HP LaserJet Pwned By Hackers Gets Turned Into An AC/DC Cranking Boombox
It's easy to think of hackers in the colloquial sense as being the enemies of society. People who break into computer systems and sabotage electronics to gain control of them or steal data; how could someone like that be of benefit to society at large? The answer is that a great many so-called "hackers" are in fact security experts who know from experience where to look for security holes, and are also often consulted for help in closing them.
These "white hat" hackers hunt for security holes and application exploits, then report them to vendors to claim bug bounties, but some vendors are either unwilling to pay for such services or are simply difficult to contact. Back in 2005, Trend Micro set up the Zero Day Initiative for exactly that reason. It's a group that works with security researchers to identify "zero-day" vulnerabilities in tech products and then act as an intermediary with the vendors to see them fixed.
The Zero Day Initiative sponsors multiple yearly events called Pwn2Own, where hackers gather to make time-limited attempts to exploit specific products. This year's event in Austin was the largest-ever, with 58 total entries from 22 different security teams. Contestants have 30 minutes to deploy their exploit and gain unapproved privileges, remote code execution, or other unauthorized access to their targets.
The Initiative has a list up on its blog of all of the entries and their results, and there's some good stuff in there, but by far the most entertaining result has to be F-Secure Labs' 11:00 submission on Thursday where the three experts hacked an HP Color Laserjet Pro MFP M283fdw and turned it into a jukebox, playing AC/DC's "Thunderstruck" through its tiny (and tinny) speaker. You can see/hear a brief clip of that in action, in the tweet below...
(Sound On) Confirmed! The team from @FSecureLabs used a stack-based buffer overflow to take over an HP LaserJet and turn it into a jukebox. Their efforts earn them $20,000 and 2 Master of Pwn points. #Pwn2Own https://t.co/3kqn5Cr7Y4
— Zero Day Initiative (@thezdi) November 4, 2021
Other targeted devices at this year's Pwn2Own event include NAS devices from WD, routers and home gateways from Netgear, Cisco, and TP-Link, printers from Canon and Lexmark, the Sonos One speaker, and notably, Samsung's Galaxy S21 smartphone. All of these devices were running the latest firmware and security patches, yet all of them were hacked.
Not to worry, though; the ZDI doesn't disclose or publish the exploits used. Instead, it will contact the vendors and make sure these holes are closed up as soon as possible. The contestants took home a total of $886,250 among them, with French security team Synacktiv claiming the "Masters of Pwn" trophy this year by earning some $197,500 and fully 20 points in the competition.
Not to worry, though; the ZDI doesn't disclose or publish the exploits used. Instead, it will contact the vendors and make sure these holes are closed up as soon as possible. The contestants took home a total of $886,250 among them, with French security team Synacktiv claiming the "Masters of Pwn" trophy this year by earning some $197,500 and fully 20 points in the competition.
