HP is calling an “industry first” by launching a print security bug bounty program providing rewards up to $10,000. It’s backed by Bugcrowd, a crowdsourced security platform that manages bug bounties, vulnerability disclosures, and more. The program will focus on bugs related to printers, which can be an entry point for hackers.
“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” Shivaun Albright, HP’s Chief Technologist of Print Security, said in a statement. “HP is committed to engineering the most secure printers in the world.”
According to HP, researchers participating in the program will report their findings directly to Bugcrowd. HP will evaluate any vulnerability that was already unearthed by the company and may reward the researcher “as a good faith payment.” Bugcrowd will verify all submitted bugs and reward researchers according to the severity of the flaw.
Why would hackers choose a printer as their attack vector? In the home or corporate environment, it can be connected directly to the local network and even shared across the internet. Even more, they could contain confidential data in memory as they print sensitive documents. In the case of 3D printers, hackers could steal prototype designs.
To make the problem more severe, the printer is typically the last device you’d think would be susceptible to hackers. Homes and corporation alike place the PC at the top of the security list, but flaws in printer software and firmware can enable hackers to access sensitive data stored in the printer – not in the PC – from another location on the network.
Hackers have various ways they can attack and even use a printer, such as installing a chip that can forward information to a remote location. They can bypass the authentication process that controls access to the device, modify the data residing in the printer’s memory, or create malware on a personal device that connects to the printer and gains access to the entire network.
“Multi-Function Printers can be hacked by concentrating on security problems from most of the brands,” reports Infosec. “In most printers, when we search the address (not technical) http://your-printers-ip:9100, it will not lead to any location, but it reads a print job. It gives a request for root document by https. This gives access to the LCD display, through which the attacker enters. This proves no need of any tools or code for access.”
That’s where HP’s new program comes in. Researchers can hunt down potential problems, have the vulnerabilities verified, and get rewarded for their effort. A report released by Bugcrowd claims that the firm saw more than 37,000 bug submissions over the past year, 69 percent of which were actually valid. That’s a 21 percent increase over the vulnerabilities discovered last year.
Unfortunately, HP and Bugcrowd aren’t pointing to an actual page where researchers can find more information. Instead, they point to HP’s Printer Device Security page where you can learn more about HP’s “secure” printer portfolio.
