This week was Microsoft Patch Tuesday, and you are probably all working now on getting the appropriate updates out to your PCs. But how well are you covering other software vendors, say Adobe, who also published a critical update this week, or Oracle, who will be giving us their Critical Patch Update (CPU) next week? You are good? Great! How about your printers?
Over the holidays, the 28th Chaos Communication Congress (28C3) was held in Berlin, Germany. Ang Cui from Columbia University presented his research, which focused on problems in HP printer firmware. While that sounded initially pretty dry, it turned out to be a very engaging and practical talk. In a nutshell, many (>50) current HP printers are vulnerable to a Remote Firmware Update (RFU) exploit, where an attacker can install new, malicious firmware simply by printing a document on the printer in question.
Ang demonstrated live on stage what can be done with this vulnerability. A colleague printed a document (his tax return, generated on the web), and it infected the printer with a new, backdoored version of the firmware. The firmware installed itself in under two minutes and then started sending every document printed on this printer to Ang’s personal printer. It also acted as a reverse IP proxy connecting out to the Internet, allowing Ang to attack internal, neighboring machines through the printer – in the demo he used MS08-067 via Metasploit to take control of a demo workstation.
HP has since fixed the vulnerabilities and new firmware packages are available here.
Overall one of my favorite talks of the CCC and well worth watching in its entirety. Congratulations to Ang and his team at Columbia. By the way, Ang’s research is not focused on printers, but on all kinds of embedded devices. This is a good reminder that in our efforts to use technology to enhance our daily lives by equipping more things with processing and networking capabilities, we are also increasing the ways that a malicious party could gain entry into our lives.
PS: If you are ready to fix your printers, QualysGuard helps you to identify this vulnerability in your network through QID 78050, "HP Printers and HP Digital Senders Remote Firmware Update Enabled by Default".