Security Flaws Leave Networked Printers Open To Attack

Printers that use popular print server software sold by Hewlett-Packard are vulnerable to attacks that can bypass built-in biometric defenses, recover previously printed documents and crash all vulnerable machines attached to a network.

That warning comes from viaForensics researcher Sebastian Guerrero, who said he identified the security problems in HP's JetDirect software while testing printers in his spare time.

JetDirect software is used in internal, external and embedded print servers sold by numerous printer manufacturers -- everyone from Canon and Lexmark to Samsung and Xerox. The software handles any printing request made via a network, in part by adding additional information, which then gets parsed by a printer. This additional information is in the form of tags such as UEL (universal exit language), which notes the beginning and end of data streams; PJL (printer job language), to tell the printer what to do; and PCL (printer control language), which formats pages.

But these HP printer language command tags can also be used by attackers to evade security controls built into the devices -- such as fingerprint or smart card checks -- as well as to knock the machines offline, reprint previously printed documents or even brick the device.

[ Tired of having malware punch you in the face? Take these 4 Steps For Proactive Cybersecurity. ]

"By fuzzing tags that are parsed and used by interpreters of PCL/PJL, an attacker could trigger a persistent denial of service affecting a large percentage of models and manufacturers," said Guerrero in a security analysis that outlines the flaws he discovered in JetDirect. (Note: Guerrero's analysis has been translated from Spanish.)

The tags also give attackers a way to recover documents that might otherwise be stored in encrypted form and relatively inaccessible. "All of the heavily encrypted documents a company has on its computers are automatically unprotected once sent to the print queue and are recorded and stored in the history," said Guerrero. Furthermore, he said, many of these documents can be reprinted by an attacker.

The tags can also be used to knock network-connected printers offline. "If you modify any of these parameters by inserting an unexpected character, depending on how it is implemented by the parser and interpreter for the specific printer model, you may cause a denial of service, knocking printers offline and forcing them to be reset manually," he said.

Guerrero noted that the vulnerabilities can also be exploited by using touchscreen technology -- branded as "TouchSmart" -- that's built into some printers, and which allows users to alter some settings, such as the FTP service settings. "While the number of characters entered is limited and controlled by JavaScript, once an attacker has intercepted the request," they could use false tags and characters to crash the printer," he said. Using a text string that he published, for example, Guerrero was able to brick a printer, which couldn't be used again until its firmware was reinstalled.

An HP spokeswoman didn't immediately respond to a request for comment on Guerrero's research, as well as whether there were any ways to mitigate the apparent flaws.

Guerrero has declined to detail specific printer makes and models that might be affected by these vulnerabilities, although he told ITworld that he'd confirmed the vulnerability on HP DesignJet printers, as well as some types of Ricoh printers. But he noted that any device that uses JetDirect is at least vulnerable to having its authentication bypassed by an attacker, using the security holes he'd identified.

This isn't the first security vulnerability to be found in printer firmware made by HP. In late 2011, for example, researchers exploited an HP firmware printer bug to install malware on printers, which they said could even be used to cause LaserJet devices to catch fire. HP dismissed that finding as "sensational and inaccurate," though it did release 56 firmware updates as a result of the research. Seven months later, however, a follow-up study by the same researchers found that only 1% to 2% of vulnerable, Internet-connected LaserJet printers had installed the firmware updates.