Holes in common component could leave office printers open to attack
Forget "PC LOAD LETTER," a vulnerability in a standard component of modern office printers may make hardware from a wide range of vendors vulnerable to denial of service attacks and data theft, according to a researcher for security firm ViaForensics.
Forget about "PC LOAD LETTER" - the HP Printer error made famous in the cult film Office Space. According to a researcher a vulnerability in a standard component of modern office printers could allow attackers to disable printers from a wide range of vendors and, in some cases, leave data stored on the device subject to theft.
According to Guerrero, flaws in the JetDirect technology allows an attacker with knowledge of the JetDirect Printer Job Language (PJL) to bypass any device security by sending instructions directly to an open port on the printer. In his blog post (translated from Spanish to English by ViaForensics here) Guerrero demonstrated how an unauthenticated attacker could use PJL commands to insert a print job onto a password protected printer, and even reassign the job to a known user account.
Furthermore, JetDirect printers appear to be vulnerable to various injection attacks that can be launched using a document that includes malicious Printer Control Language (PCL) commands. By sending unexpected values to the JetDirect parsing engine, Guerrero was able to crash an HP DesignJet printer, requiring a total reinstallation of the firmware. Guerrero said similar attacks could be used to access data stored in memory on the printer, he said.
Guerrero said he was able to verify the attacks on HP DesignJet printers and on some printers manufactured by Ricoh. Not all printers that use JetDirect are vulnerable to all the possible attacks he outlined, Guerrero said in an e-mail. However, all versions of JetDirect are vulnerable to the authentication bypass and to having print jobs added and manipulated. The denial of service attack only works on some printers that support the JetDirect protocol. Guerrero said the problem wasn't with JetDirect, but the parsers for the PCL and PJL components.
Networked printers are the workhorses of almost every office. Plunked in empty cubicles, or wedged into hallway alcoves, they hum away all day, taking orders and printing, faxing, scanning and copying. We tend to forget they even exist, until they stop working, at which point we realize that they're critical.
But printers are deceptive. They're just as much network "endpoints" as the laptops, desktops and servers. They run full fledged operating systems and talk to the network, just like other systems. And, with the advent of multi-function devices, many now contain substantial hard drives for storing scanned images, faxes and copied pages: making them rich targets for hackers.
Guerrero said that, while most network printers sit behind perimeter defenses such as firewalls, others might be reachable over the Internet using device-centric search engines like Shodan.
HP is no stranger to security issues with its printers, either. The company was forced to update 56 versions of its printer firmware in late 2011 after researchers affiliated with Columbia University reported that the devices were vulnerable to crippling attacks. Seven months later, the same researchers found that only 1 - 2% had applied the updated firmware. And they estimated that many other models had similar vulnerabilities stemming from outdated operating systems or other components.
Guerrero said that he had contacted HP about the security holes, but couldn't speak publicly about what response he'd received. He said that organizations should take printer security account when assessing the risks to their network security and the security of sensitive data. Printers can be hardened by closing down unnecessary ports, making sure that printers are not accessible over Internet and making sure the latest version of the device firmware is installed.