This is precisely why I still use a dot matrix printer.

Luckily these are my IT guys.

Helllloooooooooooooooooo................

/comment echoes in empty thread

Impossible. Our network printer has a mind of its own, and will not be tamed.

Bring it on...

That printer in the corner and I have had a long standing feud, and I have been waiting for it to make a move so I can teach it a lesson..

Come on HP... Just say the wrong word today, and it is ON!!!

I didn't see pictures of a printer they successfully set on fire, so I'm skeptical.

As a Xerox salesperson and tech, I'm getting a kick out of this one . . .

//Common Criteria Certifications FTW

People still use printers?

Oh c'mon...totally believable

1) Take over HP printers worldwide
2) remotely set them on fire
3) ??
4) Profit!

I'd be more worried about the possibility of printers sending duplicate documents outside the firewall (with sensitive info, etc.), but honestly, the guy had to manually disassemble the unit to accomplish this - I think I'd notice if the local office printer was in pieces one morning. Pretty sure office printers don't have a 4-5 year lifecycle anyway, the one outside my office breaks down every couple of months already, and it's this year's model.

sandbar67: This is precisely why I still use a dot matrix printer.

Kind of what I was thinking as I read the article. Does a printer really need remotely installed updates? Do people have problems printing newer formats because their firmware is out of date? If not, what's the point?

I immediately thought of the onion article from when Steve Jobs stepped down-

New Apple CEO Tim Cook: 'I'm Thinking Printers' (new window)

I got as far as "heat up the printer's fuser - which is designed to dry the ink once it's applied to paper" and realized that they had no idea what they were talking about.

Call me when they can make it play the Imperial March

Wouldn't it be more fun to print out random porn on printers that are connected to the Internet?
I know I always find that amusing to do.

Is the stupid tag taking the day off?

/clicks on print... "I'm sorry, Dave, but I can't do that..."

You whippersnappers come talk to me when you figure out how to make a disk drive walk across the floor and block the server room shut.

Is the exploit using Command Line hacking (new window)?

Spirit Hammer: I got as far as "heat up the printer's fuser - which is designed to dry the ink once it's applied to paper" and realized that they had no idea what they were talking about.

You're not using the new inkjet printers with the fast-drying fuser option? Get with the times, man!

Seriously though, if my network is insecure enough that someone from the outside can access my printers at all, I have a bigger problem than some obscure security flaw in my printer.

sandbar67: This is precisely why I still use a dot matrix printer.

I don't even trust them. So I use a plotter. Nothing like all my documents being 24 inches wide.

lpr0 on fire was ahead of its' time..

You know, it's stories like this that frighten me, because eventually somebody of "importance" is going to see it, start asking questions about printers being accessible from the internet, in a moment of confusion words like "technically" and "NAT" are going to be thrown around and eventually somebody will be in my office telling me to make it so that they can print to their work printer from home without having to use VPN....

mindflayer: Is the exploit using Command Line hacking (new window)?

What? It was a video of some kid, not knowing what he was talking about, using DOS's version of traceroute (tracert). What the little numbnutz didn't understand is that he wasn't getting the IPs and response times of other people using google at the time, but the hops between his computer and Google. The only way to get the IPs of everyone using Google is to use a network sniffer installed at Google edge.

JackieRabbit: mindflayer: Is the exploit using Command Line hacking (new window)?

What? It was a video of some kid, not knowing what he was talking about, using DOS's version of traceroute (tracert). What the little numbnutz didn't understand is that he wasn't getting the IPs and response times of other people using google at the time, but the hops between his computer and Google. The only way to get the IPs of everyone using Google is to use a network sniffer installed at Google edge.

[ThatsTheJoke.jpg]

Ozone_Ranger
I'd be more worried about the possibility of printers sending duplicate documents outside the firewall (with sensitive info, etc.),

Which is what they did:
"In one demonstration, Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker's machine."



but honestly, the guy had to manually disassemble the unit to accomplish this

That part wasn't as clear as it could have been, but I think the disassembly was just to find or confirm the real problem - that the printers accept unsigned firmware updates from remote hosts, maybe even embedded in a normal print job (HP seems to disagree on the embedding part).

