Printer Too Ready

In a December 8, 2011 post to CNET News, Elinor Mills writes, in a piece with the title “HP sued over security flaw in printers,” about how a Columbia University research team was able to compromise the embedded software in HP LaserJet printers.

First off, the photograph of a printer, which is prominently displayed at the head of Mills’ column, is that of an Officejet printer, not a LaserJet. This is odd since apparently none of the research findings actually relate to Officejets, only to LaserJets.

Ms. Mills links us to the original MSNBC column by Bob Sullivan with the title “Exclusive: Millions of printers open to devastating hack attack, researchers say,” and to an HP News Release, “HP Refutes Inaccurate Claims; Clarifies on Printer Security.” The latter then points us to the section of HP’s website about “HP Security for imaging and printing.”

I am not in a position to know who is right or wrong here, Columbia University or HP, and since a lawsuit has been filed, as described in Mills’ column, I will not comment on which claims might be true or false. Rather, I will examine the manner in which the apparent flaw was made public, as it is an issue common to all disclosures of vulnerabilities and malware.

For transparency’s sake … I know personally Sal Stolfo, who heads the research team at Columbia University, having participated with him in a number of workshops, and, most recently, having greeted him at the 2011 IEEE Homeland Security Technology (HST) Conference in Waltham, Massachusetts, in mid-November. Sal co-authored two papers at the conference: one on “Measuring the Human Factor of Cyber Security,” which won a Best Paper award, and the other on “Behavior-Based Network Traffic Synthesis” … both very important topics, but neither one about hacking printer firmware. In fact, my own presentation at that conference, “Assuring Software and Hardware Security and Integrity throughout the Supply Chain,” is probably much more relevant to the printer issue. Also, my poster presentation from the previous year’s IEEE HST Conference, “Risks of Unrecognized Commonalities in Information Technology Supply Chains,” may also be relevant since it included a photograph of the HP printer and toner cartridge, which was discovered before the explosives hidden inside were detonated. Furthermore, I discussed another printer-related risk, namely sensitive information stored on disposed-of printer hard-drives, in my August 9, 2010 BlogInfoSec column: “Data Leak! Data Leak! … Copy.” Clearly printers have a number of inherent issues, but dealing with such issues often requires the common tradeoff between functionality and security.
