F-Secure Discovers HP Printers Loaded With Security Holes


Keep an eye out for your HP printers. They can be hacked.

On Tuesday, the security firm F-Secure, headquartered in Finland, reported that it had discovered vulnerabilities in more than 150 different HP multifunction printer (MFP) devices. As a result, HP has released fixes for these vulnerabilities, thereby boosting the security of a substantial chunk of its multifunction printers (MFPs).

While this is true, it may be a good moment for companies and consumers to reevaluate the security of their current printers and take steps to prevent the consequences of a hacking incident. If you are in the market for a new printer, the Christmas shopping season may offer some attractive discounts.

As a result of HP’s position as the world’s top producer of multifunction printers (MFPs), with an estimated 40% share of the peripheral hardware market, many firms around the globe are likely to be utilizing susceptible devices, according to the F-Secure analysis.

According to F-study, Secure’s attackers may take advantage of the flaws to take control of devices, steal information, and further enter networks to inflict various forms of harm.

Exposed physical access port vulnerabilities (CVE-2021-39237) and font parsing vulnerabilities (CVE-2021-39238) were discovered in HP’s MFP M725z, part of HP’s FutureSmart line of printers. The vulnerabilities were found by F-Secure security consultants Timo Hirvonen and Alexander Bolshev. HP has produced security warnings for approximately 150 different products potentially impacted by the vulnerabilities.

“It’s easy to overlook that contemporary multifunction printer (MFPs) are fully-functional computers that threat actors may hack in the same way that other workstations and endpoints do. Attackers may use a hacked device to do significant harm to an organization’s infrastructure and operations, just as they can with other endpoints,” according to Hirvonen.

Experienced threat actors perceive unprotected devices as possibilities to infiltrate networks. Consequently, enterprises who do not prioritize safeguarding their MFPs alongside other endpoints leave themselves vulnerable to assaults such as the ones detailed in our study, according to him.

Academic Research Led to Discovery

According to Hirvonen, the investigation into printer hacking began to further his professional growth. The two F-Secure security professionals sought to collaborate on a hardware hacking project to understand the subject better.

While HP did an excellent job of protecting the MFP in several aspects, it only took Bolshev a few hours to discover the two unprotected physical ports on the device that allowed him to get complete access to it. He said that the study was broadened to focus on stealth to produce new tools and insights for use in red teaming and other related operations.

As Bolshev said, “These vulnerabilities exclusively impact HP printers and the models that are included in the HP Security Bulletins.”

Analyzing the Attack Vector

To launch the most effective assault, a malicious website is tricked into being visited by a user from a targeted company. An assault known as a cross-site printing attack is then launched against the organization’s susceptible MFP as a result of this.

To exploit this vulnerability, the website would automatically and remotely print a document with a maliciously-crafted typeface on the affected MFP. This, in turn, would provide the attacker access to the device’s code execution capabilities.

An attacker might quietly steal any information that is run or cached by the MFP with these code execution permissions. Documents that have been printed, scanned, or faxed are included in this category. However, it influences information such as passwords and login credentials that allow the device to communicate with the rest of the network.

Attackers might utilize compromised MFPs as a launching pad to reach further into an organization’s network to accomplish other goals. These might involve stealing or altering other data and transmitting ransomware and other malware.

Also Read for More Info:   Spendesk is the fifth French startup to reach unicorn status this month

The researchers discovered that exploiting the flaws is challenging, which should stop many low-skilled attackers from using them in the first place. According to the F-Secure analysis, experienced threat actors, however, might use them in more focused operations in the future.

According to the researchers, the font parsing flaws were revealed to be wormable. As a result, attackers may develop self-propagating malware and automatically infects targeted MFPs. The hack then spreads to additional susceptible devices on the same network as the original compromised equipment.

Advice for Securing MFPs

Hirvonen and Bolshev approached HP last spring with their discoveries, and the business worked with them to remedy the vulnerabilities they discovered. HP has released firmware upgrades and security alerts for the previously impacted devices.

While the intricacy of the attack makes it impracticable for certain threat actors, the researchers assert that it is critical for enterprises targeted by sophisticated assaults to protect their susceptible MFPs to avoid being compromised.

In addition to patching, the following procedures may be taken to secure MFPs:

Physical access to multifunction printers (MFPs) should be restricted.

Putting MFPs in a different VLAN that is protected by a firewall

Using anti-tamper stickers to indicate physical tampering with electronics is becoming more popular.

Following best practices recommended by suppliers for avoiding unauthorized alterations to security configurations

placing MFPs in places with video surveillance to capture any physical use of hacked devices when they were compromised is a good idea.

‘This is something that large corporations, firms operating in key industries, and other organizations dealing with highly trained and well-resourced attackers should take seriously.’ “There is no need to worry, but people should examine their vulnerability to ensure that they are well prepared for these assaults,” Hirvonen said.

“While the attack is sophisticated, it may be avoided by implementing the fundamentals such as network segmentation, patch management, and security hardening,” he said.

Also Read for More Info:   Ghanaian fintech Float raises $17M seed to power cash flow for commerce in Africa

F-Secure Labs has published a thorough technical write-up of the findings, which can be found here.

Patching Not Automatic

HP is not delivering firmware upgrades that are sent over the air. Making sure printer firmware upgrades are performed regularly is recommended to avoid any genuine hacking efforts in the wild.

As Bolshev pointed out, “we have no proof or allegations of threat actors leveraging these vulnerabilities in attacks at this time.”

To guarantee that their HP gear is patched, consumers and IT professionals must do it manually. He explained that they would have to download and install the HP fixes manually.

Another method, according to him, is to utilize HP Web Jetadmin to remotely upgrade the firmware for several printers at the same time.

Better Safe Than Sorry

According to Bolshev, a competent attacker might abuse the physical ports in less than five minutes and get access to sensitive information. It would take a few seconds to carry out the attack that takes advantage of the font parser.

But, contrary to popular belief, they are not low-hanging fruits that numerous threat actors would be able to pick quickly. The font parsing flaw is not the most straightforward to discover or exploit. He went on to say that “everything that requires physical access creates logistical difficulties for threat actors to go around.”

The vulnerabilities have been around since at least 2013 and have impacted more than 150 different HP printers. As a result, many businesses are likely to be using susceptible MFPs.

Larger enterprises should be concerned about the vulnerability, but smaller firms should not be alarmed since it needs a relatively experienced attacker.” This is a possible attack vector, but it should only be considered by more prominent companies that are dealing with well-resourced/highly trained threat actors and organizations active in essential industries,” Bolshev said.


Please enter your comment!
Please enter your name here