How convenient
Was this research paid for by HP to show how necessary digitally signed firmware is? The last thing they want is a version of firmware which doesn't lie about toner levels.
Researchers claim to have discovered a security flaw in HP LaserJet printers that permits the installation of malicious firmware that might be capable of disabling safety controls. In a demo, Columbia University's Professor Salvatore Stolfo and Ang Cui show how it might be possible to instruct a hacked printer to overheat a …
As the article clearly states, they are referring to "laserjet" series machines; they are toner based machines with a fuser to melt the toner onto the page.
Ink based machines are deskjets or officejets.
The clue is in the LASERjet, ie LASER printer utilising a laser to modify the charge on a drum, which is then used to transfer toner to the page in a set pattern.
Every NAS device I've used was basically a UNIX box, and could have its firmware completely replaced by another (unsigned or easily forged signature) OS. One example (amongst many) is replacing the D-Link DNS-323's firmware with "Alt F" firmware ( http://code.google.com/p/alt-f/ ).
The point being that NAS devices are, due to their larger processing power and the fact that they are the network storage, larger potential problems for this type of embedded spying.
While most NAS devices seem to be unix based, they typically are password protected and the firmware update can only be done through the console, web management or an updater software, all of which require a password - which the admin changed from the default. (right...)
If D-Links accept fw updates without any credential checking that would cause a huge storm.
I have updated many HP printer firmwares in the past and they all accept the firmware as a print job or through anonymous FTP. There is no password protection whatsoever even if the Jetdirect or web management was password protected. I've never enabled printing from outside the corporate network by opening ports or enabling receiving email on the printers. No-one should.
Also, I'm not sure whether the NAS devices in general have better processing power than printers. Usually the NAS devices comprise an under-powered ARM with the minimum memory needed to have the device do its job. Sure there are Atom devices with a reasonable processing power but the heavy duty printers are also very fast at processing complex printouts.
I'm pretty sure there are more HP laser printers out there than there are NAS devices. And the "beauty" of this particular attack, as I understand it, is that it can be achieved with DNS poisoning - the claim is that the printers look for updates and install them without requiring intervention from a user. Most NAS devices are probably as vulnerable to this kind of attack.
I call bullshit on the thermal fuse claims, I have never seen a fuser or dryer that had a thermal fuse that could be bypassed by firmware. You could tell the controller to turn on the fuser and keep it on but when the thermal fuse or trip opens it either has to be replaced or cool down enough to reset.
I would be very surprised if you could disable the thermal switch through firmware.
It is there as a last resort; it protects against the software crashing or having bugs for example (like that would ever happen!). It is probably a purely hardware device wired in series with the heater and possibly other circuits too.
Sounds to me like someone just trying to get 5 minutes of fame (or trying to justify that the breach really is dangerous, despite this little component that they forgot to check).
The claim of fire was added on by the media to sensationalize the story, and had very little to do with the actual security implications of this type of vulnerability. You should watch the original disclosure video to decide if this is a real problem or just hype.
http://www.youtube.com/watch?feature=player_embedded&v=dXDF0-2c1zc
These doom and gloom glass half empty researchers are not looking at this correctly, they have just found a way to modify the firmware to not care about toner levels reported by the cartridge, enabling you to happily refill the cart with no additional hackery required.
They have just saved the planet, and saved you a small fortune :)
You beat me to it. My printer wouldn't use the colour toners which had reached "0 pages left". When I swapped the two "empty" toner cartridges, the other suddenly needed replacing, despite previously showing some pages left. Added to this, the printer refused to print B&W, once it had decided it didn't have enough of the colour toners. I'd love to have firmware that would allow me to continue printing until I decide the printouts are too faint.
The "fire" is just a sensationalist story. What is more fun is adding a network sniffer, then pumping the results out across the network, hiding as website requests.
I used to work in a company that developed these kinds of printer NICs and we often thought of stuff even those old turn of the century devices we worked with were capable of. Especially as there were zero locks on the firmware updates.
We knew the printers were in use in Banks, Military and Government locations and often thought of the kind of passwords we could easily sniff from the network.
Everyone worries about the PCs on a network - they all forget that little NAS in the corner. Or the network scanner. etc etc...
And I had to repair a laser printer that some plod had sent an ink-jet only iron-on transfer page through that decided to melt and wrap itself around the fuser roller.
Laser printers use a halogen bulb to heat the fuser roller to a couple hundred degrees, enough to soften the toner enough to melt into the paper when it's passed through the fuser itself (the second part of that equation is pressure, which is the lower roller of the fuser.)
Having seen ordinary copy paper get jammed in a fuser, I can tell you that at worst, it'll turn brown, but *not* catch fire. And forcing the bulb on? There's a current limiter fuse and a temperature cutout in the fusing assembly that will turn the bulb off if it gets too hot, causing the printer to display an error (50 service error for those interested) until it cools down, or until the assembly is replaced.
I call the article a helping of FUD for the most part.
I mean really, do they really have a business lease for 5 public IPs and a hub distributing it from their modem? Who puts their printer, or anything for that matter, on an internet IP? Even the cheapest router out there from 10 years ago will let you put your internal network on a private network using NAT.
Even if I had only one computer in my house, I would still use a router and NAT. My firewall logs show various China IPs trying to log into various ports at the rate of at least one every two minutes, I can't imagine what would happen if I didn't have even my simple router/firewall/NAT setup. Your new PC would be owned by script-kiddies before it could finish downloading security updates.
The most interesting thing I learned was HP admitting that a malformed print job from an Apple or U/Linux box could flash the firmware. That is scary.
I realise this comment comes a bit late to the story but the researcher involved in this will be presenting at this year's CCC and releasing a printer firmware unpacking/repacking tool and they are currently looking for the yellow dot tracking code.
So you might want to watch the presentation if you fancy having a go at removing those annoying toner level checks :)
http://events.ccc.de/congress/2011/Fahrplan/events/4780.en.html