Multifunction printer: Serious security flaws discovered in HP printers


© dpa-infocom GmbH

Cyber attackers are always finding new ways to break into the networks of companies and larger organizations. Now, apparently, multifunction printers could serve as a gateway.

Serious security gaps have been discovered in over 150 multifunction printer models from world market leader HP.

Attackers could use the vulnerabilities to gain control of unprotected printers and steal information, said the Finnish security company F-Secure on Tuesday. In the worst case, the networks could be infiltrated in such a way that further damage could be caused.

HP could not be reached on Tuesday for comment. According to F-Secure, the US group has now released software updates that can close the security gaps. Multifunction printers are mainly used in companies and organizations. However, some of the affected models are also likely to be found in private households.

Font files as a gateway

The HP devices can be attacked via manipulated font files that contain malicious code. The attackers could try to trick their victims into visiting a malicious website, which would automatically trigger a print command. The malicious font contained in the document enables the attacker to execute additional code on the printer.

In this way, attackers could steal, unnoticed, all data that passes through the multifunction device (printer, scanner, fax) or is temporarily stored on it. “This not only includes documents that are printed, scanned or faxed, but also sensitive information such as passwords and access data, via which the device is connected to the rest of the network,” said F-Secure.

Attackers could also use the infected HP printer as a starting point to penetrate further into a company’s network. This could cause additional damage. In a cyber attack, for example, data could be stolen or changed. It is also possible to install encryption software and then blackmail the victims.

According to the company, the researchers at F-Secure approached HP with their findings in the spring and worked together with the manufacturer to remedy the weaknesses. HP has now published firmware updates and security information for the affected devices. However, IT administrators now have to install these across the board in order to avoid a wave of cyber attacks.

The Federal Office for Information Security (BSI) stated that the authority did not yet have any further technical information. It will therefore take a while before the BSI can make a well-founded assessment.

dpa
