Fixing rogue printers: don't trade one security threat for another
Researchers at Columbia University recently demonstrated that many HP printers can have their firmware reprogrammed by specially crafted print jobs. This is a real and serious security threat: now that printers have a lot of the same functionality as computers, like network connectivity and built-in storage, they can carry out similar attacks against systems that they're connected to. They can also do physical harm. At the very least, a compromised printer can waste any ink and paper you give it. At worst, malicious programming could turn it into a fire hazard.
Unfortunately, some people are advocating a cure worse than the disease. They suggest that these printers should only run code signed by the printer manufacturer. If this sounds familiar to you, there's a good reason: the same issues we discussed around PCs' Secure Boot feature Microsoft is pushing for Windows 8 Compatibility are all involved here too. Hardware that only installs or runs signed code can offer useful security, but only if the hardware's owner has the final say over which signing keys are and aren't accepted. If that control lies with someone else—like the printer manufacturer—then it's not a security feature at all. Rather the opposite: if the owner can't even decide what software to run, then they have no security, and the feature isn't Secure Boot but Restricted Boot.
This is just as true for printers as it is for PCs. Thanks to efforts like the Seeing Yellow campaign, we already know that printers have tracking features that buyers don't ask for or want. Businesses have been publicly embarrassed after they sold printers that still had sensitive information saved on internal storage, but it's often difficult to figure out how to erase that—it might not even be possible. These are all security problems too, and they exist today because major components of the printer software are proprietary. Without the freedom to study, modify, and distribute this software, owners have often learned about these problems the hard way, and would have to assemble their own replacement software from scratch—a laborious undertaking—to try to address them. Printers that only run code signed by the manufacturer exacerbate those problems by taking away one avenue owners might use to fix them in the future.
Merely restricting a printer to installing or running software signed by the manufacturer deprives the owner of both security and freedom. It might end one specific threat, but only at the much greater cost of leaving the printer's security policies under the manufacturer's control. The way to give printer owners real security—security from rogue print jobs and manufacturer antifeatures alike—is for them to have the freedom to study, modify, and replace the software the printer runs.