Vulnerabilities have been discovered in HP printer software potentially allowing the theft of documents and the bricking of networked machines.
The bugs affect HP's JetDirect software which allows printer set up on networks.
ViaForensics security researcher Sebastián Guerrero said attackers can knock out an array of printers by infusing tags parsed by printer control and language interpreters.
 |
"When considering threats to their computer infrastructure, most companies don’t really consider the risks that printers may pose," Guerrero said.
"Of perhaps greater worry to companies might be data theft that could easily occur on printer devices that store sensitive information.
"Consider that all the heavily encrypted documents a company has on its computers are automatically unprotected once sent to the print queue and are reflected and stored in the history. What if attackers had control or direct access to the records and could use the internal memory to reprint previous jobs?"
Affected devices include models from Canon; Fujitsu; HP; Konica Minolta; Lexmark; Xerox; Sharp; Kodak; Brother; Samsung; Toshiba; Ricoh; Kyocera Mita; Lanier; Gestetner; Infotek; OCE, and OKI.
HP has been contacted for comment.
"When we consider the the long list of manufacturers whose printers may have security vulnerabilities and look at the number of units they’ve sold in recent years, the magnitude of the issue because strikingly clear."
An authentication bypass flaw allowed printer jobs to be accessed, while the addition of unexpected characters into parameters received by the parser and interpreter of affected printer could cause a denial of service, forcing machines to be manually reset.
Other attacks against a naming size limit for a file transfer protocol function can brick printers, requiring firmware to be re-flashed.
"It is imperative that companies don’t fail to take into account their printing devices when considering their overall risk profile."
In 2011, researchers at Columbia University found vulnerabilities in HP LaserJet printers which allowed attackers to steal documents and access local networks.
They claimed that attack, which allowed custom firmware to be uploaded, could even cause the devices to catch on fire but HP denied this.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
