Startup Offers to Protect Printers, Phones, and Other Devices from Hackers

The first device running the defensive code, a Cisco IP phone, will be unveiled this week.
February 21, 2013

To most people, office printers are innocuous workplace gathering points—places to complain about the ever-disappearing toner or that colleague who apparently loves killing trees. To Ang Cui, they are high-value targets that give hackers a way to breach sensitive systems and steal trade secrets.

Red Balloon Security, a startup cofounded by Cui, has developed technology that can protect such equipment from hackers. This involves watching for signs of tampering with the low-level code—or firmware—that runs on these devices. The company plans to demonstrate the first device injected with the defensive code, a Cisco IP phone, this week.

“Printers are low-hanging fruit,” says Cui, a 30-year-old PhD student at Columbia University, who has demonstrated numerous techniques for hacking into printers and other office hardware. “Most firmware was written a decade ago, when attacks against them weren’t envisioned,” he says.

Ordinary office equipment is increasingly computerized and connected to the corporate network. Office phones, for example, are often networked, allowing calls to be rerouted and voice-mail messages to be e-mailed. This hardware represents an attractive target for hackers, but because the machines were never perceived as a potential vulnerability, there is no way to run conventional antivirus software on them.

In late 2011, Cui showed how sending carefully crafted commands to a Hewlett-Packard LaserJet printer could give an attacker remote control over the machine, thereby providing a way to collect sensitive data and sneak past normal corporate security measures. Cui scanned the Internet for vulnerable printers and found 201 unprotected machines at the Department of Defense. HP was prompted to release firmware updates for 56 different printer models.

Millions more machines, including routers, network switches, and industrial equipment, rely on the kind of embedded software that Cui’s work focuses on. “The issue about printer vulnerabilities is but the tip of the proverbial iceberg,” says Salvatore Stolfo, Cui’s advisor at Columbia and a cofounder of Red Balloon Security.

The startup is refining an idea Cui came up with in 2009, when he created so-called symbiote code, which can be added to firmware to modify it without disrupting its normal behavior. Once meshed with the firmware, this code can help prevent a malicious attack.

Last year, Cui demonstrated an automated way to unpack and modify firmware, making it easier to add this symbiote code to different types of hardware. The researchers plan to release more details of the technology later this month. “We’re not ‘installing’ symbiotes into embedded devices in the traditional sense, like you install a program onto your laptop,” Cui explains. “We are modifying the actual binary of the embedded program itself.”

The symbiote code modifies a machine’s firmware in a random way, which means that “what an attacker may learn about one instance of a specific device will not be useful to attack the entire set of such devices,” says Stolfo. “As it now stands today, any exploit an attacker develops for a particular embedded device works for all of those devices.”

Red Balloon’s cofounders say they have contracted with several companies and U.S. government agencies but have not disclosed who they are working with; the startup doesn’t have a formal relationship with Cisco for now.

“There’s probably interest in this technology from the military, governments, and banks concerned about state-connected authors using malware as a launching-off point to carry espionage and steal trade secrets,” says Justin Cappos, a systems security professor at NYU-Poly’s Department of Computer Science. But he adds that vendors will need to feel that demand justifies the extra cost of hardening devices across their product lines.

Widespread adoption will hinge on whether manufacturers like HP believe the technology will help them sell more printers. “I’m not sure if your typical end user would be worrying about their printers being remotely ‘hackable,’” Cappos says.
