Enlarge image
Hewlett-Packard office in Böblingen (archive photo): printer as a gateway
Photo: Daniel Naupold / dpa
HP (formerly known as Hewlett-Packard) has released firmware updates for more than 150 of its multifunction printers. Companies that use one of the devices should import the corresponding update quickly, because the previous firmware has serious weaknesses. In extreme cases, they can pose a threat to operations. The two gaps were discovered by researchers at the Finnish IT security company F-Secure.
One of the vulnerabilities is in the way the affected HP printers handle certain fonts. If an attacker manages to lure his victim to his website, for example with a phishing email, and if the HP printer is directly connected, it automatically prints a prepared document. Alternatively, he has to get the victim to print out a corresponding mail attachment or a file from a USB stick. A manipulated font in the document can force a memory error in the printer and thereby enable the attacker to execute further code - and thus to hijack the device.
The attacker can then intercept and read every file that is to be printed, scanned or faxed.
It can also read out the access data with which the printer is registered in the network - and thus try to penetrate further into the network.
The vulnerability is also »wormable«: In the form of a computer worm, the malicious code can automatically take over all other unprotected printers in the network after the first infection.
In this way, for example, an attack with ransomware could be prepared.
That would be the extreme case mentioned: The printer becomes the gateway for an encryption Trojan, which more or less paralyzes operations.
According to F-Secure, it is not entirely trivial to exploit the loophole, "but more experienced threat actors can certainly use it for targeted attacks".
HP itself describes them as "critical".
Aside from the firmware update, there are other ways to prevent infection.
Among other things, the printers were to be operated in a separate subnet (VLAN) secured by a firewall, with a print server as an intermediate station to the employees' computers.
F-Secure lists the additional precautionary measures in a blog post, and HP names the affected devices on this support page.
Is the maintenance technician really from HP?
The second vulnerability discovered can only be exploited through physical access to the printer.
That makes an attack comparatively unlikely.
But criminals who are determined to do anything could pose as maintenance technicians, for example, and thus try to gain the necessary access.
You would then need to be familiar with the model, however, and tap into certain exposed connections on the board that are used for sending and receiving documents. If you manage to create a kind of bypass there, you can gain control over the printer software and thus in turn intercept all documents to be printed or spread further in the network. »The connections are large and easy to connect. The whole process - remove the circuit board, connect the connections, restart the printer, install a malicious software implant and then loosen the wires again - can be carried out in less than five minutes, ”says F-Secure.
HP lists the affected devices here and recommends protecting printers with Kensington locks.
F-Secure goes even further and suggests video surveillance of the printer room.
Of course, this only helps as long as the video cameras do not have weak points themselves and can be hacked from outside.
