Courtesy of Dan Bowman: You may have seen the brief writeup on Slashdot about how to set printers on fire by messing with the fuser, but in Germany next month there’s going to be a security engineer’s nightmare unleashed, courtesy of the HP printer that’s probably sitting a few feet outside your cubicle and mine.
And there’s a whole lot more to it than just messing with the fuser in hopes of killing a printer or (perhaps) starting a fire. There’s a lot more to a printer than toner and a fuser. As the link above says, a printer contains an embedded Linux or VxWorks system that’s trivially easy to install a rootkit on and that nobody’s paying attention to. Seriously, who watches traffic coming from the printer?
The possibilities are endless.
Yes, endless. An attacker can sit there and map out the network. The attacker can mount attacks from inside the network, using exploits to try to gain more access. Companies are much faster to patch their Internet-facing servers than their internal servers, right? But an attacker can just sit there on the printer, waiting for an opportunity.
And in the meantime, if any interesting print jobs come through, the attacker can grab those, too.
You’re an idiot if you have your HP printer direct-connected to the Internet of course, but that just means you have to get at it another way. Send a document to somebody with booby-trapped firmware buried in it, entice them to print it, and the printer is pwned. And if the person who created the firmware did it right, nobody will ever know, because the printer is just sitting there, printing jobs just like it always did. Maybe nobody will notice the other jobs it’s doing when it’s supposed to be idle. Nobody pays attention to printers, after all.
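One way to start watching traffic coming from the printer, as an added example that is not part of the original post: a printer should accept print jobs and initiate very little, so anything it initiates outside a short allowlist deserves a look, and a fan-out to many hosts looks like network mapping. The flow-record format (source is the initiator), the printer inventory, the allowlist and the threshold are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (not from a real network); src is the initiator.
SAMPLE_FLOWS = """\
src,dst,dport
10.0.5.20,10.0.0.53,53
10.0.5.20,10.0.0.10,25
10.0.1.44,10.0.5.20,9100
10.0.5.20,10.0.1.1,445
10.0.5.20,10.0.1.2,445
10.0.5.20,10.0.1.3,445
10.0.5.20,10.0.1.4,445
10.0.5.20,203.0.113.7,443
10.0.5.21,10.0.0.53,53
"""

PRINTERS = {"10.0.5.20", "10.0.5.21"}  # assumed printer inventory
# Assumed allowlist: the only (destination, port) pairs a printer may initiate
# (here DNS, scan-to-email relay, NTP).
ALLOWED = {("10.0.0.53", 53), ("10.0.0.10", 25), ("10.0.0.123", 123)}
FANOUT_LIMIT = 3  # assumed: more distinct unexpected peers than this looks like a sweep


def audit_printer_flows(flow_csv, printers=PRINTERS, allowed=ALLOWED,
                        fanout_limit=FANOUT_LIMIT):
    """Return {printer_ip: {"unexpected": [(dst, port), ...], "sweep": bool}}
    for every printer that initiated a connection outside the allowlist."""
    unexpected = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst, port = row["src"], row["dst"], int(row["dport"])
        if src not in printers:
            continue  # inbound print jobs to the printer are normal
        if (dst, port) not in allowed:
            unexpected[src].append((dst, port))
    report = {}
    for printer, flows in unexpected.items():
        peers = {dst for dst, _ in flows}
        report[printer] = {"unexpected": flows, "sweep": len(peers) > fanout_limit}
    return report


if __name__ == "__main__":
    for printer, finding in audit_printer_flows(SAMPLE_FLOWS).items():
        kind = "possible network sweep" if finding["sweep"] else "unexpected traffic"
        print(f"{printer}: {kind}: {finding['unexpected']}")
```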
At smart shops, the job description of printer administrator is about to change dramatically.
There is, perhaps, a silver lining. If there’s intelligent life left somewhere at HP, a crash project to implement the recommended security mitigations needs to be happening now. Perhaps it can be retrofitted into existing printers and distributed as a goodwill gesture. HP hasn’t had a very good year and could use some goodwill.
The security features certainly need to be implemented in the current line of printers and marketed as such, heavily.
That’s the opportunity. Some people upgrade their printers out of habit, but I had to get used to seeing 20-year-old HP LaserJets in offices sometimes. I’ve seen it often enough that I don’t question it anymore. It’s possible to wear an HP laser printer out–I’ve seen offices run entire cases of paper through the printer per day and then complain when it breaks after a week–but when the printer gets medium or light use, it can last for years or even decades, and if there’s no good reason to replace them, they don’t get replaced.
This is HP’s opportunity to sell replacements for all of those decade-old printers (or older) that are still in service somewhere. Along with lucrative supplies like toner cartridges.
And if HP fumbles that? I have three words for you: Buy Lexmark stock. Ticker symbol LXK.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.