TL;DR: In the scope of academic research on printer security, various
vulnerabilities in network printers and MFPs have been discovered.
This is advisory 6 of 6 of the `Hacking Printers' series. Each
advisory discusses multiple issues of the same category. This post is
about putting printers out of their misery and destroying the NVRAM
through ordinary print jobs. The attack can be performed by anyone who
can print, for example through USB or network. Given enough time, it
can even be carried out by a malicious website, using cross-site
printing techniques (see
http://hacking-printers.net/wiki/index.php/Cross-site_printing).

=====================[ Physical NVRAM Damage ]========================

-------------------------[ Affected Devices ]-------------------------

Various printers are likely to be affected as the vulnerability is
based on PJL, a generic printing language supported by most laser
printers. The vulnerability has been verified for the devices listed
below:

- Brother MFC-9120CN (Firmware version: K.1.06)
- Brother DCP-9045CDN (Firmware version: G.1.10)
- Konica Minolta bizhub 20p (Firmware version: 3.11)
- Lexmark E360dn (Firmware version: NR.APS.N645)
- Lexmark C736dn (Firmware version: NR.APS.N644)
- Dell 5130cdn (Firmware version: 201402240935)
- Dell 1720n (Firmware version: NM.NA.N099)
- HP LaserJet M2727nfs (Firmware version: 20140702)

Vendors informed: 2016-10-17

--------------------[ Vulnerability Description ]---------------------

Long-term settings for printers and other embedded devices are stored
in non-volatile memory (NVRAM) which is traditionally implemented
either as EEPROM or as flash memory. Both components have a limited
lifetime (at least about 100,000 write cycles).
However, PJL print jobs themselves can change long-term settings like
the number of copies:

----------------------------------------------------------------------
@PJL DEFAULT COPIES=X
----------------------------------------------------------------------

Doing this many times on purpose can lead to physical destruction of
the NVRAM. By continuously setting the long-term value for the number
of copies (with different values for X each time) for 24 hours, eight
out of twenty tested printers indicated a corrupt NVRAM:

The Brother MFC-9120CN, the Brother DCP-9045CDN and the Konica bizhub
20p showed error code E6 (EEPROM error), but everything worked fine
after a reboot.

The Lexmark E360dn and the Lexmark C736dn became unresponsive and
showed error code 959.24 (EEPROM retention error). After a restart,
both devices recovered but only accepted between a dozen and several
hundred long-term values to be set until the same behaviour could be
observed again.

The Dell 5130cdn, the Dell 1720n and the HP LaserJet M2727nfs
completely refused to set any long-term values anymore.

Note that PostScript also allows an attacker to write to the NVRAM
using ordinary print jobs by setting values like /WaitTimeout or
/StartJobPassword using the `setpagedevice' operator. This can even be
done in a PostScript program loop, making things extremely fast...

-------------------------[ Proof of Concept ]-------------------------

A Python-based proof of concept software entitled Printer Exploitation
Toolkit (PRET) has been published. The attack can be reproduced as
follows:

$ git clone https://github.com/RUB-NDS/PRET.git
$ cd PRET
$ ./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> destroy
Warning: This command tries to cause physical damage to the
printer NVRAM. Use at your own risk. Press CTRL+C to abort.
Starting NVRAM write cycle loop in... 10 9 8 7 6 5 4 3 2 1 KABOOM!
Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave?
[... wait for about 24 hours ...]
I'm afraid. I'm afraid, Dave. Dave, my mind is going...
NVRAM died after 543894 cycles, 18:46:11

-----------------------[ Further Information ]------------------------

Information on this bug/feature of PJL and PostScript can be found at:
http://hacking-printers.net/wiki/index.php/Physical_damage
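
Added example (not part of the original advisory and not PRET code): a
check a print server or spooler filter could run on each raw job to
count the long-term writes described above, `@PJL DEFAULT` commands
and the PostScript keys /WaitTimeout and /StartJobPassword. The
function name scan_job, the threshold max_pjl_writes and the sample
jobs are assumptions constructed for this illustration.

```python
import re
from collections import Counter

# "@PJL DEFAULT <var>=<value>" writes a long-term setting (the advisory's
# vector). A command starts a line or directly follows the UEL job marker.
PJL_DEFAULT = re.compile(
    rb"(?:^|\x1b%-12345X)[ \t]*@PJL[ \t]+DEFAULT[ \t]+([^=\r\n]+?)[ \t]*=",
    re.I | re.M)
# PostScript keys the advisory names as NVRAM-backed; matched by name only.
PS_NVRAM_KEYS = re.compile(rb"/(WaitTimeout|StartJobPassword)(?![A-Za-z0-9])")


def scan_job(job: bytes, max_pjl_writes: int = 2) -> dict:
    """Count persistent-setting writes in one raw print job.

    max_pjl_writes is an assumed policy threshold, not from the advisory.
    """
    pjl = Counter(m.group(1).decode("ascii", "replace").upper()
                  for m in PJL_DEFAULT.finditer(job))
    ps = Counter(m.group(1).decode("ascii")
                 for m in PS_NVRAM_KEYS.finditer(job))
    reasons = []
    total = sum(pjl.values())
    if total > max_pjl_writes:
        reasons.append(f"{total} PJL DEFAULT writes in one job")
    # A PostScript loop can repeat one write many times from a single
    # occurrence in the source, so any hit is reported.
    if ps:
        reasons.append("PostScript references " + ", ".join(sorted(ps)))
    return {"pjl_writes": dict(pjl), "ps_keys": dict(ps),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample jobs (not captured traffic).
UEL = b"\x1b%-12345X"
NORMAL_JOB = (UEL + b'@PJL JOB NAME="report"\r\n@PJL SET COPIES=2\r\n'
              b"@PJL ENTER LANGUAGE=PCL\r\n...page data...\r\n" + UEL)
WEAR_JOB = UEL + b"".join(b"@PJL DEFAULT COPIES=%d\r\n" % n
                          for n in range(1, 6)) + UEL
PS_JOB = b"%!PS\n<< /WaitTimeout 30 >> setpagedevice\n"

if __name__ == "__main__":
    for name, job in (("normal", NORMAL_JOB), ("wear", WEAR_JOB),
                      ("ps", PS_JOB)):
        print(name, scan_job(job))
```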