Boing Boing has an interesting article up about a presentation at the recent Chaos Communication Congress, Ang Cui’s “Print Me If You Dare”. Ang explained how he reverse-engineered the firmware-update process for HP printers. He discovered that he could load arbitrary code into any printer by embedding it in a document. As part of his presentation, he sent a printer a document containing malicious code that copied the documents it printed and posted them to the Internet. In his second demo, he took over a remote printer with a malicious document, causing that printer to scan and compromise vulnerable PCs, turning the printer into a proxy that gave him access through the firewall.
Printers are everywhere. We use them and ignore them daily. They are sitting on our networks and are intended to be shared resources. They contain some pretty powerful server components, a fairly substantial amount of RAM and disk space, and are virtually ignored when we consider patch and vulnerability management. I have been involved in at least one incident that involved using a network-connected printer as the hub of malicious operations. Hiding in plain sight is a pretty clever strategy.
I would encourage anyone who has an HP printer to apply the latest firmware patch ASAP, because malware could be crafted to take over your printer, and then falsely report that it has already had the patch applied. This is not just an HP problem, though. Got printers? Get ’em up-to-date, and create a plan to keep them that way.