One of the most mind-blowing presentations at this year’s Chaos Communications Congress (28C3) was Ang Cui’s Print Me If You Dare, in which he explained how he reverse-engineered the firmware-update process for HPs hundreds of millions of printers. Cui discovered that he could load arbitrary software into any printer by embedding it in a malicious document or by connecting to the printer online. As part of his presentation, he performed two demonstrations: in the first, he sent a document to a printer that contained a malicious version of the OS that caused it to copy the documents it printed and post them to an IP address on the Internet; in the second, he took over a remote printer with a malicious document, caused that printer to scan the LAN for vulnerable PCs, compromise a PC, and turn it into a proxy that gave him access through the firewall (I got shivers).
Cui gave HP a month to issue patches for the vulnerabilities he discovered, and HP now has new firmware available that fixes this (his initial disclosure was misreported in the press as making printers vulnerable to being overheated and turning into “flaming death bombs” — he showed a lightly singed sheet of paper that represented the closest he could come to this claim). He urges anyone with an HP printer to apply the latest patch, because malware could be crafted to take over your printer and then falsely report that it has accepted the patch while discarding it.
Cui’s tale of reverse-engineering is a fantastic look at the craft and practice of exploring security vulnerabilities. The cases he imagined for getting malware into printers were very good: send a resume to HR, wait for them to print it, take over the network and pwn the company.
Cui believes that these vulnerabilities are likely present on non-HP printers (a related talk on PostScript hacking lent support to his belief) and his main area of research is a generalized anti-malware solution for all embedded systems, including printers and routers.
Just in case this has scared the hell out of you (as it did me), be assured that there are many lulz to be had, especially when Cui described his interactions with HP, who actually had a firmware flag called “super-secret bypass of crypto-key enabled.”