The news was abuzz yesterday with coverage of a study released by Columbia University researchers warning consumers that HP laser printers are wide open to remote tampering and hacking. The researchers claim that the vast majority of printers from HP’s LaserJet line accept firmware updates without checking for any sort of digital authentication, allowing malicious users to abuse the machines remotely. The researchers go so far as to claim that modified firmware can be used to overheat the printer’s fuser, causing fires, to send sensitive documents to criminals, and even force the printers to become part of a botnet.
Officials at HP were quick to counter the claims, stating that all models built in 2009 and beyond require firmware to be digitally signed. Additionally, they say that all of the brand’s laser printers are armed with a thermal cutoff switch which would mitigate the fuser attack vector before any real fire risk would present itself. Despite HP’s statements, the researchers stand by their claims, asserting that vulnerable printers are still available for purchase at major office supply stores.
While most external attacks can easily be prevented with the use of a firewall, the fact that these printers accept unsigned firmware is undoubtedly an interesting one. We are curious to see if these revelations inspire anyone to create their own homebrew LaserJet firmware with advanced capabilities (and low toner warning overrides), or if this all simply fizzles out after a few weeks.
Interesting…….but daft. 2 words: THERMAL FUSE.
To comply with CE, FCC, UL (etc.) certification, thermal cutout must be included in machines that are designed to or have heating functions.
though pulling out documents and turning the printer over to a botnet is more believable.
I agree, all laser printers have a thermal fuse. Some of the bigger printer have several thermal fuses.
The thermal fuses will prevent the heater from melting down or shorting out and catching fire, but there’s nothing to say it can’t get stuck on a piece of paper and catch IT on fire without tripping the fuse. I would wager the fusing temp of the metal-and-plastic heater is probably higher than that at which paper burns.
To that end, I recently got some high-temp cutoff switches which trip at 300deg C. That would be plenty to burn paper.
The thermal cutoff is placed in such a way that it measures the hot surface. On classically designed laser printers the heater is a halogen lamp inside a rubber coated aluminium tube. On newer cheap models the heater can be a very long ceramic resistor. Both versions have electromechanical cut off switches that prevent the hot surface from going beyond a certain point.
Neither regular paper or laser printer transparent film should be able to autoignite at these temperatures, they are set in order to prevent such an event.
Even if a single sheet of paper were to ignite inside the printer the plastic is usually flame resistant and the space is too small to allow the paper to burn very fast.
@M4CGYV3R
*cough* Fahrenheit 451 *cough*
Sorry, but 300 degrees is not enough.
@M4CGYV3R
o.O
Didn’t see that C on th next line. NVM.
This is bollocks. While it may be possible to instruct the printer to leave the fuser “on”, it is equipped with a thermal fuse to explicitly avoid from getting hot enough to start a fire. This thermal fuse is installed in series with the heater (usually a long halogen lightbulb) and when opened cuts power to the halogen bulb. This failsafe cannot be overridden with software.
While vulnerabilities exist to send sensitive documents outside of the network, compromising the firmware,etc.. there are hardly any ways to cause the printer to start a fire.
agreed, though be wary of guys turning up saying: “I’m here to fix the printer”
“curious to see if these revelations inspire anyone to create their own homebrew LaserJet firmware with advanced capabilities”
Could someone whip up a firmware with an “extra sticky/heavy toner for circuit board iron on transfers” option?
Also you just know it that someone out there is gonna create a firmware that changes all printed large graphics bitmaps to the goatse guy or the pepper spray guy or something like that. I think that’s almost infinitely more likely than toner fires.
There are settings in my Color Laserjet to set print density for each color for highlights, contrasts, midtones, shadows, etc., and there are epically granular options, for example, you can have a print mode with More Fusing (+2), More Transfer (+5) or even to adjust the direction of the paper curl caused by the fuser.
I’m curious to try toner transfer from it, though I’d imagine my good ol’ LaserJet 4M+ set at max toner is still the epic printer of awesomeness for it.
…vulnerable printers are still available for purchase at major office supply stores.
And, more the point, already purchased and in use in millions of homes and businesses around the world.
I have Been getting into HP jetdirect cards and boxes and printers for years. 1992 called it wants the 2011 researchers to get some education.
Wow Computer science researchers are lame lately.
I fully believe what they say. I used to connect to a network printer with a PCL terminal and change the text readout on the printer to freak out coworkers. I see no reason this couldn’t be done remotely if the network itself was compromised.
