The ability to update firmware is a feature that is found in nearly all modern embedded systems. In this article we demonstrate how this feature can be exploited to allow attackers to inject malicious firmware modifications into vulnerable embedded devices.
We discuss techniques for exploiting such vulnerable functionality and describe the implementation of a proof-of-concept printer malware capable of network reconnaissance, data exfiltration, and propagation to general-purpose computers and other embedded device types.
We present a case study of the HP-RFU (Remote Firmware Update) LaserJet printer firmware modification vulnerability, which allows arbitrary injection of malware into the printer’s firmware via standard printed documents. We show vulnerable population data gathered by continuously tracking all publicly accessible printers discovered through an exhaustive scan of IPv4 space.
To show that firmware update signing is not a panacea for embedded defense, we present an analysis of known vulnerabilities found in third-party libraries in 373 LaserJet firmware images.
Prior research has shown that the design flaws and vulnerabilities presented in this paper are found in other modern embedded systems. Thus, the exploitation techniques presented in this paper can be generalized to compromise other embedded systems.
Firmware update signing can mitigate the HP-RFU vulnerability. However, it should not be used as the sole security mechanism on embedded systems.
We present the results of analyzing all available firmware for 63 HP LaserJet printer models, identifying third-party libraries with known vulnerabilities within the signed codebase.
We have identified vulnerable third-party libraries in 80.4% of all firmware images analyzed. Furthermore, several of the most recently released firmware images contain libraries with vulnerabilities that have been publicly known for over eight years.
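The two points above (signing mitigates unauthorized firmware modification, yet a correctly signed image can still ship third-party libraries with known vulnerabilities) can be made concrete in a few dozen lines. The following Go program is an added example written for this page, not code from the paper or from HP: it signs a constructed stand-in firmware image with Ed25519, shows that the update loader's signature check rejects a tampered copy, and then scans the genuine, verified image for library version banners against a hypothetical known-vulnerable table. The library names and versions in `knownVulnerable`, the banner format, and the `BuildSampleImage` contents are all assumptions made for illustration, not the paper's findings.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"regexp"
)

// Hypothetical table of third-party library banners and the versions a
// vendor might treat as known-vulnerable. Constructed for this example;
// these are not the paper's findings.
var knownVulnerable = map[string][]string{
	"zlib":    {"1.1.4", "1.2.1"},
	"OpenSSL": {"0.9.7", "0.9.8"},
}

// bannerRe matches "<name> <version>" strings as they commonly appear in a
// firmware image's string table (e.g. "zlib 1.1.4"). Assumed format.
var bannerRe = regexp.MustCompile(`(zlib|OpenSSL) (\d+\.\d+\.\d+)`)

// SignImage produces a detached Ed25519 signature over the whole image.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// VerifyImage is the check an update loader performs before flashing. It
// proves only that the image came from the key holder and was not altered.
func VerifyImage(pub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pub, image, sig)
}

// FindVulnerableLibs scans an image for library banners whose version is in
// the known-vulnerable table and returns each unique "name version" hit in
// order of appearance.
func FindVulnerableLibs(image []byte) []string {
	var hits []string
	seen := map[string]bool{}
	for _, m := range bannerRe.FindAllSubmatch(image, -1) {
		name, ver := string(m[1]), string(m[2])
		for _, bad := range knownVulnerable[name] {
			key := name + " " + ver
			if ver == bad && !seen[key] {
				seen[key] = true
				hits = append(hits, key)
			}
		}
	}
	return hits
}

// BuildSampleImage constructs a stand-in firmware image: a fake header, some
// filler code bytes, and the version banners of bundled libraries.
func BuildSampleImage() []byte {
	var b bytes.Buffer
	b.WriteString("FWIMG\x00\x01")
	b.Write(bytes.Repeat([]byte{0x90}, 64))
	b.WriteString("zlib 1.1.4\x00")
	b.WriteString("OpenSSL 0.9.8\x00")
	b.WriteString("libpng 1.6.37\x00") // not in the table: no hit
	return b.Bytes()
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := BuildSampleImage()
	sig := SignImage(priv, image)

	// Signing does its job: a modified image is rejected by the loader...
	tampered := append([]byte{}, image...)
	tampered[len(tampered)-1] ^= 0xff
	fmt.Println("genuine image verifies:", VerifyImage(pub, image, sig))
	fmt.Println("tampered image verifies:", VerifyImage(pub, tampered, sig))

	// ...but the genuine, correctly signed image still carries these.
	fmt.Println("vulnerable libraries in signed image:", FindVulnerableLibs(image))
}
```

The signature check and the library scan answer different questions: the first is about provenance and integrity of the update, the second about what the vendor chose to link into it. A loader that only performs the first will happily flash an image whose bundled libraries are years behind their upstream fixes, which is why the page argues for host-based defense in addition to signing.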
The scientific evidence, quantitative analysis and the proof of concept HP-RFU vulnerability exploitation presented in this paper demonstrate the importance of introducing effective host-based defense into vulnerable embedded devices.
To read this external content in full, download the complete article from the authors’ article archives at Columbia University.