Printers can be a source of troublesome internet security issues
Nov. 29, 2011
While most computer users think of printers as unintelligent boxes sitting beside the desk, new research from Columbia University has found that they can be surprisingly vulnerable to sophisticated attacks.
The researchers said that Internet-connected printers could be used to steal personal data, access supposedly secure corporate networks, or worse, cause a fire through deliberate overheating of the device.
The researchers, who studied HP's networked LaserJet printers, say that the printers' "Remote Firmware Update" feature is acutely vulnerable to attacks from outside, and that exploiting it is far easier than was initially assumed.
That feature, which the researchers say checks for firmware updates whenever a new print job starts, could allow attackers to install customized firmware that grants them full control of the printer. The printers studied by the Columbia team do not verify digital signatures and so never check the origin or integrity of a firmware image, which makes it relatively easy to feed them malicious firmware.
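To make the signature gap concrete, here is an added example; it is not the researchers' code and not how HP's LaserJet firmware loader is actually implemented. It models a printer's firmware-update path with and without signature verification. A Lamport one-time signature over SHA-256 stands in for the RSA- or ECDSA-style signature a real vendor would use, so that the example runs with the Python standard library alone; the vendor key, the firmware images and the Printer class are all constructed for the demonstration.

```python
import hashlib
import os


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(digest: bytes):
    # Yield the 256 bits of a SHA-256 digest, most significant bit first.
    for i in range(256):
        yield (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_keygen(rng=os.urandom):
    # Lamport one-time signature: 256 pairs of secrets; the public key holds
    # their hashes. Stand-in for a vendor's RSA/ECDSA key (demo assumption).
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, message: bytes) -> bytes:
    # Reveal one secret per message-hash bit. A key must sign ONE message only.
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(_h(message))))


def lamport_verify(pk, message: bytes, signature: bytes) -> bool:
    if len(signature) != 256 * 32:
        return False
    for i, bit in enumerate(_bits(_h(message))):
        if _h(signature[32 * i:32 * i + 32]) != pk[i][bit]:
            return False
    return True


class Printer:
    """Hypothetical printer with a remote firmware update (RFU) path.

    check_signatures=False models the older units in the study, which install
    whatever image arrives; True models a loader that pins the vendor's public
    key and refuses any image that does not verify against it.
    """

    def __init__(self, vendor_pk, check_signatures: bool):
        self.vendor_pk = vendor_pk
        self.check_signatures = check_signatures
        self.firmware = b"vendor firmware v1 (constructed)"

    def remote_firmware_update(self, image: bytes, signature: bytes = b"") -> bool:
        if self.check_signatures and not lamport_verify(self.vendor_pk, image, signature):
            return False          # reject: unsigned, wrongly signed, or tampered image
        self.firmware = image     # install whatever arrived
        return True


def demo():
    # Constructed images: a genuine vendor release and an attacker's replacement.
    sk, pk = lamport_keygen()
    genuine = b"vendor firmware v2 (constructed)"
    malicious = b"attacker firmware: exfiltrate print jobs (constructed)"
    sig = lamport_sign(sk, genuine)

    legacy = Printer(pk, check_signatures=False)
    hardened = Printer(pk, check_signatures=True)
    return {
        "legacy_accepts_unsigned": legacy.remote_firmware_update(malicious),
        "hardened_rejects_unsigned": not hardened.remote_firmware_update(malicious),
        "hardened_accepts_signed": hardened.remote_firmware_update(genuine, sig),
        # replaying the genuine signature on a different image must fail
        "hardened_rejects_tampered": not hardened.remote_firmware_update(malicious, sig),
        "hardened_firmware": hardened.firmware,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The legacy printer installs the attacker's image without complaint; the hardened one installs only an image whose signature verifies under the pinned vendor key and rejects the same signature replayed on a modified image. In a real loader the public key would live in immutable storage and the check would be a proper RSA or ECDSA verification, but the control flow is the same.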
The stakes are high indeed. According to the researchers, there is no easy way to detect the breach in the first place, and since endpoint security software does not inspect printers, attackers would have near-complete freedom of action after seizing control of one.
Compounding matters, removing the malicious firmware is nearly impossible. As worrying as that sounds, printer security problems have been around for many years. Much effort goes into securing workstations, laptops and servers, but little attention is given to printers; attackers know that and are capitalizing on it.
Five years ago at the Black Hat security conference, security researcher Brendan O'Connor demonstrated how easily an attacker can gain access to a printer and cause a range of security problems in a typical office. O'Connor showed how two attackers, within minutes, could perform all kinds of tasks, including mapping an organization's network and retrieving previously printed documents.
"Stop treating them as printers," O'Connor warned IT managers during his presentation. "Treat them as servers, as workstations and as any other computer connected to your network. Look at them in the same way you do any other peripheral that is attached to your corporate network, because that's exactly what they are, plain and simple."
O'Connor's findings came at a time when networked printers were mostly found in enterprises. Nowadays they are just about everywhere, and the Columbia researchers say that, given the sheer number of networked printers in the wild, the flaw they discovered could affect millions of people around the globe, not just in your office. Any printer that is reachable from the public internet, rather than only from the office network, widens that exposure further.
But before you rush to switch off your printer: the security hole the researchers found only affects older printer models. HP says that its printers built since 2009 accept only digitally signed firmware, which closes the hole.
That does not make the researchers feel any safer, however. As they pointed out, the number of printers suffering from the flaw "could be much more than 100 million. That's a LOT of printers."
Keith Moore, HP's chief technologist for the company's printer division, said in an interview that although his company takes the flaw "very seriously," he doubts that it is as widespread as the researchers say, adding that his initial studies show a low likelihood of attackers exploiting it. Not everybody agrees with Moore, least of all the researchers who produced the report.
"This security vulnerability is probably not as broad as what I had heard in their first announcement," Moore said, citing his assertion that, contrary to what the researchers say, HP printers don't look for new firmware on typical print jobs. "It sounds like we disagree on what the exposure might be."
In other internet security news
With the decryption of a supposedly protected PayPal browser cookie at a security conference on September 23, it became official: the internet's foundation of trust has suffered another serious fracture, one that will require the attention of the industry's best minds if SSL is to remain trustworthy.
Within hours of the demonstration by security researchers Juliano Rizzo and Thai Duong, Google researcher Adam Langley signaled his acceptance that SSL (Secure Sockets Layer), the decade-old cryptographic standard that protects websites and e-commerce sites using the https prefix, was susceptible to an attack previously considered impractical.
The result: by exploiting how SSL 3.0 and TLS 1.0 use the encryption algorithm's CBC (cipher block chaining) mode, with each record's IV taken from the last ciphertext block of the previous record, an attacker who can feed chosen plaintext into the victim's connection can quietly decrypt portions of the encrypted traffic, a serious blow to a technology that until now was widely believed to be secure.
“The CBC attacks were believed to be largely theoretical but, as Duong and Rizzo have pointed out Friday, that's no longer the case,” Langley wrote.
He went on to say that, as previously reported, the developers of Google's Chrome browser are experimenting with a work-around, but are not yet sure whether it will cause incompatibilities with websites still using SSL.
He added that Google's own sites are largely immune to the attack because they prefer the RC4 cipher, a stream cipher that does not use CBC mode and so is not affected by this particular attack. How much protection that offers in practice is not yet certain.
Yesterday, both Microsoft and Mozilla acknowledged that their software was also affected. An advisory issued by Microsoft recommends that websites follow Google's lead and prefer the RC4 cipher while Redmond's engineers develop a Windows update to patch the underlying weakness.
For its part, Mozilla made public a three-month-old discussion of the underlying vulnerability and of the best way to repair it without breaking the huge number of websites that have relied on the current behaviour for years.
Duong and Rizzo's exploit isn't easy to pull off, either. Attackers must already be able to intercept the network traffic of the intended victim, and they can only recover secret information that is transmitted repeatedly and at a predictable position in the encrypted data stream.
They must also have a means of subverting a safety mechanism built into browsers known as the same-origin policy (SOP), which dictates that data set by one origin cannot be read or modified by a page from a different origin.
To get around the SOP, the security researchers used a specific Java applet, but they said there are other methods for achieving the same purpose.
But as Duong and Rizzo demonstrated Friday, those constraints weren't enough to stop them from revealing the plain text of a supposedly SSL-protected browser cookie transmitted with each request that a logged-in PayPal user makes on the payments website.
Using what is presumed to be a broadband connection somewhere in Mountain View, California, Duong was able to recover the authentication cookie in about two minutes, giving him everything he needed to gain unauthorized access to someone else's account.
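The mechanism behind that two-minute cookie recovery, as an added example that is not Duong and Rizzo's code: the attacker watches the last ciphertext block of each record (the IV of the next one under SSL 3.0/TLS 1.0), gets the browser to send chosen bytes ahead of the cookie so that exactly one unknown byte sits at the end of a block, and then submits a chosen block that tests one guess per record. Assumptions of this demo: a SHA-256-based keyed function stands in for the block cipher, MAC and real padding are omitted, and the Victim class models a browser that an attacker-controlled page (the role the Java applet played in the demonstration) can make send attacker-chosen bytes followed by the secret cookie. The second run uses a fresh random IV per record, which is what TLS 1.1 does; the page does not discuss TLS 1.1, it is included here as the check a practitioner would want.

```python
import hashlib
import os
from typing import Optional

BLOCK = 16


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher (assumption of this demo): a keyed PRF cut
    # to one block. Not a real cipher, but the attack needs only that E_k is a
    # fixed secret function of its input block, which any block cipher is.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: C_i = E_k(P_i XOR C_{i-1}), with C_{-1} = iv.
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class Victim:
    """A browser sending records of (attacker-chosen bytes || secret cookie).

    chained_iv=True mimics SSL 3.0/TLS 1.0, where each record's IV is the last
    ciphertext block of the previous record and so is visible to the attacker.
    chained_iv=False mimics a fresh random IV per record (TLS 1.1 behaviour),
    which the attacker cannot know when choosing the plaintext.
    """

    def __init__(self, key: bytes, secret: bytes, chained_iv: bool):
        self.key, self.secret, self.chained_iv = key, secret, chained_iv
        self.next_iv = os.urandom(BLOCK)

    def send(self, attacker_bytes: bytes) -> bytes:
        pt = attacker_bytes + self.secret
        pt += b"\x00" * (-len(pt) % BLOCK)       # simplified padding
        iv = self.next_iv if self.chained_iv else os.urandom(BLOCK)
        ct = cbc_encrypt(self.key, iv, pt)
        self.next_iv = ct[-BLOCK:]
        return ct


def beast_recover(victim: Victim, secret_len: int) -> Optional[bytes]:
    """Chosen-boundary attack: recover the secret one byte at a time.

    Returns None as soon as no guess matches, which is what happens when the
    attacker cannot predict the IV of the record carrying the guess.
    """
    known, filler = b"", b"A"
    last = victim.send(b"")[-BLOCK:]               # observe the chain state
    for j in range(secret_len):
        pad = (BLOCK - 1 - j) % BLOCK              # put secret byte j last in block t
        t = (pad + j) // BLOCK
        ct = victim.send(filler * pad)
        target = ct[t * BLOCK:(t + 1) * BLOCK]
        iv_t = last if t == 0 else ct[(t - 1) * BLOCK:t * BLOCK]
        last = ct[-BLOCK:]
        # The 15 bytes before secret byte j in block t are filler or already recovered.
        prefix = (filler * pad + known)[t * BLOCK:t * BLOCK + BLOCK - 1]
        found = None
        for g in range(256):
            guess = prefix + bytes([g])
            # Choose P' so that P' XOR IV_next == guess XOR IV_t; then
            # E(P' XOR IV_next) equals the target block iff the guess is right.
            probe = xor(xor(guess, iv_t), last)
            ct2 = victim.send(probe)
            last = ct2[-BLOCK:]
            if ct2[:BLOCK] == target:
                found = g
                break
        if found is None:
            return None
        known += bytes([found])
    return known


def demo():
    key = os.urandom(BLOCK)
    cookie = b"session=c0nstructed-demo"            # constructed secret
    chained = beast_recover(Victim(key, cookie, chained_iv=True), len(cookie))
    random_iv = beast_recover(Victim(key, cookie, chained_iv=False), len(cookie))
    return chained, random_iv


if __name__ == "__main__":
    print(demo())
```

Against the chained-IV session the full cookie comes back after at most 256 records per byte; against the random-IV session the very first byte fails, because the attacker had to commit to the probe block before the IV that would be XORed into it existed. Record-level countermeasures such as OpenSSL's empty fragments or Chrome's later work-around attack the same assumption from the other side, by making the block that carries the attacker's bytes unpredictable.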
Moxie Marlinspike, a security researcher who has repeatedly found holes in the SSL protocol and its successor, transport layer security (TLS), put it this way: “As it stands now, given the number of difficult conditions necessary for deploying such an attack, as well as the dependency on leveraging a Java applet for violating SOP, it seems extremely unlikely that individual browser users will be personally affected by this vulnerability.”
BEAST, short for Browser Exploit Against SSL/TLS, isn't the only reason to question the adequacy of the cryptographic system the entire internet uses to keep eavesdroppers out of private accounts. And remember that a countermeasure introduced by OpenSSL in 2002 against this very class of attack was commonly disabled because it broke compatibility with some implementations, including software from Microsoft, further complicating matters.
SSL encryption may have dodged a bullet for now, but as the recent DigiNotar debacle demonstrated, the system itself isn't immune to real-world attacks with very real consequences for those who depend on it. As always, we will keep you posted on this and other news affecting the security of the internet.
In other internet security news
The University of Sydney in Australia and technical publisher Elsevier said this morning that they are holding their first official competitive hackathon for security students and professional software developers.
The Sydney Hackathon gives teams of up to five a twenty-four hour window to develop an application that improves content delivery for Elsevier, the scientific, technical and medical publisher behind The Lancet and SciVerse ScienceDirect.
"The hackathon is designed to encourage students and internet security professionals to build creative and innovative software applications for science, using data from open application program interfaces," said SUITS (Sydney Uni IT Society) president James Alexander.
The inaugural Sydney Hackathon is being held this weekend and offers cash prizes of up to AU$1500 to the winning team. Competitors also retain ownership of any intellectual property developed during the event.
Entrants have from 2.00 PM Saturday to develop an application of any kind, as long as it draws on Elsevier's SciVerse and ScienceDirect platforms, which include over 10 million scientific publications from 2,600 journals.
Application developers and security software designers, students from any Australian university, and full-time programmers are invited to enter.
In other internet security news
Over the past weekend, Oracle broke with tradition by publishing an unscheduled security patch. The update addresses a denial-of-service (DoS) vulnerability in the Apache web server software it ships.
This is only the fifth time Oracle has published a security update outside the quarterly patch schedule it began at the start of 2005.
The security patch provides an updated Apache web server and a new http daemon to Oracle's Fusion Middleware and Application Server products.
The former includes Apache httpd 2.2; the latter includes Apache httpd 2.0.
The vulnerability, catalogued as CVE-2011-3192, lets a single client send a request whose Range header lists hundreds or thousands of overlapping byte ranges of the same file; the server then allocates memory and CPU for every range, which can exhaust the system and take the server down.
The Apache Software Foundation first addressed the same underlying byte-range flaw with the 2.2.20 update at the end of August. Last week it ironed out a few glitches in that fix with a further update, 2.2.21.
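For administrators who cannot patch immediately, the Apache advisory's interim mitigation was to refuse requests with more than five byte ranges, and the 2.2.20 fix additionally ignores a Range header (serving the whole file with a 200) when the ranges add up to more than the file itself. The following is an added example that applies both checks to a Range header value; it is not Apache's code and not Oracle's patch, and the sample headers, including one in the shape of the published proof-of-concept, are constructed for the demonstration.

```python
import re

# Interim mitigation from the Apache advisory for CVE-2011-3192: reject
# requests carrying more than five byte ranges.
MAX_RANGES = 5

_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_byte_ranges(header: str):
    """Parse a Range header value ('bytes=0-99,-500') into (start, end) pairs.

    start or end is None for an open end; a suffix range '-500' is (None, 500).
    Returns None when the header is not a byte-range request or is malformed.
    """
    if not header.lower().startswith("bytes="):
        return None
    specs = []
    for part in header[len("bytes="):].split(","):
        m = _SPEC.match(part)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        specs.append((start, end))
    return specs


def requested_bytes(specs, content_length: int) -> int:
    """Total bytes the ranges would serve, counting overlaps every time they occur."""
    total = 0
    for start, end in specs:
        if start is None:                      # suffix range: last `end` bytes
            total += min(end, content_length)
            continue
        last = content_length - 1 if end is None else min(end, content_length - 1)
        if start <= last:                      # unsatisfiable ranges are ignored
            total += last - start + 1
    return total


def is_abusive_range(header: str, content_length: int, max_ranges: int = MAX_RANGES) -> bool:
    """True if the request must not be expanded into a multipart/byteranges response."""
    specs = parse_byte_ranges(header)
    if specs is None:
        return False                           # not a byte-range request: nothing to expand
    if len(specs) > max_ranges:
        return True
    return requested_bytes(specs, content_length) > content_length


# Constructed sample header values (not captured traffic):
SAMPLES = {
    "normal": "bytes=0-99,200-299",
    "resume": "bytes=1000-",
    "overlapping": "bytes=0-,0-,0-",
    # shape of the published proof-of-concept: one open range plus ~1300 overlapping ones
    "killer": "bytes=0-," + ",".join(f"5-{i}" for i in range(1300)),
}


def triage(content_length: int = 10_000):
    return {name: is_abusive_range(value, content_length) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:12} abusive={verdict}")
```

The range-count check alone catches the proof-of-concept shape, but the byte-sum check is what catches a short header like `bytes=0-,0-,0-`, which asks the server to serve the file three times over; both checks belong in front of any server that still expands multiple ranges.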
At this time it isn't clear which code base Oracle used, although given testing schedules and the like, the earlier patch seems more likely.
Whichever code base was used, the database giant is emphatic that system administrators need to apply the patch sooner rather than later.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible," it said in its advisory.
Source: Columbia University.