Tuesday, November 29, 2011

Millions of Printers Open to Hacking

MSNBC reports "Exclusive: Millions of printers open to devastating hack attack, researchers say." The article, particularly the headline, is hyperbole. The attack is via something called Remote Firmware Update on some HP LaserJet (not InkJet) printers.

"Every time the printer accepts a job, it checks to see if a software update is included in that job. But they say printers they examined don't discriminate the source of the update software – a typical digital signature is not used to verify the upgrade software’s authenticity – so anyone can instruct the printer to erase its operating software and install a booby-trapped version. In all cases, the Columbia researchers claim, duping a would-be target into printing a virus-laden document is enough to take control of that person's printer; but in some cases, printers are configured to accept print jobs via the Internet, meaning the virus can be installed remotely, without any interaction by the printer's owner."

I guess anything called "Remote Firmware Update" is a bad idea. And not signing the firmware is dumb, but apparently HP fixed that in 2009.
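
The missing check the article describes, as an added example that is not from the original post or from HP: a job handler that installs an update only when its signature verifies against a public key pinned in the device. The container layout (`FWUPDATE` marker, 4-byte length), the function names and the demo RSA key are assumptions constructed for illustration; the key is deliberately weak and exists only so the example runs with the standard library.

```python
import hashlib, hmac

# Constructed demo key (two Mersenne primes): illustration only, NOT secure.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                       # public key pinned in the device
_D = pow(E, -1, (_P - 1) * (_Q - 1))        # vendor private exponent, never on device
K = (N.bit_length() + 7) // 8               # signature length in bytes
# DER DigestInfo prefix for SHA-256 (PKCS#1 v1.5, RFC 8017 section 9.2)
_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MAGIC = b"FWUPDATE"                         # hypothetical update marker in a job

def _encode(image: bytes) -> bytes:
    """Build the expected PKCS#1 v1.5 encoded message for an image."""
    t = _PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def vendor_sign(image: bytes) -> bytes:
    """What the vendor's build system does, shown only to create test input."""
    return pow(int.from_bytes(_encode(image), "big"), _D, N).to_bytes(K, "big")

def signature_ok(image: bytes, sig: bytes) -> bool:
    """Re-encode and compare whole blocks instead of parsing the padding."""
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        return False
    return hmac.compare_digest(pow(s, E, N).to_bytes(K, "big"), _encode(image))

def handle_job(job: bytes) -> str:
    """Route a job: plain print data is printed, updates must verify first."""
    if not job.startswith(MAGIC):
        return "printed"
    body = job[len(MAGIC):]
    if len(body) < 4:
        return "update rejected"
    size = int.from_bytes(body[:4], "big")
    image, sig = body[4:4 + size], body[4 + size:]
    if len(image) != size or not signature_ok(image, sig):
        return "update rejected"            # keep running the current firmware
    return "firmware installed"

def make_update(image: bytes, sig: bytes) -> bytes:
    """Pack an image and signature into the hypothetical job container."""
    return MAGIC + len(image).to_bytes(4, "big") + image + sig

if __name__ == "__main__":
    good = b"constructed firmware image v2"
    print(handle_job(b"%!PS plain document"))
    print(handle_job(make_update(good, vendor_sign(good))))
    print(handle_job(make_update(good + b"!", vendor_sign(good))))
    print(handle_job(make_update(good, b"")))
```

The verifier recomputes the full encoded block and compares it in one step, so a malformed padding layout cannot slip past a lenient parser.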
