Researchers at Columbia University claim to have discovered a security vulnerability in “tens of millions” of HP LaserJet printers that could allow a remote hacker to install malicious firmware.
In a demonstration of the physical damage that could be done by the hack, Columbia researchers Professor Salvatore Stolfo and Ang Cui showed how a compromised PC could tell a hacked printer to continually heat up a component, eventually causing paper to turn brown and smoke.
"In that demonstration, a thermal switch shut the printer down - basically, causing it to self-destruct - before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc." – Source: MSNBC
The chances of printers being used as firestarters may be overhyped – but there are genuine security concerns raised by the vulnerability.
[youtube=http://www.youtube.com/watch?v=w-otgRCx6rA&w=500&h=311&rel=0]
In another demonstration, Cui showed how printing a tax return on a compromised printer could lead to the information being sent to a second computer under the control of a hacker. The second PC then scanned the document for sensitive data and published it to a Twitter feed.
How would a printer be compromised? The most obvious way would be by tricking a computer user into printing a booby-trapped document, but if a printer is configured to accept jobs via the internet then the firmware could be updated with a malicious version remotely, without the printer’s owner necessarily realising.
According to the researchers, Hewlett Packard’s LaserJet printers check to see if a firmware upgrade is included in the data being sent to them everytime they receive a print job.
But, crucially, the printers do not look for a digital signature to verify the firmware update’s authenticity opening the door for attackers to install malicious code onto the devices.
According to MSNBC, who broke news of the vulnerability, HP claims that since 2009 their LaserJet printers have required digitally signed firmware updates and the researchers must have used older models.
The researchers, however, maintain that they bought one of the hacked printers in September at a major office supply store in New York City.
Regardless of whether HP is right that newer LaserJet printers are protected against the vulnerability or not, it’s clear that there may be many devices which are potentially at risk of attack.
HP says it is currently investigating the issue and that it is too early to say which products are affected or what consumers should do about it.
Update: HP has now issued a press release pouring cold water on the claims that printers might catch fire, and advising that it is working on a firmware upgrade to resolve the security vulnerability. Read what Naked Security’s Paul Ducklin has to say on the developing story in “FLAMING RETORT: Putting out the HP printer fires”.
Hat tip: Bob Sullivan, MSNBC’s Red Tape Chronicles.