Yesterday, Naked Security wrote about a flaming war of words that seemed to have broken out between Columbia University and HP.
As MSNBC rather breathlessly asked, “Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire?”
[Update. As made clear in the comment below by An Cui, one of the Columbia researchers, there is no war of words between the University and HP. It just seemed that way.]
Smoke and fire certainly make good hacking headlines.
Charlie Miller got advance publicity by the wheelbarrowful for his 2011 Black Hat talk – he showed how the embedded microcontroller in Macbook batteries works – by sneaking the words overcharging or fire into his abstract.
And recent claims that a hacker broke into a US water treatment plant and burned out a pump by repeatedly turning it on and off made headlines worldwide.
So where does that leave your HP printer? Is it ready to combust at a remote hacker’s whim?
The truth is: almost certainly not.
With health and safety regulations being what they are in most developed countries – especially HP’s home turf, the USA – it would be surprising indeed if your printer could be tricked through software alone into malfunctioning in this way.
The facts are much more mundane than the headlines.
Macbook batteries have a physical safety fuse; the burned-out pump immediately raised an alarm (and may simply have been a burned-out pump after all); HP printers have a thermal cutout which cannot be overridden in software.
As HP stated in a no-punches-pulled press release earlier today:
HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or [the researchers' claimed] vulnerability.
That’s that for the fire, then. But is there anything more we can learn from this heated narrative?
Yes.
Firstly, security researchers should be more circumspect about how they position their research in the media, and what conclusions they allow hacks (journalists) to reach when their work is publicised.
I’m sure The Columbia University Intrustion [sic] Detection Systems Lab (that’s the spelling they use in the title of their web page) are delighted at the coverage they’ve had. But they might have better served the public if they’d objected to the author rather glibly adding a rider to his report saying, “the researchers believe other printers might be used as fire starters.”
[Update: the ‘Intrustion’ typo is now fixed!]
Secondly, technology writers should be more circumspect about the conclusions they invite the public to reach.
If the researchers genuinely are of the opinion – a word, incidentally, better suited to scientific reports than belief – that other printers on the market could become fireballs, then they will have supporting evidence, and the writer ought to have seen it, surveyed it, and mentioned it.
Thirdly, companies caught in security cross-fire – as HP was in this case, since the story actually makes it clear that HP’s overheating safeguard performed correctly in the demonstration – ought to aim for greater clarity in their media releases.
HP responded quickly, which is commendable, but the company’s PR statement is vague and dismissive about the underlying vulnerability – which is much more of a story than the unlikelihood of printers going up in flames.
Apparently, older HP printers allow unsigned firmware upgrades to be embedded into print jobs and accepted over the network, without any authentication of the sender. This does represent a risk, and it isn’t a good idea to allow firmware updates to be deployed so easily. But HP’s release only talks about “the potential security vulnerability,” without any suggestion of what sort of vulnerability is meant.
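The in-band update path described above, as an added example in Go (not code from the original article, from HP or from the Columbia lab): a toy printer that flashes any firmware blob it finds inside a print job, beside a hardened path that verifies an Ed25519 signature under a vendor key pinned at manufacture, requires the administrator to have enabled updates out of band, and refuses rollback or replay. The `@PJL UPGRADE SIZE=n` framing, the image layout and the `Printer` type are assumptions made for this example, not HP's real remote-firmware-update format.

```go
package main

// Added example, not code from the article, HP or the Columbia researchers.
// Vulnerable path (ApplyUnverified): a firmware image carried in a print job is
// applied with no check. Hardened path (ApplyVerified): signature under a pinned
// vendor key, administrative enable switch, anti-rollback. The "@PJL UPGRADE
// SIZE=n" framing and image layout are assumptions chosen for the example.

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// upgradeMarker stands in for the in-band "firmware follows" command (assumed syntax).
const upgradeMarker = "@PJL UPGRADE "

// Printer is a toy device: a pinned vendor public key, the running version and image.
type Printer struct {
	Version   uint32
	VendorKey ed25519.PublicKey // burned in at manufacture, never changed in-band
	Firmware  []byte
}

// extractUpgrade returns the firmware blob carried by a job, or (nil, nil) for an
// ordinary print job. Header form assumed here: "@PJL UPGRADE SIZE=<n>\n<n bytes>".
func extractUpgrade(job []byte) ([]byte, error) {
	i := bytes.Index(job, []byte(upgradeMarker))
	if i < 0 {
		return nil, nil
	}
	rest := job[i+len(upgradeMarker):]
	nl := bytes.IndexByte(rest, '\n')
	if nl < 0 {
		return nil, errors.New("malformed UPGRADE header")
	}
	size, err := strconv.Atoi(strings.TrimPrefix(string(rest[:nl]), "SIZE="))
	if err != nil || size < 0 || size > len(rest)-nl-1 {
		return nil, errors.New("bad or truncated SIZE")
	}
	return rest[nl+1 : nl+1+size], nil
}

// ApplyUnverified is the vulnerable path: whatever arrives in the job gets flashed.
// Constructed image layout: 4-byte big-endian version || payload.
func (p *Printer) ApplyUnverified(job []byte) error {
	img, err := extractUpgrade(job)
	if err != nil || img == nil {
		return err
	}
	if len(img) < 4 {
		return errors.New("image too short")
	}
	p.Version, p.Firmware = binary.BigEndian.Uint32(img[:4]), img[4:]
	return nil
}

// ApplyVerified is the hardened path. Image layout: version || payload || Ed25519
// signature over (version || payload), made with the vendor's private key.
func (p *Printer) ApplyVerified(job []byte, updatesEnabled bool) error {
	img, err := extractUpgrade(job)
	if err != nil || img == nil {
		return err
	}
	if !updatesEnabled { // out-of-band switch: a print job alone must never reflash
		return errors.New("rejected: firmware updates disabled by administrator")
	}
	if len(img) < 4+ed25519.SignatureSize {
		return errors.New("rejected: image too short to carry a signature")
	}
	body, sig := img[:len(img)-ed25519.SignatureSize], img[len(img)-ed25519.SignatureSize:]
	if !ed25519.Verify(p.VendorKey, body, sig) { // attacker's self-signed image fails here
		return errors.New("rejected: signature does not verify under the pinned vendor key")
	}
	ver := binary.BigEndian.Uint32(body[:4])
	if ver <= p.Version { // anti-rollback; also blocks replay of a captured genuine update
		return errors.New("rejected: version is not newer than the running firmware")
	}
	p.Version, p.Firmware = ver, body[4:]
	return nil
}

// buildImage assembles version || payload and, when a key is given, appends a signature.
func buildImage(version uint32, payload []byte, priv ed25519.PrivateKey) []byte {
	body := make([]byte, 4, 4+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	if priv == nil {
		return body
	}
	return append(body, ed25519.Sign(priv, body)...)
}

// buildJob wraps an image in a minimal, constructed PJL-style print job.
func buildJob(img []byte) []byte {
	return []byte(fmt.Sprintf("@PJL JOB\n%sSIZE=%d\n%s\n@PJL EOJ\n", upgradeMarker, len(img), img))
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := buildJob(buildImage(2, []byte("evil"), attackerPriv)) // signed, but not by the vendor
	good := buildJob(buildImage(2, []byte("good"), vendorPriv))

	old := &Printer{Version: 1, VendorKey: vendorPub, Firmware: []byte("stock")}
	fmt.Println("unverified, attacker job:", old.ApplyUnverified(evil), "-> firmware:", string(old.Firmware[:4]))
	fixed := &Printer{Version: 1, VendorKey: vendorPub, Firmware: []byte("stock")}
	fmt.Println("verified, attacker job:", fixed.ApplyVerified(evil, true))
	fmt.Println("verified, vendor job, updates off:", fixed.ApplyVerified(good, false))
	fmt.Println("verified, vendor job, updates on:", fixed.ApplyVerified(good, true), "-> firmware:", string(fixed.Firmware))
	fmt.Println("verified, vendor job replayed:", fixed.ApplyVerified(good, true))
}
```

The signature check on its own is not the whole fix: the attacker's image in the demo is signed too, just not under the pinned key, and a genuine signed image that arrives inside a print job is still an update nobody asked for, which is what the separate administrative enable switch is for.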
In many ways, HP has made things worse with its strongly-worded release.
Security observers with an overall interest in this issue must now be asking themselves, “Is there something else in there that we don’t know about?” That leaves them well short of being able to reach a final conclusion.
I’ve said it before, when RSA was breached earlier this year, so I may as well say it again.
Three words for security commentary. Promptness. Clarity. Openness.
So why did Sophos publish the article yesterday and add fuel to the "fire"?
I think we focused more on the firmware security vulnerability (which is a genuine security concern) than the potential for flaming printers.
In the story we wrote, we quoted the MSNBC article which made clear that HP’s hardware correctly cut out, not allowing a fire to be created. It was the Columbia researchers who voiced the opinion that other printers may be at risk.
The good news is that HP appears to be planning an update which fixes the security vulnerability, and it’s also pouring “cold water” (ho ho..) over the fire fears.
Errrr, why not :-)
If you read Graham's article from yesterday – written before HP had anything to say on the matter – he does say, "The chances of printers being used as firestarters may be overhyped – but there are genuine security concerns raised by the vulnerability."
And though I can't speak for Graham, he shares the same concerns that I do – namely that unprotected firmware which can be updated "in band" during an apparently normal, unauthenticated operation, is the sort of vulnerability to be concerned about.
So I think it's stretching it a bit to say we added fuel to the fire. (Perhaps we might have toned down the headline a bit. But the idea of "printer at risk of fiery hacker attack" is surely an assonance too good to be let slip :-))
Come on guys — you normally do a better job than this!
The posts yesterday *and today* both used fire in the title to create a reaction, even though today's post appears to try and suggest that you were above the normal journalistic sensationalism all along. But that clearly wasn't the case.
There's a huge difference in my mind (at least I was of the opinion that there was) between what's sensationalised by general media channels (MSNBC and other non-industry-specific entities) and what's presented here in a blog clearly aimed for the security community. I subscribe to and read the Sophos articles precisely because they offer what I hope to be non-sensational and accurate summaries of the current issues in data/network security. I do not expect that in the mainstream media so I do not look there for daily information to help me in my job.
If today's commentary on why this threat is so mundane was presented yesterday I would have had no issue with this. I know about thermal breakers in fuser units and am not in the slightest bit concerned that my workplace will go up in smoke because of a hacker from Eastern Europe. But I AM concerned that I've been reading Sophos's news articles as if they were well-balanced and factual when clearly there is nearly as much media hype here as anywhere else.
Apparently I got burned after all.
Hmm. I'm not sure the threat *is* mundane. It does sound as if there is a serious security vulnerability which could allow a bad guy to install malicious firmware on your printer. That vulnerability could be exploited, for example, to steal information from your organisation.
Yes, HP printers exploding into flames doesn't appear to be an issue – as our article (and MSNBC's original report) did point out, but the "browning" of paper was clearly a more dramatic example of what could be achieved.
But nowhere did Sophos/Naked Security warn of workplaces going up in smoke. :-)
I accept that the headline and accompanying image may have given the wrong impression, and I do apologise for that.
FYI, "FLAMING RETORT" is the name of an occasional op-ed column (approximately one every six weeks) I publish on Naked Security. The name is meant to be mildly amusing, as is the imagery of the alchemist's alembic (a retort, geddit? :-)) which I've used as the image for every installment, including this, the sixth. And I think "flaming retort" just happens to fit this article perfectly – no apologies for that :-)
There are some important lessons to be learned here – not least that HP has now gone public with what amounts to an _unidentified_ vulnerability (is it the same one that the Columbia guys used or not, and if it is, why not simply say so?) which it declares to be a non-issue without helping us understand why.
So they seem to have confused things further when they had a great opportunity to clarify the situation.
Apologies if you were offended. I hope you'll accept that it's hard to interest people in other angles on and opinions about a "printer on fire" story without using the words "printer on fire" in the headline. And if you don't interest them in those other angles and opinions, then the "printer on fire" brigade (sorry, couldn't resist that) win anyway.
Hi there
I am Ang from Columbia. I wish folks would do a little more fact checking before publishing what other people write on the internet. Instead, I am writing this in the comment section. But please pay attention :-)
We never claimed that we can turn printers into firebombs of doom. There is no "war of words" between Columbia and HP. Sal and I have been working closely with the folks at HP to mitigate the actual vulnerability we disclosed to them, which is actually serious. HP is trying to put an end to these claims that HP printers are death machines, as are we, because it isn't true, and it has nothing to do with my recent research.
Now, for those who care about the real security implications of this vulnerability, please watch this demo video. It was made a week prior to the MSNBC article and given to MSNBC as a non-technical explanation of what we found. All this hype around this non-existent fire has directed attention away from the actual problem. Want to better serve the public? Please take the time to consult primary sources and help the public understand how embedded devices like network printers can be used to compromise "protected" networks.
Also, nice catch on the typo :-)
best;
Ang
Demo video:
Errrr, I think we agree on everything :-)
You might disagree a bit with my first point about whether your Lab was circumspect enough in how it chose to present the research. But with hindsight, perhaps you will agree that you could have toned a few things down (ha! a printer joke!) slightly, e.g. the OMG I'M ON FIRE sheet in the video, the intro "after you watch this video, you'll never look at a printer the same way again", and the video title "Print me if you dare."
We certainly agree on your comment that "this hype around this non-existent fire has directed attention away from the actual problem." Indeed, that's what this article is about, and why I wrote, "HP['s] PR statement is vague and dismissive about the underlying vulnerability – which is much more of a story than the unlikelihood of printers going up in flames."
As an aside, if you know the answer and can reply, where did the journo get the idea that "the researchers believe other printers might be used as fire starters?" He presented that almost as if you guys had conveyed some sort of religious conviction it might be possible, but without any evidence of any sort. If I were you, I'd be pretty unhappy about that little remark, throwaway though it might seem…
PS. If you're ever in Sydney, stop by and say G'day!
On the subject of typos…
"The facts are much more mundane that the headlines."
"Those who live by the sword," etc.
Thanks. Fixed it :-)
What is commendable about HP's quick response? A printer should not overheat and start an office fire. They went on to describe the printer's technical make-up that prevents overheating... That said, should we put our HP printers in safety cabinets?