan of unprotected printers available on the internet left open to Internet attack and found more than 40,000 that could be infected within minutes.”
Now is the time to alert printer manufacturers and to get them to think more seriously about their existing security architectures, say the researchers. The primary goal of their research is to identify weaknesses and improve the security of a large body of deployed embedded systems, including printers, which represent only one kind of embedded system.
“It’s conceivable that most of the printers that are currently deployed are vulnerable,” Stolfo added. “Printers that permit unsigned software upgrades from print jobs are open to this kind of hack. The question is how can we push out fixes to ensure these devices are not successfully attacked by malicious adversaries? This is a fundamental industry-wide call to arms to protect embedded systems in much the same way our PCs and servers are automatically updated with patches and fixes. Alerting industry to focus on securing embedded systems will ultimately benefit all home and office users, and make the internet safer than it is today.”
“Yes, we urge vendors in the industry to review their existing products for similar flaws,” said Cui.