Real World Computing

Your printer vs the hackers

Posted on 18 Jun 2009 at 11:26

Steve Cassidy has never seen a furore like that caused by HP's admission that networked printers retain hackable documents.

If you read the wording carefully, the firmware update that fixes this problem sounds as though someone found one of those annoying buffer overflows that could be triggered by the right stream of traffic - but again, we don't need to be that clever here. I haven't regularly encountered password-protected printers in small-to-medium networks anyway, so let's think about the router, which is what HP must have had in mind. This would be a device that grants an external attacker access to all the devices inside your network, for any protocol the attacker cares to use, so in my network and yours that router would have to maintain a traffic-forwarding table for every device that lies behind it. That's because our networks use private IP address ranges - normally the ones that start with 192.168 or 10.0 or 172.16 (see http://en.wikipedia.org/wiki/Private_network for a remarkably rigorous report on what these are all about) - but routers inherently won't route otherwise-unassigned traffic from outside to devices in these address ranges.

Okay, so maybe HP was thinking instead about those of us with public, globally routable IP addresses for all our internal devices including printers, but be honest now, when did you last see a network like that? There may be a few readers in the military or the civil service who've had this kind of setup foisted on them, for reasons so historic they'll shortly be dug up by Tony Robinson, but the rest of us are overwhelmingly likely to be using private address ranges - and more to the point, a router that won't pass any traffic from the outside world to any internal device unless it was solicited by that device in the first place. And all that's before you add a proper firewall, or a "personal firewall" (which I wish people would start calling "PC traffic monitors", since they fulfil only a small part of the role fulfilled by proper hardware devices worthy of the name firewall). Or a managed proxy service. Or an internal proxy server. All of these are far more commonly found services in our modern small networks than the bizarre notion of globally routed addresses sprinkled around like confetti.

I think it's pretty safe to say that nobody is going to reach into your network from Ulan Bator or the shanty towns of Belo Horizonte and target your vulnerable HP printer without so much as touching the sides of any other piece of hardware in your kit-list. Looked at in that light, HP's suggestion to delete the default gateway to inhibit return traffic crosses that difficult line between well-intended over-simplification and poorly considered and irrelevant commentary. The real issue isn't about lobbing spears into a remote printer from the hacker's eyrie-cum-war-room, it's that once you have a suborned machine in your network, your printers become part of the vulnerable group, although they'd have a very low priority for the kind of hacker who suborns machines in the first place, who's far more interested in using your PCs to relay spam.

Suborn again

"Suborned" is one of those lovely words that's mostly seen in spy thrillers from the 1960s (and, of course, Acts 6:11 in the King James Bible). I find that its very obscurity encourages people to ignore the simple facts of PC security as found in the wild these days. Last month, I watched a PC become infected several times. The initial infection opened a door that led back to a botnet, which meant that the PC actively solicited a connection via the router from inside the network, which isn't open to the outside world in a passive way. The PC must actively reach out to the spammers' Command and Control Centre to receive its instructions, and then some villain of lower stealth status purchases a time slot on the infected machine, through which they put on other less subtle payloads that place it under unknown, distant remote control.
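The router behaviour this column relies on, modelled as an added example that is not part of the original article: unsolicited inbound packets find no entry in the router's table and are dropped, while a reply to a connection opened by an inside PC is forwarded. The `NatRouter` class is a hypothetical simplification, and every address and port is constructed.

```python
import ipaddress

# All addresses and ports below are constructed for illustration.
LAN = ipaddress.ip_network("192.168.1.0/24")
PC, PRINTER = "192.168.1.20", "192.168.1.50"
OUTSIDE = "203.0.113.9"  # documentation-range address standing in for a remote host


class NatRouter:
    """Hypothetical, simplified NAT router with a connection-tracking table."""

    def __init__(self, lan):
        self.lan = lan
        self.table = {}  # (wan_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An inside host opens a connection, so the router records a mapping."""
        if ipaddress.ip_address(src_ip) not in self.lan:
            raise ValueError("source is not on the LAN")
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(wan_port, dst_ip, dst_port)] = (src_ip, src_port)
        return wan_port

    def inbound(self, src_ip, src_port, wan_port):
        """A packet arrives from outside: forwarded only if it matches a mapping."""
        return self.table.get((wan_port, src_ip, src_port))  # None means dropped


def demo():
    router = NatRouter(LAN)
    results = {}
    # The printer has a private address, so it is not routable from outside.
    results["printer_private"] = ipaddress.ip_address(PRINTER).is_private
    # 1. Unsolicited packet from outside: no mapping exists, so it is dropped.
    results["unsolicited"] = router.inbound(OUTSIDE, 51000, 9100)
    # 2. A PC inside opens a connection outward; the reply is then forwarded.
    wan_port = router.outbound(PC, 49152, OUTSIDE, 443)
    results["reply"] = router.inbound(OUTSIDE, 443, wan_port)
    # 3. The mapping covers only that one connection, not other ports.
    results["other_port"] = router.inbound(OUTSIDE, 443, wan_port + 1)
    # 4. PC and printer share the LAN, so traffic between them never
    #    reaches the router's table at all.
    results["lateral_is_local"] = all(
        ipaddress.ip_address(h) in LAN for h in (PC, PRINTER))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Cases 2 and 4 together are why the perimeter router does nothing for the printer once a PC inside has been suborned.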


Steve Cassidy


Steve is a networks expert and a contributing editor to PC Pro for more years than he cares to remember. He mixes network technologies, particularly wide-area communications and thin-client computing, with human resources consultancy.


PCPro-Computing in the Real World Printed from www.pcpro.co.uk
