Columbia University's Intrusion Detection Systems Lab has found a significant core vulnerability in certain networked HP printers that lets a remote system infiltrate print jobs, remotely inject malware into the printer's firmware that takes control of the machine.
The lab, headed by Professor Salvatore J. Stolfo, has been doing research on the vulnerabilities of embedded systems for the last year, identifying more than 540,000 publicly accessible embedded devices configured with factory default root passwords: this includes routers, VoIP phones, webcams, digital energy systems, and IPTV/Cable boxes.
Networked printers are a part of this environment, and researcher Ang Cui discovered certain HP LaserJet printers have a critical remote firmware update vulnerability. Stolfo and Cui show how a remote system can take complete control of these printers in the video we've embedded below. It's a definite must see.
"This work started by looking at printers as a device that could harbor malicious software that could do very bad damage…physical damage, for example. So we attempted to develop malicious software that would make the printer burn," Stolfo says in the presentation. "I can't think of a better way of demonstrating the vulnerabilities that are inherent in printers…the paper only browned rather than burned. Then, however, looking at what was achieved, it became crystal clear that the problem was far worse than burning paper or burning printers. Printers are everywhere, they're reachable through email, through thumb drives, through downloads, any perimeter defenses can be pierced because documents freely flow across perimeters, and documents that are printed to these devices can harbor firmware updates that are entirely stealthy and cannot be viewed. There's just no antivirus software to stop this type of threat."
The team released this information a little more than a week ago, and HP told MSNBC that it has to verify the vulnerability itself before any comments can be made (or security bulletins can be issued.)