Printer malware: print a malicious document, expose your whole LAN

One of the most mind-blowing presentations at this year's Chaos Communication Congress (28C3) was Ang Cui's Print Me If You Dare, in which he explained how he reverse-engineered the firmware-update process for HP's hundreds of millions of printers. Cui discovered that he could load arbitrary software into any printer by embedding it in a malicious document or by connecting to the printer online. As part of his presentation, he performed two demonstrations: in the first, he sent a document to a printer that contained a malicious version of the OS that caused it to copy the documents it printed and post them to an IP address on the Internet; in the second, he took over a remote printer with a malicious document, caused that printer to scan the LAN for vulnerable PCs, compromise a PC, and turn it into a proxy that gave him access through the firewall (I got shivers).

Cui gave HP a month to issue patches for the vulnerabilities he discovered, and HP now has new firmware available that fixes this (his initial disclosure was misreported in the press as making printers vulnerable to being overheated and turning into "flaming death bombs" -- he showed a lightly singed sheet of paper that represented the closest he could come to this claim). He urges anyone with an HP printer to apply the latest patch, because malware could be crafted to take over your printer and then falsely report that it has accepted the patch while discarding it.

Cui's tale of reverse-engineering is a fantastic look at the craft and practice of exploring security vulnerabilities. The cases he imagined for getting malware into printers were very good: send a resume to HR, wait for them to print it, take over the network and pwn the company.

Cui believes that these vulnerabilities are likely present on non-HP printers (a related talk on PostScript hacking lent support to his belief) and his main area of research is a generalized anti-malware solution for all embedded systems, including printers and routers.

Just in case this has scared the hell out of you (as it did me), be assured that there are many lulz to be had, especially when Cui described his interactions with HP, who actually had a firmware flag called "super-secret bypass of crypto-key enabled."

Print Me If You Dare


  1. I wonder how many more years until that old chain letter, where some new insidious virus infects everything from your graphics card to your monitor cable, becomes true.

    1. Then it kills your dog.  This is possible now, because the HP printer will spin its wheels to make itself whine like a cat, attracting the dog.  When the dog is nearby, the printer then self-immolates, thus taking out the dog.

  2. If you’d asked me to describe a printer-based virus before seeing this, I’d have imagined something that lived on your hard drive, scanned your network e-mail traffic for certain keywords, and then printed this document on the printer in your Accounts Payable department:

    SUBJ: Urgent billing matter

    It has come to my attention that we are delinquent in our debt to HRH Josef Abbadiah of the Nigerian Royal Family. I expect you to wire the full $10,000 USD to his Western Union account immediately. And don’t even remind me of your incompetence in this matter ever again, or so help me I’ll fire you and give your job to that schmuck [$OFFICE_SCHMUCK.ACCTS_PAY] just to spite you.

    Of course, that’d be the slick commercialized version. There would also be the regular old griefer versions that just made every document end with “P.S. You know what would be fun? Throwing a bucket of water on the server stack! You should totally do that!”

  3. HP does have firmware update software for my printer.  However, the installation instructions indicate it’s for Windows only.

    For those of us who have no Windows in our house (or Mac), can it be done?  Does anybody know if there are general firmware flashing utilities for HP printers out there that aren’t dependent on running them from a Windows machine?

    1. It’s a self-extracting ZIP archive. You can use unzip(1) to extract the .RFU file. Send this file to the printer like you would with a PS document.

      1. Oh!  Thanks.  I didn’t even download the thing, because I saw the “Windows” system requirements.

        Why can’t they just say what you said?

      2. Hurm… the exe I downloaded from the HP site is not a zip file.  It’s a Windows executable of some sort, but unzip doesn’t recognize it.

  4. I’ve always hated HP printers.  Many of them over the years have been a nightmare to share over a network with Macs.

    I’d like to pile them all into the middle of a football field within a packed stadium, then send the burn-in-a-fire command for all of them to the roar of the cheering crowd screaming, “Burn! You son of a bitches! Burn!!!”

    1. I started hating them when the 4000s stopped printing certain pdfs, right when the 4050s came out.  It did get fixed about two months later, but I spent hours troubleshooting this, not knowing which way was up.  It was them all along, just being sleazy.

  5. It’s also just as easy to show up at the door dressed as the company’s technology provider and offer them a free printer, an exploit that’s been tested by security firms. It all shows that we don’t really hack machines so much as we hack people.

    Scary, but makes good LULz:

  6. Why does this set of attacks surprise anybody? Any network device is vulnerable in one fashion or another. It is why putting your whole house on-line is a bad idea.

    That having been said, you don’t need to hack the printer itself to cause chaos. Imagine what happens if a computer in finance gets infected and starts printing the payroll or personnel files db to random printers in the company.

    1. I have the same question. Most Google searches seem to say that it is just for LaserJet printers, but the BB article suggests that every HP printer is vulnerable. (Most likely, every HP printer is vulnerable, just not necessarily to this particular exploit…)

  7. This is SO last century

    I remember all this sort of stuff from back in the late 1980s when people could embed the code to reset the password on Apple laser printers in a PostScript file. Then those people would watch the dumpsters for their new printer.

  8. I haven’t used an HP printer ever since the one I had refused to print a black and white document because it was out of YELLOW ink. Even worse, I’d never printed anything yellow with it.

    1. Ah. So they’re treating me like a criminal and making my printouts traceable, at MY expense.

      I don’t want to live on this planet anymore.

  9. What’s really annoying about these printers and scanners etc. is that they’re usually running Linux… you should be able to fix the code yourself but they do not provide the source for the proprietary gubbins on them… oh you can get client side drivers for them, but fixing the firmware is off-limits because of the stuff they’ve put on them to secretly mark your printouts with date, time and serial numbers and in the case of scanners, to recognise if you’re trying to copy a banknote…

    1. Stallman was right.
      Oh, grumble all you want, but at least admit that. I’m getting a t-shirt that says exactly that.