Spirit Hammer: I got as far as "heat up the printer's fuser - which is designed to dry the ink once it's applied to paper" and realized that they had no idea what they were talking about.

While technically inaccurate, the end result is more or less the same. Without the fusing process, toner would sorta float around the paper, which is more or less what ink does when it's not dry.

Do they really have no idea how a laser printer works? Or are they trying to dumb the explanation down so the layman can understand it? Or, could it be that they're trying to skip a very involved technical explanation that includes describing just what toner is and what physics govern it in a laser printing environment?

A bit of all three?

In other news, I could see an out-of-control fuser spontaneously combusting. They get that hot. I'm not sure I'm clear on just how contrived the process of getting it to do that really is, and if it's even feasable.

mod3072: Spirit Hammer: I got as far as "heat up the printer's fuser - which is designed to dry the ink once it's applied to paper" and realized that they had no idea what they were talking about.

You're not using the new inkjet printers with the fast-drying fuser option? Get with the times, man!

Seriously though, if my network is insecure enough that someone from the outside can access my printers at all, I have a bigger problem than some obscure security flaw in my printer.

This is what I was thinking. How many companies have internet attached printers? Why would they? Now home users I could see, but they would be ink jets and because someone did not set up the printer properly. I am confused. Then again they stated they found 40,000 internet connected printers. That really is not that many in the grand scheme of things.

Figured HP as the main victim/culprit. I'm sure they put a bug in them to make them die at the end of the warranty.

Please, please let it be the one from the commercial with the baby rolling around in the walker. They only play it 1,000 times during Comedy Central and ABC web streams.

Also, if I'm on vacation, what possible reason do I need to be automatically printing out pictures at home?

mctwin2kman:How many companies have internet attached printers? Why would they? Now home users I could see, but they would be ink jets and because someone did not set up the printer properly. I am confused. Then again they stated they found 40,000 internet connected printers. That really is not that many in the grand scheme of things.

Many companies have networked printers. They're not networked so that they can reach the internets, they're networked so that users of the local domain can print to them without a direct (USB) connection. It allows for convenience in administration of the devices, and allows the printers within a network to be shared and used by numerous people in various locations. There are FAR more than 40,000 internet connected printers--probably in the millions.

Sline: Does a printer really need remotely installed updates? Do people have problems printing newer formats because their firmware is out of date? If not, what's the point?

Generally speaking, people don't upgrade printer/mfd firmware unless it is in order to resolve a specific issue they are encountering, such as garbled print outs due to some sort of printer language error. In some cases, as new printer driver updates are released, often times the firmware of the device needs to be upgraded as well. Some people find it incredibly useful to have the ability to remotely update firmware in a printer/mfd. It is mainly for use by IT administrators of larger companies who have a "fleet" of printers spread out across one building, a company campus, or even around the country/globe. They can sit at one central location and push the updates out to each device. It's also useful when contacting the manufacturer's support techs over the phone--our Xerox engineers can remote log-in and install firmware upgrades onto any customer's device.

Y'all feel better now?

txhitech: Wouldn't it be more fun to print out random porn on printers that are connected to the Internet?
I know I always find that amusing to do.

You would think that all the harassment suits would be way more expensive than a few fires.

/Time to start up the ole HP BBQ.

LeglessDog: Many companies have networked printers. They're not networked so that they can reach the internets, t

Damn son, you need to layoff of whatever you're doing.

mctwin2kman
This is what I was thinking. How many companies have internet attached printers?


I don't think the printers have to be accessible from the internet.
It might be enough that someone on the local network prints a document that installs a different firmware in secret.
And chances are the printer itself will be able to connect to the internet - I guess a lot of small companies only block incoming traffic (if any) and don't bother to check if an internal IP accessing the net belongs to a printer.

Then again they stated they found 40,000 internet connected printers. That really is not that many in the grand scheme of things.

Well, they also said "in a quick scan".
Since the article isn't very good (see the fuser thing others mentioned), your guess might be as good as mine what they really did.
But since it was also said that those could be infected "within minutes", those might very well have been just the ones that aren't protected at all and are directly accessible, i.e. everybody on the internet could add them as a network printer.

strangeguitar: [i327.photobucket.com image 450x300]

Luckily these are my IT guys.


