Networked Printers Open to Attack

Monday, January 28, 2013 @ 07:01 PM gHale


Printers that use Hewlett-Packard print server software are vulnerable to attacks that can bypass built-in biometric defenses, recover previously printed documents and crash all vulnerable machines attached to a network.

That warning comes from viaForensics researcher Sebastian Guerrero, who said he identified the security problems in HP’s JetDirect software while testing printers in his spare time.

RELATED STORIES
Fix for VoIP Phone Vulnerabilities
Secure Communication Technology
Converting Natural Gas to Chemicals
Peel-and-Stick Solar Panels

JetDirect software works in internal, external and embedded print servers sold by numerous printer manufacturers — everyone from Canon and Lexmark to Samsung and Xerox. The software handles any printing request made via a network, in part by adding additional information, which the printer then parses. This additional information is in the form of tags such as UEL (universal exit language), which notes the beginning and end of data streams; PJL (printer job language), to tell the printer what to do; and PCL (printer control language), which formats pages.

But attackers can also use these HP printer language command tags to evade security controls built into the devices — such as fingerprint or smart card checks — as well as to knock the machines offline, reprint previously printed documents or even brick the device.

“By fuzzing tags that are parsed and used by interpreters of PCL/PJL, an attacker could trigger a persistent denial of service affecting a large percentage of models and manufacturers,” said Guerrero in a security analysis that outlines the flaws he discovered in JetDirect.

The tags also give attackers a way to recover documents that might otherwise store in encrypted form and relatively inaccessible.

“All of the heavily encrypted documents a company has on its computers are automatically unprotected once sent to the print queue and are recorded and stored in the history,” said Guerrero. Furthermore, he said, an attacker can reprint these documents.

The tags can also work to knock network-connected printers offline. “If you modify any of these parameters by inserting an unexpected character, depending on how it is implemented by the parser and interpreter for the specific printer model, you may cause a denial of service, knocking printers offline and forcing them to be reset manually,” he said.

Guerrero said an attacker can also exploit the vulnerabilities by using touchscreen technology — branded as “TouchSmart” — that’s built into some printers, and which allows users to alter some settings, such as the FTP service settings. “While the number of characters entered is limited and controlled by JavaScript, once an attacker has intercepted the request,” they could use false tags and characters to crash the printer,” he said. Using a text string he published, for example, Guerrero was able to brick a printer, which would not work again until until someone reinstalled its firmware.

An HP spokeswoman didn’t immediately comment.

Guerrero declined to detail specific printer makes and models that might suffer from these vulnerabilities, although he said he confirmed the vulnerability on HP DesignJet printers, as well as some types of Ricoh printers. But he noted any device that uses JetDirect is at least vulnerable to having its authentication bypassed by an attacker, using the security holes he identified.



Leave a Reply

You must be logged in to post a comment.