Is your printer a security risk?

25 Jul 12 01:16 by imkidd57 in category General computer hardware

Print this page

Strange as it may seem, your printer could be a gateway to hackers and become a back-door entry point for malware. And what’s more, this was known over seven months ago and yet research to be published this week indicates that the vast majority of printers still remain vulnerable.

The story started last November with a proof-of-concept experiment carried out by two American academics, who hacked into a Hewlett-Packard laser printer via a bogus firmware update and installed malware that potentially could permanently damage the printer. The event was publicised, and the response from HP was to issue a deluge of official firmware updates that allegedly fixed some of the vulnerabilities.

Now, seven months later, the same academics have carried out a survey into the security of peripherals, and found that only 1-2% of HP laser printers had been updated to the more secure firmware versions, and even when they had, one in four was still using the default password settings for printer updates.

It seems likely that other brands of printer would show a similar vulnerability, since their operating systems are based on Linux routines that are commonly used. For example it is asserted that there are over 100 known vulnerabilities in the OpenSSL encryption protocols that could turn the printers into “reconnaissance devices that operate behind corporate firewalls, spread malware to internal systems, and even exfiltrate printed documents outside of a protected site”. One of the potential key flaws that many modern laser printer possess, is that they can transmit and receive emails and other documents from cloud-based sources. So don’t be surprised if you start to see “printer security” issues rising up the agenda of anti-malware companies, especially in corporate applications.

Meanwhile, you can read the background and recent results of internet sweeps for computer peripheral vulnerabilities in the paper: “A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan. Ang Cui and Salvatore J. Stolfo; Department of Computer Science, Columbia University”

Freely available on the site: http://ids.cs.columbia.edu/content/quantitative-analysis-insecurity-embedded-network-devices-results-wide-area-scan.html

12 Comments on Is your printer a security risk?

Kerry56: Posts: 14416; Posted on: 25 Jul 12 02:47

My printer stays off 99% of the time. Even if it was infected, they'd have a hard time doing anything useful with it.

But this type of thing would be aimed at business printers for the most part I would think.

Mr. Belvedere: Posts: 18833; Posted on: 25 Jul 12 09:54

Why do printers have a direct connection to the internet!?!?

Examples:

HP Printers: Search Google for inurl:hp/device/this.LCDispatcher
Ricoh Printers: Google intitle:"web image monitor"
Afacio: Google inurl:"/en/sts_index.cgi"

ChristineBCW: Posts: 1299; Posted on: 25 Jul 12 14:36

We've used a lot of the little Epson direct-to-CD printers (R200 series, then the RX-5 series, now the Artisans), and after a year with the R200s (which were great little things), we discovered they were 'phoning home' and getting some kind of driver-update behind our back.

That's not so out-of-the-ordinary now, but five years ago, that was almost a 'first of its kind' behavior for printers. And of course Epson Utils didn't have a "no auto-update" switch. So, we used our firewalls to disallow this.

Why? Because the drivers appeared to be receiving "Certified Ink" updates that would reject the Clone Ink Cartridges that the R200s could use - and use very well. Perfectly, in fact.

Until a driver-update suddenly started reporting a non-Epson cartridge and therefore, "Invalid ink cartridge". Quite tricky.

We complained. Epson denied but driver-file access-dates were changed. When we invariably re-loaded Win from scratch, we started doing firewall-denials to Epson's phone-homes, and all of those once "invalid cartridges" worked again, just fine. Were our accusations correct? We'll never know for certain - but the cost of ink cartridges was chopped by 75%. And then Epson revealed those R-series printers had a lifespan fuse in them, and that fuse would blow at X-quantity printed, so for a mere $150 service and shipping, our R200s could still be used. Or buy a $99 RX-series instead. Du-uh. Hello, Landfill.

This was as nefarious an ability as we've seen, but no doubt others will have new schemes to hijack and ransom our computer services from us.

AllanDeGroot: Posts: 1440; Posted on: 25 Jul 12 23:44

I'm perfectly happy with my HP laserjet-6P, which is How Old now?

When I got it I bought three toner cartridges with it
and I just recently exhausted the first one.

When the third one goes I'll switch

All this sounds like an excellent excuse to stick with my old printer... as long as possible

BradWright: Posts: 225; Posted on: 26 Jul 12 01:44

Quote:

Originally Posted by AllanDeGroot

That's possibly one of the most durable printers HP has ever made, along with the LaserJet 4 Series. We still have several of each chugging along just fine at the office I work at.

BradWright: Posts: 225; Posted on: 26 Jul 12 01:57

Quote:

Originally Posted by Mr. Belvedere

I guess it's so you can print stuff to your printer at home when you're away from home. Although it seems it would be better to simply save the document being printed to the laptop/tablet/smart phone that's being used to send the document to the printer, and then print it when you got home. But then, I think it's weird to do text messaging on a cellphone instead of using that same device to call and actually talk to the person.

