Researchers claim that HP laser printers can be hijacked to steal data and catch fire


The news was abuzz yesterday with coverage of a study released by Columbia University researchers warning consumers that HP laser printers are wide open to remote tampering and hacking. The researchers claim that the vast majority of printers from HP’s LaserJet line accept firmware updates without checking for any sort of digital authentication, allowing malicious users to abuse the machines remotely. The researchers go so far as to claim that modified firmware can be used to overheat the printer’s fuser, causing fires, to send sensitive documents to criminals, and even to force the printers to become part of a botnet.

Officials at HP were quick to counter the claims, stating that all models built in 2009 and beyond require firmware to be digitally signed. Additionally, they say that all of the brand’s laser printers are armed with a thermal cutoff switch which would mitigate the fuser attack vector before any real fire risk would present itself. Despite HP’s statements, the researchers stand by their claims, asserting that vulnerable printers are still available for purchase at major office supply stores.

While most external attacks can easily be prevented with the use of a firewall, the fact that these printers accept unsigned firmware is undoubtedly an interesting one. We are curious to see if these revelations inspire anyone to create their own homebrew LaserJet firmware with advanced capabilities (and low toner warning overrides), or if this all simply fizzles out after a few weeks.

Comments

  1. Tron9000 says:

    Interesting…….but daft. 2 words: THERMAL FUSE.

    To comply with CE, FCC, UL (etc.) certification, thermal cutout must be included in machines that are designed to or have heating functions.

    Though pulling out documents and turning the printer over to a botnet is more believable.

    • Rodders says:

      I agree, all laser printers have a thermal fuse. Some of the bigger printers have several thermal fuses.

    • M4CGYV3R says:

      The thermal fuses will prevent the heater from melting down or shorting out and catching fire, but there’s nothing to say it can’t get stuck on a piece of paper and catch IT on fire without tripping the fuse. I would wager the fusing temp of the metal-and-plastic heater is probably higher than that at which paper burns.

      To that end, I recently got some high-temp cutoff switches which trip at 300deg C. That would be plenty to burn paper.

      • Sven says:

        The thermal cutoff is placed in such a way that it measures the hot surface. On classically designed laser printers the heater is a halogen lamp inside a rubber coated aluminium tube. On newer cheap models the heater can be a very long ceramic resistor. Both versions have electromechanical cut off switches that prevent the hot surface from going beyond a certain point.

        Neither regular paper nor laser printer transparent film should be able to autoignite at these temperatures, they are set in order to prevent such an event.

        Even if a single sheet of paper were to ignite inside the printer the plastic is usually flame resistant and the space is too small to allow the paper to burn very fast.

      • MotoRider42HC says:

        @M4CGYV3R

        *cough* Fahrenheit 451 *cough*

        Sorry, but 300 degrees is not enough.

      • MotoRider42HC says:

        @M4CGYV3R

        o.O

        Didn’t see that C on the next line. NVM.

  2. firestorm_v1 says:

    This is bollocks. While it may be possible to instruct the printer to leave the fuser “on”, it is equipped with a thermal fuse explicitly to avoid getting hot enough to start a fire. This thermal fuse is installed in series with the heater (usually a long halogen lightbulb) and when opened cuts power to the halogen bulb. This failsafe cannot be overridden with software.

    While vulnerabilities exist to send sensitive documents outside of the network, compromising the firmware, etc., there are hardly any ways to cause the printer to start a fire.

  3. Vince Mulhollon says:

    “curious to see if these revelations inspire anyone to create their own homebrew LaserJet firmware with advanced capabilities”

    Could someone whip up a firmware with an “extra sticky/heavy toner for circuit board iron on transfers” option?

    Also you just know it that someone out there is gonna create a firmware that changes all printed large graphics bitmaps to the goatse guy or the pepper spray guy or something like that. I think that’s almost infinitely more likely than toner fires.

    • Shadyman says:

      There are settings in my Color Laserjet to set print density for each color for highlights, contrasts, midtones, shadows, etc., and there are epically granular options, for example, you can have a print mode with More Fusing (+2), More Transfer (+5) or even to adjust the direction of the paper curl caused by the fuser.

      I’m curious to try toner transfer from it, though I’d imagine my good ol’ LaserJet 4M+ set at max toner is still the epic printer of awesomeness for it.

  4. David Rysdam says:

    …vulnerable printers are still available for purchase at major office supply stores.

    And, more the point, already purchased and in use in millions of homes and businesses around the world.

  5. fartface says:

    I have been getting into HP jetdirect cards and boxes and printers for years. 1992 called, it wants the 2011 researchers to get some education.

    Wow Computer science researchers are lame lately.

