Although computers and mobile devices seem to be at the top of cybercriminals' hacking to-do lists nowadays, researchers from Columbia University are warning of a devastating hack attack targeting local printers.
A new study from Columbia University's Department of Computer Science claims tens of millions of Hewlett-Packard printers are vulnerable to attack. According to HP, the flaws exist in its LaserJet printers made before 2009, but researchers claim other brands could possibly harbor the vulnerabilities as well.
Few details have leaked regarding the printer attack research. According to an Internet Storm Center (ISC) blog entry, before installing a firmware update, the printers in question don't check digital signatures. The devices' Remote Firmware Update feature doesn't require authentication or even a password for the update to commence, making it easy for hackers to compromise the machines. "Long story short, for an embedded system (or any system for that matter) if you can rewrite the operating system you can control the device and make it do all sorts of unintended things," wrote John Bambenek, one of the ISC's blog handlers.
The researchers demonstrated that an attacker theoretically could remotely set a printer on fire by overheating a fuser, penetrating computer networks and erasing code. HP, however, released a statement claiming the charges are sensational and the possibility of the machines catching fire is false, saying the LaserJet printers contain a thermal breaker that is designed to prevent this from happening.
However, the company did admit it has identified a potential security vulnerability but only if placed on a public Internet without a firewall.
Organizations shouldn't panic because the technical details haven't yet been released, said Ed Skoudis, a SANS instructor and a founder and senior security consultant with InGuardians, a Washington, D.C.-based information security consulting firm. Skoudis said enterprises should already be monitoring their printers and ensuring they are not connected to the Internet. "Keep the devices patched and set some network filtering to constrain the printer to a limited set of connections," Skoudis said.
"Compared to the problem that mobile phones and tablets pose to corporate networks, this is small potatoes," Skoudis said. "This is interesting and unique because of the physical threat posed via cyber-means, but we need more details before we can assess the risk."
The Columbia University researchers are also claiming there is no easy way to detect a breach. "Best practices are likely sufficient to prevent against this attack, namely, you should never have printers (or any other embedded device for that matter) exposed to the Internet," Bambenek wrote. He added that other than firewalling the device, monitoring traffic to and from the machine for anything other than its print jobs should give users a sign that something is awry.
HP said it is working on a firmware upgrade to mitigate the issue, but in the meantime, users should, like Bambenek explained, secure the machines with a firewall and disable remote firmware upload on exposed printers.
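The advice above from Skoudis and Bambenek (constrain the printer to a limited set of connections, and watch for traffic other than print jobs) can be expressed as a check over network flow records. This is an added example, not code from the article, ISC or HP; the addresses, the print-server allowlist, the port list and the record layout are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the article): addresses, allowlist and record layout
# are constructed for illustration.
PRINTERS = {ipaddress.ip_address("10.20.0.50")}
PRINT_SERVERS = {ipaddress.ip_address("10.20.0.10")}
# Common TCP print-submission ports: raw/JetDirect 9100, LPD 515, IPP 631.
PRINT_PORTS = {9100, 515, 631}

# Constructed flow records: initiator, responder, responder TCP port.
SAMPLE_FLOWS = """\
10.20.0.10 10.20.0.50 9100
10.20.0.10 10.20.0.50 631
10.20.0.77 10.20.0.50 9100
10.20.0.10 10.20.0.50 23
10.20.0.50 198.51.100.7 443
10.20.0.77 10.20.0.12 445
"""

def classify(src, dst, dport):
    """Return a reason string if the flow breaks the printer policy, else None."""
    if src in PRINTERS:
        # Assumed policy: printers only answer print jobs, never dial out.
        return "printer initiated a connection"
    if dst not in PRINTERS:
        return None  # flow does not involve a printer
    if src not in PRINT_SERVERS:
        return "source is not an approved print server"
    if dport not in PRINT_PORTS:
        return "non-print port on printer"
    return None

def audit(flow_text):
    """Return (record number, reason) for every flow that needs a look."""
    findings = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        fields = line.split()
        try:
            if len(fields) != 3:
                raise ValueError("wrong field count")
            src, dst = map(ipaddress.ip_address, fields[:2])
            reason = classify(src, dst, int(fields[2]))
        except ValueError:
            reason = "unparseable record"  # never skip bad input silently
        if reason:
            findings.append((lineno, reason))
    return findings

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE_FLOWS):
        print(f"flow {lineno}: {reason}")
```

In practice the allowlist would also need entries for whatever management or scan-to-mail traffic the printers legitimately generate, otherwise those flows show up as findings.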
Network printers, scanners and copiers have long been identified as a potential attack vector because they often store sensitive documents in their print spool. A CBS News report in 2009 highlighted the problem of digital images stored on photocopiers. The news organization pulled hundreds of student names, home addresses, cell phone and Social Security numbers stored in the copier's hard drive.
~SearchSecurity.com News Director Robert Westervelt contributed to this report.






1 comments:
makes me nervous for owning a HP printer