Printer Vulnerabilites Almost as Bad as IoT

Recently ZDNet and Gizmodo published articles outlining a critical flaw in a large array of personal printers. While the number of printers with this flaw is staggering, the ramifications are even more impressive. Ultimately, any of these printers could have documents sent to them stolen even if the document was only intended to be printed as a hard copy.

Luckily the people responsible for this discovery are white-hat in nature, and the release of this information has been made public so the responsible parties can fix the security flaws. Whether or not the “responsible party” is the manufacturer of the printer, though, is still somewhat unclear because part of the exploit takes advantage of a standard that is part of almost all consumer-grade printers. The standard itself may need to be patched.

Right now, however, it doesn’t seem clear exactly how deep the rabbit hole goes. We all remember the DDoS attack that was caused by Internet of Things devices that were poorly secured, and it seems feasible that networked printers could take some part in a similar botnet if a dedicated user really needed them. At the very least, however, your printed documents might not be secure at all, and you may be seeing a patch for your printer’s firmware in the near future.

 

30 thoughts on “Printer Vulnerabilites Almost as Bad as IoT

    1. Unless the flaw is in the raster image processor implementation; in which case you just need to find some sucker on the LAN to print a suitably bugged document for you.

      I think that they do some sort of verification now(in response to somebody pointing out the insanity of not doing so); but HP’s firmware update process involves merely sending the printer a suitably crafted piece of PJL as an ordinary print job. Most users don’t know or care; but there is zero access control: if you can print to the printer, you can update the printer’s firmware. And that is the official, by-design, method; no exploits involved.

    2. Well if you happen to work in IT at a large company no external firewall is going to save you. You now have to consider that any printer that is network-accessible by both high level and low level employees is rife with the potential for data theft. Maybe not a big deal for a lot of companies — someone might get access to someone else’s salary info, for example — but if you think about a financial ratings company like Moody’s or Standard & Poor’s you’ve got a problem much larger than just the physical security of every printer in the network. Have fun trying to secure that.

      1. You could vet personnel, and have physical barriers to certain areas for those not approved.
        That’s what they do in sensitive information handling organizations that have any kind of sense – or accountability.

  1. Whether or not the “responsible party” is the manufacturer of the printer, it doesn’t really matter if the end user cannot or will not or doesn’t know how to or doesn’t care to or doesn’t know about how to even start trying to patch these. Let alone the fact that they largely should not be responsible for doing so to begin with. Compliance rates of patching of these in a household environment are going to be atrociously low.

    Interesting link %5D you have going on there as well.

    1. Its mostly about PostScript exploits, so it works over USB as well.

      But let’s be real, if you can access the printer through USB, you already can get the documents directly. And if you are on a network with it, you can also likely dump the document from the network.

      1. Networks are encrypted though. a printjob itself isn’t.
        I wonder if there are printers that receive something like PGP encrypted stuff and the internally decrypt it (with stored keys maybe) before print. You know, at the NSA/CIA or some such maybe.

          1. Q 1.5: How is Wireshark pronounced, spelled and capitalized?

            A: Wireshark is pronounced as the word wire followed immediately by the word shark. Exact pronunciation and emphasis may vary depending on your locale (e.g. Arkansas).

  2. And that’s why printers should live on their own VLAN with restrictive router/firewall rules in place. Even my lowly LaserJet 4 is off on its own VLAN, and can’t initiate connections to anything else.

    W.R.T. the suggestion that, if a printer has a routable IP, you’re doing it wrong — don’t forget that a lot of stuff supports IPv6 now, NAT was never a replacement for firewalls, and even if you’ve got the printer on a public IPv4, appropriate firewalling and access control can make it safe.

      1. By routable IP @glitch means reachable from the Internet. When using IPv4 only your router gets a routable IP, your inner network gets private IPs. That’s what NAT is. This makes printers on the internal network automatically unreachable from the Internet, therefore it’s (somewhat) safe from attacks. IPv6 is capable of delegating an entire subnet of public addresses to your router so that everything on your internal network can get its own, publicly routable IPv6 address. @glitch’s point is not that IPv6 is more secure, but just the opposite: you don’t get the automatic “protection” you get with IPv4 NAT.

    1. When was the last time you audited your printer’s Postscript interpreter for vulnerabilities?

      Ah, thought so.

      Based on your comment I have the hunch that you don’t even begin to understand the depth and ramifications of this.

  3. Hopefully the firmwares being pushed (If ever) are for IP/network printers only and won’t affect my portable HP dj450 printer as it’s current firmware allows forced printing, even if the cartridges are bone dry (literally, when I got it, both cartridges were reported by the printer as being empty, and it happily printed blanks, as many as I wished for!!!).

    They were targeted to lawyers, solicitors, insurance Co. So I guess back when HP and other major manufacturers cared, they were making sure the end-user had full control

  4. This reminds me of my I mean my friends younger days, He worked in a call centre this was quite a big call centre with massive staff turnover, Calling people selling them windows, doors, kitchens, etc. Well part of the job was to build interest for a call back with an appointment booker. All interested calls were printed on the same printer to be taken over to the appointment bookers. Anyway my friend played around with the print spooler on the network blocking prints and redirecting them to his computer to reprint them under his name. Worked well he made a lot of commission while it lasted.

  5. As an undergrad I had a campus job at my university in the administrative computer center where they had a 370 MVS system. I couldn’t see any student data, but I could see the print spool as jobs were being printed. The print job of the student grade reports was very long and stayed in the spool a long time. So I could see my and my friends grades (well I guess everyone’s grades but I didn’t look) even before they were printed.

  6. Isn’t it about time someone kickstarted an open-source printer? Even lasers suck these days, our office one (which wasn’t cheap) demanded a new imaging unit after only a year or two of minimal use.

    If someone could open-source / kick-start an HP Laserjet 4 era clone I’d buy several.

    1. At home where there is no tax incentive to buy new printers, I use old HP’s. I am currently using a HP LaserJet Q1334A which is circa 2005 or 12 odd years old. It works fine with Windows 7. I do have a newer but still old color laser.

      I just had to rough up the paper separator on the old HP with some emery paper so it should be good for another four years. On the other hand a new printer wont last 4 years, you just use them until their first failure and bin them and then go get another one.

      The first laser I had lasted about 17 years. On it’s last failure a plastic gear broke. All of the plastic has started to decompose so when I tried to disassemble it, it was simply crumbling and falling apart in my hands so I retired it.

  7. Back when I was at school, our biggest fun was to send 100 blank pages to print in the (no credentials required) shared printer in someone’s room and then pass by the windows to laugh of his “wtf!?” face looking at the mad printer spitting out all pages.

  8. A number of comments here about ‘fixing’ networked printers so they can’t be accessed from outside a WAN.

    Unfortunately the way printers are networked on a LAN subset of a WAN is already the best that can be done without fixing the firmware.

    For example there was a suggestion of fire-walling them. On a WAN things break from time to time. The causes of the most disruption are broken WAN links and the failure of LAN boundary devices because of a very high dependency on these things.

    With boundary devices you only need small quantity unit failure (perhaps a single router) and it falls in a heap. There’s not a lot that can be done about that (apart from redundancy) because you need a place to put the firewall rules.

    Printers have a more or less autonomous network connection with a built in server to bridge TCP/IP back to something useful for the printer.

    If you want to firewall printers then you back to the problem of low quantity unit failures bringing ALL the printers on a LAN down.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s