By daveism2000 at 2011-11-29

1) If my network is so insecure that my printers are visible to the outside, I deserve it.
2) If my printers have such a vulnerability that allows paper to normally stop in the fuser, and also allows the fuser to overheat to 451°F or greater for an extended period of time, I think Underwriters Laboratories may have something to say about that.
3) My printers barely function on a good day- how would anyone tell the difference? I mean seriously- what is with Win7 and printing?
4) Bring on the robot uprising- I have my ClueBat right next to my desk...

LeglessDog: mctwin2kman:How many companies have internet attached printers? Why would they? Now home users I could see, but they would be ink jets and because someone did not set up the printer properly. I am confused. Then again they stated they found 40,000 internet connected printers. That really is not that many in the grand scheme of things.

Many companies have networked printers. They're not networked so that they can reach the internets, they're networked so that users of the local domain can print to them without a direct (USB) connection. It allows for convenience in administration of the devices, and allows the printers within a network to be shared and used by numerous people in various locations. There are FAR more than 40,000 internet connected printers--probably in the millions.

Sline: Does a printer really need remotely installed updates? Do people have problems printing newer formats because their firmware is out of date? If not, what's the point?

Generally speaking, people don't upgrade printer/mfd firmware unless it is in order to resolve a specific issue they are encountering, such as garbled print outs due to some sort of printer language error. In some cases, as new printer driver updates are released, often times the firmware of the device needs to be upgraded as well. Some people find it incredibly useful to have the ability to remotely update firmware in a printer/mfd. It is mainly for use by IT administrators of larger companies who have a "fleet" of printers spread out across one building, a company campus, or even around the country/globe. They can sit at one central location and push the updates out to each device. It's also useful when contacting the manufacturer's support techs over the phone--our Xerox engineers can remote log-in and install firmware upgrades onto any customer's device.

Y'all feel better now?

Just because a printer is networked does not mean it is internet connected. Our printers are all on a private IP range so not accessable through the internet. Unless you VPN in and print but then it is still secure so to speak. They all sit behind a firewall. There is no access to them from the outside world, without VPN. Just because a device has an IP does not mean it is on the internet.

/IT

LeglessDog: mctwin2kman:How many companies have internet attached printers? Why would they? Now home users I could see, but they would be ink jets and because someone did not set up the printer properly. I am confused. Then again they stated they found 40,000 internet connected printers. That really is not that many in the grand scheme of things.

Many companies have networked printers. They're not networked so that they can reach the internets, they're networked so that users of the local domain can print to them without a direct (USB) connection. It allows for convenience in administration of the devices, and allows the printers within a network to be shared and used by numerous people in various locations. There are FAR more than 40,000 internet connected printers--probably in the millions.


You don't know what NAT means, do you? Be quiet and let the big people talk now.

Speaking of accessible network printers, back when most wireless routers had unencrypted networks as default and GPS in consumer devices wasn't as widespread, a few guys I knew went wardriving for fun and put wireless networks on a city map (a bit like what Google did later with its streetview cars).
When they hit an unsecured one with an ID that sounded like a doctor's office, they pondered about using the office's network printer to print a message and a guide on how to secure the wireless network.

The Voice of Doom: mctwin2kman
This is what I was thinking. How many companies have internet attached printers?


I don't think the printers have to be accessible from the internet.
It might be enough that someone on the local network prints a document that installs a different firmware in secret.
And chances are the printer itself will be able to connect to the internet - I guess a lot of small companies only block incoming traffic (if any) and don't bother to check if an internal IP accessing the net belongs to a printer.

Then again they stated they found 40,000 internet connected printers. That really is not that many in the grand scheme of things.

Well, they also said "in a quick scan".
Since the article isn't very good (see the fuser thing others mentioned), your guess might be as good as mine what they really did.
But since it was also said that those could be infected "within minutes", those might very well have been just the ones that aren't protected at all and are directly accessible, i.e. everybody on the internet could add them as a network printer.

Did you RTFA? It specifically states that the printers vulnerable are on the Internet and not behind a firewall, meaning someone has a device that has an internet IP that anyone can basically print to. Probably someone with a router at home with a printer attached that has allowed open access to it. But yeah sure I imagine one behind a firewall could be affected if someone has an infected PC behind the firewall that the hackers can use. Or a user from behind the firewall does the attack.

