MSNBC “Exclusive“:
Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reported by msnbc.com. They say there’s no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too – and there’s no way to tell if hackers have already exploited it.
Maybe I’m just paranoid but reading an “exclusive” tech story like this on a site like MSNBC just seems wrong to me on so many levels. But there’s more:
Cui and Stolfo say they’ve reverse engineered software that controls common Hewlett-Packard LaserJet printers. Those printers allow firmware upgrades through a process called “Remote Firmware Update.” Every time the printer accepts a job, it checks to see if a software update is included in that job. But they say printers they examined don’t discriminate the source of the update software – a typical digital signature is not used to verify the upgrade software’s authenticity – so anyone can instruct the printer to erase its operating software and install a booby-trapped version.
In all cases, the Columbia researchers claim, duping a would-be target into printing a virus-laden document is enough to take control of that person’s printer; but in some cases, printers are configured to accept print jobs via the Internet, meaning the virus can be installed remotely, without any interaction by the printer’s owner.
Here’s another interesting part, that could be also part of the solution:
“First of all, how the hell doesn’t HP have a signature or certificate indicating that new firmware is real firmware from HP?†said Mikko Hypponen, head of research at security firm F-Secure, when told of the flaw.
As my brother points out: if it’s so easy to hack the printer with some “rogue firmware”, what’s stopping HP from releasing a new firmware that just brings signature checking to the printer?
This whole thing just seems fishy to me. Then again maybe it’s just me listening to too much No Agenda. Stuxnet’s coming home or what?
Update: This didn’t take long: HP confirms LaserJet vulnerability, firmware fix in development