When Salvatore Stolfo and Ang Cui discovered something wrong with a printer, they decided to try to set it on fire.
Out of context, it sounds like a scene from an Office Space sequel. Stolfo and Cui aren't disgruntled office workers, however. They're researchers at Columbia University's Intrusion Detection Systems Lab. They have been conducting research on vulnerabilities in embedded devices.
Through their research, they discovered a critical vulnerability in certain HP LaserJet printers that were built before 2009 -- specifically, that the printers accept remote firmware updates without proper authentication.
Through this core vulnerability, a hacker would be able to trick one of the subject printers into believing a piece of malware to be a firmware update and installing it accordingly. The hacker could then take control of the printer remotely -- stealing information, accessing connected machines, using the printer in botnet attacks, and even causing physical damage to the printer.
In a disturbing video chillingly titled "Print Me If You Dare," Stolfo and Cui share a couple of the possible exploits of this vulnerability.
In the first example, a demonstrator working in a secure private network prints his tax return. Simultaneously, the tax return is printed on the attacker's printer while a program locates and tweets the demonstrator's Social Security number from the tax return.
Next, Cui explains and demonstrates how the vulnerability can be exploited to use a compromised printer to bypass a network firewall and gain root shell access to a computer on the network.
Later, Stolfo tells us, "This work started by looking at printers as a device that could harbor malicious software that could do very bad damage -- physical damage, for example. So we attempted to develop malicious software that would make the printer burn."
Stolfo then holds up the (mildly disappointing) fruits of their labor: a partially browned document. (Before true ignition could be achieved, the printer's thermal breaker was activated, shutting down the printer upon detecting that it was overheating.)
According to Stolfo, no antivirus software or other host-based security solutions exist to detect, stop, or prevent these exploits. Such exploits are so stealthy that, according to Cui, the only way to discover whether a printer has been compromised is to open it up, remove the embedded chips, and test them.
When Stolfo and Cui shared their findings one week ago, the news media promptly picked up the story. Since then, the repercussions have already been significant. One computer security specialist, F-Secure head of research Mikko Hypponen, blasted, "How the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?"
HP has had to conduct major damage control. On the day the story broke, HP released a statement in which it downplayed the vulnerability while announcing that it was working on a firmware upgrade to fix the problem.
But Cui says any printers that have already been compromised would not benefit from the fix. "This is nothing like fixing a virus on your PC."
Two days after Stolfo and Cui made their announcement, a class-action lawsuit was filed against HP for violations of California state consumer protection and unfair competition laws. (HP is headquartered in California.) The complaint accuses HP of knowing about but not disclosing the vulnerability when it sold the affected printers.
It's too early to tell how the suit will fare, but it may be a good indicator of the ramifications of the discovery by Stolfo and Cui that are yet to come.
-- Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.