I am sure it may be possible to e-mail an infected printable file to someone that by chance gets by Virus scanning but time will only tell on that one.

Sline: sandbar67: Does a printer really need remotely installed updates?

Well, sometimes yes.

One of our printers wouldn't wake up when new print jobs were sent to it, requiring a user to get up, turn the printer on, wait for it to warm up, then wait for the printouts. The firmware update fixed this behavior so the printer now automatically wakes up when a print job is sent to it.

So yes, sometimes it's needed.

The Voice of Doom: Speaking of accessible network printers, back when most wireless routers had unencrypted networks as default and GPS in consumer devices wasn't as widespread, a few guys I knew went wardriving for fun and put wireless networks on a city map (a bit like what Google did later with its streetview cars).
When they hit an unsecured one with an ID that sounded like a doctor's office, they pondered about using the office's network printer to print a message and a guide on how to secure the wireless network.

That is about the only way I see this as being bad. But that is not large companies. But something like a doctors office or lawyers and the whole copying of print jobs would be a serious problem. Then again I would say those idiots deserve it. I doubt any doctors offices leave their wifi open now.

mctwin2kman: The Voice of Doom: Speaking of accessible network printers, back when most wireless routers had unencrypted networks as default and GPS in consumer devices wasn't as widespread, a few guys I knew went wardriving for fun and put wireless networks on a city map (a bit like what Google did later with its streetview cars).
When they hit an unsecured one with an ID that sounded like a doctor's office, they pondered about using the office's network printer to print a message and a guide on how to secure the wireless network.

That is about the only way I see this as being bad. But that is not large companies. But something like a doctors office or lawyers and the whole copying of print jobs would be a serious problem. Then again I would say those idiots deserve it. I doubt any doctors offices leave their wifi open now.

Never misunderestimate the ignorance of the end user who "knows" how to do it himself. Doctors are the worst... "If I can save a life, I can surely configure this routerwall thingy."

Badmonkey82009: mctwin2kman: The Voice of Doom: Speaking of accessible network printers, back when most wireless routers had unencrypted networks as default and GPS in consumer devices wasn't as widespread, a few guys I knew went wardriving for fun and put wireless networks on a city map (a bit like what Google did later with its streetview cars).
When they hit an unsecured one with an ID that sounded like a doctor's office, they pondered about using the office's network printer to print a message and a guide on how to secure the wireless network.

That is about the only way I see this as being bad. But that is not large companies. But something like a doctors office or lawyers and the whole copying of print jobs would be a serious problem. Then again I would say those idiots deserve it. I doubt any doctors offices leave their wifi open now.

Never misunderestimate the ignorance of the end user who "knows" how to do it himself. Doctors are the worst... "If I can save a life, I can surely configure this routerwall thingy."

The smaller ones yeah. But the larger ones that all use tablets now normally have an IT Person, contractor, set them up. But yeah this is where the bad stuff will happen and they could be targets for exploitation.

HA! I don't have a network printer. You fail, criminal hax0rs!

mctwin2kman
Did you RTFA? It specifically states that the printers vulnerable are on the Internet and not behind a firewall, meaning someone has a device that has an internet IP

Well, yeah, I did RTFA and I don't think we or the article actually disagree.
It's just that the real vulnerability is that the printers accept unsigned remote firmware updates (maybe embedded in a print job), so a printer behind a firewall is still vulnerable, just not as easy or fast to infect in a "SQL Slammer/MS Blaster"-way as one of the 40,000 their "quick scan" found.

"the Columbia researchers claim, duping a would-be target into printing a virus-laden document is enough to take control of that person's printer; but in some cases, printers are configured to accept print jobs via the Internet, meaning the virus can be installed remotely, without any interaction by the printer's owner."



I am sure it may be possible to e-mail an infected printable file to someone that by chance gets by Virus scanning but time will only tell on that one.

Yepp (though missing a virus that can brick the printer would suck; some network printers actually still cost money).
Or in other words:
"[F-Secure's] Hypponen said that the anti-virus industry could develop software tools that would detect booby-trapped print jobs in word processing documents or emails, and thwart attempts to update printers with rogue software that way. But such an approach would hardly be foolproof."

eek!