Mr. Belvedere: Posts: 18833; Posted on: 26 Jul 12 10:41

Quote:

Originally Posted by BradWright

I guess it's so you can print stuff to your printer at home when you're away from home.

I understand that, but it does not justify the access to the configuration page of the printer via the internet. It's pretty easy to configure it in such a way that you cannot remotely upgrade firmware or access the webconfig page of the printer.

ChristineBCW: Posts: 1299; Posted on: 26 Jul 12 11:41

Allan, we've got Deskjet 722 and 972 still running. The 722 has a great "continuous form sheetfeed" ability so we can do full-color banners. Tear off Continuous Form paper-tracks (which the cats love to drag around and pounce on)... If we need a 24-page banner, tear off a 24-sheet length. And the DJ 722 still feeds it in. I might run out of an ink-cartridge in that process, but it pleasantly sits there for a replacement.

This might take an hour to complete, but it's a cool banner anyway - a bit soggy at first, yeah.

The DJ 972 offers the same thing but has never had the 722's certainty of paper-feeding on continuous form paper. If it fails, though, it fails at first - not being able to 'pick up' that first page's leading edge.

As long as we can get ink-cartridges, we'll keep using them and, when those disappear, we'll use the Junkie-Needle method, I suppose. "Where do you wrap the rubber hose around to expose the vein?"

musukebba: Posts: 8; Posted on: 26 Jul 12 15:54

Quote:

Originally Posted by Mr. Belvedere

That's an absolutely shocking finding Mr B. Just asking for trouble! Presumably the location of individual machines can be found?

My proof of concept would be to send it a print job of my Christmas cards for next year, complete with addressed envelopes.

Mr. Belvedere: Posts: 18833; Posted on: 26 Jul 12 20:50

Quote:

Originally Posted by musukebba

Presumably the location of individual machines can be found?

Most ip adresses are region bases, so that should be not a big issue. It's a very old trick though. If you look closely enough you can even find printer web pages that have not been protected. You could print anything you want to it.

tmc8080: Posts: 965; Posted on: 29 Jul 12 04:23

I've got the Officejet 7210xi... and the POS document feeder died on me about 2 years after I got it., then if it's not that.. it's check cartridge b/s sporadically bothers me..

I'm fed up with HP... next time, I buy I different printer mfg. Brother & Epson are becoming better than HP in both laser & inkjet. They barely stand behind their products anymore since spinning off the PC hardware division.. so who's going to buy a $300+ printer from them now? printers dont' seem to ever fully die.. but after 10 years I'm through with this one (2005-2015)

Leaving the printer off is as good a security measure as any... plus, hackers have to traverse the router's security & firewall security first...

ChristineBCW: Posts: 1299; Posted on: 29 Jul 12 13:20

I once saw someone's office fax get 'junk mail' and it consumed a lot of toner. That secretary got the sending fax's number and sent them, oh, 200 pages of solid black. It was great. Waste my toner? I waste yours. Of course, with wireless access wasting someone's toner, there SHOULD be more severe action. Hopefully, the Zebra Mentality ("one in a kajillion") and firewalls, share permissions set to specific UserIDs - hopefully that will protect wireless printers in the future.

We still recommend HPs for one class of users: the Only Occasionally Printing types, because Epson-Canon engines WILL result in costly, time-hardened ink-clogs in the print-head, and eventually, no amount of 'cleaning cycles' fixes that. Our HPs don't suffer from that nearly as much but at least a new ink-cartridge is also a new, clean printhead. The ultlimate 'fix'. It's more expensive per cartridge, but after we've gone thru 2 or 3 Canon-Blacks and perhaps 6 hours of sitting there, "Clean Again" cycles, even a year's worth of HP cartridge cost difference becomes reversed.

If you do any On-Disc-Printing, however, and do it daily-weekly, I can definitely recommend the Epson Artisan series. The Epson Store will have refurb units in the sub-$100 range, and those are great units BUT we always buy in multiples of 2 so that, when the first one dies (and they eventually will - rollers, color-blend engines, or those print-head tiny-clogs turn into uncleanable big ones), then there's no need to waste the leftover ink-cartridges. Our Epsons have lasted years each, and we usually have a few extra cartridges on-hand. With a 2nd unit sitting in its box in the closet, poof, now we have a few more years of good life before skipping one or two generations and finally getting the latest-greatest.

Is your printer a security risk?

12 Comments on Is your printer a security risk?

Is your printer a security risk?

Most popular headlines

Windows Blue to allow boot to desktop and brings start menu back? (3)

Jobs in US entertainment industry on all-time high - piracy?! (8)

The Piratebay domain moves to Greenland - circumvents blockade (3)

Intel 9 series chipset has native SATA Express (SATA over PCIe) support (2)

Active Commenters