HP LaserJet printers at risk of fiery hacker attack

Filed Under: Data loss, Malware, Privacy, Vulnerability

Printer on fireResearchers at Columbia University claim to have discovered a security vulnerability in "tens of millions" of HP LaserJet printers that could allow a remote hacker to install malicious firmware.

In a demonstration of the physical damage that could be done by the hack, Columbia researchers Professor Salvatore Stolfo and Ang Cui showed how a compromised PC could tell a hacked printer to continually heat up a component, eventually causing paper to turn brown and smoke.

"In that demonstration, a thermal switch shut the printer down - basically, causing it to self-destruct - before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc." - Source: MSNBC

The chances of printers being used as firestarters may be overhyped - but there are genuine security concerns raised by the vulnerability.

In another demonstration, Cui showed how printing a tax return on a compromised printer could lead to the information being sent to a second computer under the control of a hacker. The second PC then scanned the document for sensitive data and published it to a Twitter feed.

How would a printer be compromised? The most obvious way would be by tricking a computer user into printing a booby-trapped document, but if a printer is configured to accept jobs via the internet then the firmware could be updated with a malicious version remotely, without the printer's owner necessarily realising.

According to the researchers, Hewlett Packard's LaserJet printers check to see if a firmware upgrade is included in the data being sent to them everytime they receive a print job.

But, crucially, the printers do not look for a digital signature to verify the firmware update's authenticity opening the door for attackers to install malicious code onto the devices.

According to MSNBC, who broke news of the vulnerability, HP claims that since 2009 their LaserJet printers have required digitally signed firmware updates and the researchers must have used older models.

The researchers, however, maintain that they bought one of the hacked printers in September at a major office supply store in New York City.

Regardless of whether HP is right that newer LaserJet printers are protected against the vulnerability or not, it's clear that there may be many devices which are potentially at risk of attack.

HP says it is currently investigating the issue and that it is too early to say which products are affected or what consumers should do about it.

Update: HP has now issued a press release pouring cold water on the claims that printers might catch fire, and advising that it is working on a firmware upgrade to resolve the security vulnerability. Read what Naked Security's Paul Ducklin has to say on the developing story in "FLAMING RETORT: Putting out the HP printer fires".

Hat tip: Bob Sullivan, MSNBC's Red Tape Chronicles.

, , , , , , ,

You might like

One Response to HP LaserJet printers at risk of fiery hacker attack

  1. Tom Stone · 869 days ago

    The other and much more pervasive problem is that almost all network printers are shipped with snmp enabled. Moreover, the default snmp put strings are either set to public or without a community string entered at all. I have seen large corporations and university campuses that could be completely disabled by simply changing IP addresses on printers to that of the default router or to the address of a mission critical server. There is no error checking mechanism on those networked printers to prevent duplicate IP addresses. You could also change the MAC address as well.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.