HP Disputes Printer Security Vulnerabilities
Weaknesses in printer networking software could be used to bypass authentication, deny service and retrieve documents from any user, Spanish researcher says.
Information security researcher Sebastian Guerrero said that by using HP printer language command tags, he'd been able to retrieve other people's print jobs or assign them to a different user -- thus bypassing fingerprint or smart card checks built into a printer -- as well as crash a printer by using printer-command tags containing unexpected content.
More Security Insights
- How Attackers Identify and Exploit Software and Network Vulnerabilities
- Cloud Security: It’s Not Just for IT Anymore
- The New Wave of DDoS Attacks: How to Prepare and Respond
- Unruly USB Devices Expose Networks to Malware
"Based on what was disclosed it appears that the device was intentionally sent a corrupting job -- basically to try and disable the printer," said Keith Moore, chief technologist at HP LaserJet Solutions group, speaking by phone about one of the disclosed vulnerabilities. "If you're intentionally sending corrupt print jobs, yes the printer has a hard time knowing what to do with that, but that's where rebooting [comes in]," said Moore.
[ HP is not the only vendor whose printers carry certain security risks. Read Samsung Printers Have Hidden Security Risk. ]
"The other claims don't seem to be supported, and if you properly configure the device --as we recommend -- [they] technically can't be done," said Moore.
"HP takes our customers' security very seriously," said a spokeswoman in a follow-up email. "Our team has investigated the security allegations ... and determined that the claims that someone can bypass built-in biometric defenses and recover previously printed documents are false."
The crucial point in HP's rebuttal of parts of Guerrero's research, however, hangs on printers being properly configured, and to put that into practice, Moore pointed to "HP Imaging and Printing Security Best Practices," a document HP developed for distribution by the National Institute of Standards and Technologies (NIST). One of the document's chief recommendations is that printer administrators use the free HP Web Jetadmin, which is billed as "the recommended management tool for all HP network printing and digital sending products," and which can control all of the settings that HP recommends be set to maximize security.
Those configurations boil down to one recommendation: "It's essentially setting passwords on devices, or in businesses or enterprises especially, we'd encourage people to use something like HP Access Control, where the document won't even come out until you're standing at the device," said Moore, referring to HP Access Control (HPAC) Printing Solutions, which is designed to secure sensitive and confidential information in printing environments.
Late last week, Moore said HP was still trying to contact Guerrero to ensure that it's obtained a full disclosure of all vulnerabilities. But Guerrero, who's a researcher at viaForensics, reported via email that he'd already been in touch. "I can assure you that I have been in contact with them and furthermore, they were aware of these vulnerabilities before my article was published," he said.
In fact, in his research Guerrero already had noted that some of his exploits were feasible only when the printer didn't have a password enabled. Discussing viewing someone else's print jobs, for example, "I think this one has been misunderstood," he said. "As I said before, the printer has a log, where the jobs sent are stored, and some printers include the possibility to preview these jobs. If the printer doesn't use a password you can get access to the log and see the document."
But not all of the vulnerabilities he identified revolve around passwords. For example, to assign a document to a different user, "you can set some PCL/PJL tags in order to assign a job to a user, independent of whether the printer did -- or did not -- set a password," he said. "If you send the job to its queue, the job will be registered on the log with the information stored in its tags."
Guerrero emphasized that there's no coding flaw here. "It's just a leak of security on the printer, this is not HP's bug," he said. "Furthermore, this vulnerability affects printers from more manufacturers, for example, Ricoh. I can assure you that."
Another security concern is that any printers inside the network -- from HP or otherwise -- would be vulnerable to remote attacks that retrieve documents that have been printed using the device, or install custom malicious malware, especially if the printers didn't have passwords enabled or aren't running security software such as HPAC. HP's Moore, however, dismissed the threat of remote exploits of machines running JetDirect. "Typically, a firewall blocks [external attacks], so remote attacks are unlikely," he said.
But Michael Sutton, VP of security research for Web security firm Zscaler Labs, has published research showing that embedded Web servers in devices -- such as printers and photocopiers -- are often Internet-connected and unsecured with either passwords or firewalls. That would make the devices of interest for corporate espionage purposes.
Similarly, blogger Adam Howard at Port3000 posted a Google search Friday that turns up thousands of Internet-connected printers. "A quick, well crafted Google search returns 'about 86,800 results' for publically accessible HP printers," said Howard. "There's something interesting about being able to print to a random location around the world, with no idea of the consequence. Lock down your printer :) PS: There are security concerns here, as many printer models have known exploits which can be used as an entry point to a private network."
Likewise, a Google search for LCDispatcher ("inurl:hp/device/this.LCDispatcher") shared by the Google Dorks website -- amongst other locations -- returned 968,000 hits. LCDispatcher is a component in Internet-connected print servers running JetDirect, meaning the hits are apparently all printers that have their configuration pages available via the Internet.
InformationWeek is surveying IT executives on global IT strategies. Upon completion of our survey, you will be eligible to enter a drawing to receive an Apple 32-GB iPad mini. Take our