  6. M4CGYV3R says:

    I fully believe what they say. I used to connect to a network printer with a PCL terminal and change the text readout on the printer to freak out coworkers. I see no reason this couldn’t be done remotely if the network itself was compromised.

    There were some frightening settings in there, as well, such as toner dispense amounts, laser charge duration, laser pass counts, and coronal voltages.

  7. DanJ says:

    It’s not the laser printers I’m particularly afraid of but the use of off-the-shelf operating system in life critical systems such as remote surgery robots…

  8. Ted Smiles says:

    I agree with the claims. I started researching the same thing a couple of years ago. Thermal fuses will limit the chance of it starting fire, but flashing it with a firmware upgrade is definitely a security risk, and it’s not just HP. Virtually all modern printers pose the same risks.

    Printers are still computers. They have a processor, storage, memory, operating system, and networked printers have advanced communications.

    Printers usually have telnet services running, FTP services running, and HTTP services running.

    The network printer is an excellent attack vector. It is a device where communication traffic is expected, where privileged access is often provided, is often on its own VLAN not monitored for malicious traffic, not usually suspected by security experts, is immune to virtually all anti-virus software, and it can sit dormant for specific events to come in.

  9. Ted Smiles says:

    Additional notes

    I want to add, that not only can these activities take place on printers, but there are Monitors that meet all the same requirements, and Keyboards, and even Mice.

    • DanJ says:

      And NAS boxes, and routers, and set-top boxes, and TVs, etc, etc. And that’s just in the home. Outside the home there are countless internet-connected devices that probably rarely ever get security patches. From industrial controllers, to media devices and communication devices in the public, to lab equipment and medical devices. It’s the wild west on the internet.

  10. Andrew says:

    I’d love to see a video of someone uploading hacked firmware to one of the printers that would cause it to overheat and catch fire.

    I believe everyone else that there’s probably a thermal fuse in there, but if it has never been tested, how do we know it works?

    • Rachie says:

      The thing about fuses is you can’t test them without destroying them. Then again, they’re extremely reliable, being based on simple physical principles such as the melting point of a metal. Thermal fuses are just as reliable as electrical fuses.

      You could simplify the test by sticking a piece of paper in the fuser, and running it at full power until it either shuts down or starts on fire.

  11. Nice work by these guys, but I would say they are wasting their talent focusing on something that is of a minimal risk.

  12. Smeeg says:

    Excellent use of the ol’ HCF instruction.

  13. jcroll says:

    Unsigned firmware updates?

  14. jc says:

    I’ve got a vulnerable one. In foo2zjs package, you have an open source example way on how to push firmware into them (performed automatically in its udev hook when the printer gets connected).

  15. kocoman says:

    Is it possible to add support for wifi for a printer that does not support it (i.e. the hardware is there, it’s just a firmware difference)?

  16. o4tuna says:

    On custom firmware: I used to work for HP. They sell several printers that are “families,” where the same printer mechanicals have cheap, mid & expensive models, differing in the pages per minute (and sometimes quality) they can print. There were disks floating around the office that would allow you to flash the firmware of the cheap model & make it have the features, including speed, of the expensive models…
    Hope someone more knowledgeable than I can use this little tidbit…

  17. kocoman says:
  18. Chris says:

    This is exactly why I use my trusty ole’ dot matrix printer……

  19. Mark says:

    This is equivalent to having Windows Update set to Auto-Update with no verification of what is downloaded. With a simple hack, you could redirect countless printers to your servers to install custom software. Imagine what a state actor like China could do with this kind of flaw. How many senators have printers in their office?

  20. therian says:

    With HP’s greedy tactics on cartridges, why does anyone bother buying HP printers?

  21. anyone says:
    • >welcome to 2005 hackaday

      pOwned long before that. It seems that the PostScript password to the onboard interpreter is an open secret. I recall at least one practical joke that would tumble random letters or something. It was published in hardcopy in a zine decades ago.

      Of course, no one programs in PostScript nowadays. Except for Don Lancaster.

  22. medix says:

    Enough of this BS. Where the hell is the *actual* research study publication? I can’t seem to find any listing of the study or journal it was published in (unless it’s unpublished?)

  23. medix says:

    Here’s one paper, though I don’t think it’s the one that this article was based off of:

    http://ids.cs.columbia.edu/sites/default/files/paper-acsac.pdf

  24. qwerty says:

    While I highly doubt the fuser can be tampered with at firmware level (you always add hardwired safety circuitry), everything containing an embedded board can be hacked to make it do what you want. Multifunction printers can send what you scan or print to a 3rd party, mini printer/scan servers can do that too, routers can be hacked too, etc. Nothing new.

  25. space says:

    Congrats for the first printer ever to have built in remote privacy protection. Just put it close to paper file racks and make sure office is insured.