There were some frightening settings in there, as well, such as toner dispense amounts, laser charge duration, laser pass counts, and coronal voltages.
It’s not the laser printers I’m particularly afraid of but the use of off-the-shelf operating system in life critical systems such as remote surgery robots…
I agree with the claims. I started researching the same thing a couple of years ago. Thermal fuses will limit the chance of it starting fire, but flashing it with a firmware upgrade is definately a security risk, and it’s not just HP. Virtually all modern printers pose the same risks.
Printers are still computers. They have a processor, storage, memory, operating system, and networked printers have advanced communications.
Printers usually have telnet services running, FTP services running, and HTTP services running.
The network printer is a excellent attack vector. It is a device where communication traffic is expected, where privledged access is often provided, is often on it’s on VLAN not monitored for malicious traffic, not usually suspected by security experts, is immune to virtually all anti-virus software, and it can sit dormant for specific events to come in.
Additional notes
I want to add, that not only can these activities take place on printers, but there are Monitors that meet all the same requirements, and Keyboards, and even Mice.
And NAS boxes, and routers, and set-top boxes, and TVs, etc, etc. And that’s just in the home. Outside the home there are countless internet-connected devices that probably rarely ever get security patches. From industrial controllers, to media devices and communication devices in the public, to lab equipment and medical devices. It’s the wild west on the internet.
I’d love to see a video of someone uploading hacked firmware to one of the printers that would cause it to overheat and catch fire.
I believe everyone else that there’s probably a thermal fuse in there, but if it has never been tested, how do we know it works?
The thing about fuses is you can’t test them without destroying them. Then again, they’re extremely reliable, being based on simple physical principles such as the melting point of a metal. Thermal fuses are just as reliable as electrical fuses.
You could simplify the test by sticking a piece of paper in the fuser, and running it at full power until it either shuts down or starts on fire.
Nice work by these guys, but I would say they are wasting their talent focusing on something that is of a minimal risk.
Excellent use of the ol’ HCF instruction.
Unsigned firmware updates?
I’ve got a vulerable one. In foo2zjs package, you have an open source example way on how to push firmware into them (performed automatically in its udev hook when the printer gets connected).
Is it possible to add support for wifi for a printer that does not support it (ie: the hardware is there, its just a firmware difference)
On custom firmware: I used to work for HP. They sell several printers that are “families,” where the same printer mechanicals have a cheap, mid & expensive models, differing in the pages per minute (and sometimes quality) they can print. There were disks floating around the office that would allow you to flash the firmware of the cheap model & make it have the features, including speed, of the expensive models…
Hope some one more knowledgeable than I can use this little tidbit…
another printer hacking pdf
http://archive.hack.lu/2010/Costin-HackingPrintersForFunAndProfit-slides.pdf
This is exactly why I use my trusty ole’ dot matrix printer……
This is equivalent to having windows update set to Auto-Update with no verification of what is downloaded. With a simple hack, you could redirect countless printers to your serves to install custom software. Imagine what an state actor like China could do with this kind of flaw. How many senators have printers in their office?
with HP greedy tactics on cartridges why anyone bother buying HP printers?
Obvious troll is obvious.
welcome to 2005 hackaday
http://www.irongeek.com/i.php?page=security/networkprinterhacking#DoSing%20the%20network%20or%20the%20printer
>welcome to 2005 hackaday
pOwned long before that. It seems that the postscript password to the onboard interperter is an open secret. I recall at least one practical joke that would tumble random letters or something. It was published in hardcopy in a zine decades ago.
Of course, no one programs in postscript nowadays. Except for Don Lancaster.
Enough of this BS. Where the hell is the *actual* research study publication? I can’t seem to find any listing of the study or journal it was published in (unless it’s unpublished?)
Here’s one paper, though I don’t think it’s the one that this article was based off of:
http://ids.cs.columbia.edu/sites/default/files/paper-acsac.pdf
While I highly doubt the fuser can be tampered with at firmware level (you always add hardwired safety circuitry), everything containing an embedded board can be hacked to make it do what you want. Multifunction printers can send what you scan or print to a 3rd party, mini printer/scan servers can do that too, routers can be hacked too, etc. Nothing new.
Congrats for the first printer ever to have built in remote privacy protection. Just put it close to paper file racks and make sure office is ensured.