Yesterday, Naked Security wrote about a flaming war of words that seemed to have broken out between Columbia University and HP.
As MSNBC rather breathlessly asked, “Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire?”
[Update. As made clear in the comment below by An Cui, one of the Columbia researchers, there is no war of words between the University and HP. It just seemed that way.]
Smoke and fire certainly make good hacking headlines.
Charlie Miller got advance publicity by the wheelbarrowful for his 2011 Black Hat talk – he showed how the embedded microcontroller in MacBook batteries works – by sneaking the words ‘overcharging’ or ‘fire’ into his abstract.
And recent claims that a hacker broke into a US water treatment plant and burned out a pump by repeatedly turning it on and off made headlines worldwide.
So where does that leave your HP printer? Is it ready to combust at a remote hacker’s whim?
The truth is: almost certainly not.
With health and safety regulations being what they are in most developed countries – especially HP’s home turf, the USA – it would be surprising indeed if your printer could be tricked through software alone into malfunctioning in this way.
The facts are much more mundane than the headlines.
MacBook batteries have a physical safety fuse; the burned-out pump immediately raised an alarm (and may simply have been a burned-out pump after all); HP printers have a thermal cutout which cannot be overridden in software.
As HP stated in a no-punches-pulled press release earlier today:
HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or [the researchers' claimed] vulnerability.
That’s that for the fire, then. But is there anything more we can learn from this heated narrative?
Firstly, security researchers should be more circumspect about how they position their research in the media, and what conclusions they allow hacks to reach when their work is publicised.
I’m sure The Columbia University Intrustion [sic] Detection Systems Lab (that’s the spelling they use in the title of their web page) are delighted at the coverage they’ve had. But they might have better served the public if they’d objected to the author rather glibly adding a rider to his report saying, “the researchers believe other printers might be used as fire starters.”
[Update: the ‘Intrustion’ typo is now fixed!]
Secondly, technology writers should be more circumspect about the conclusions they invite the public to reach.
If the researchers genuinely are of the opinion – a word, incidentally, better suited to scientific reports than belief – that other printers on the market could become fireballs, then they will have supporting evidence, and the writer ought to have seen it, surveyed it, and mentioned it.
Thirdly, companies caught in security cross-fire – as HP was in this case, since the story actually makes it clear that HP’s overheating safeguard performed correctly in the demonstration – ought to aim for greater clarity in their media releases.
HP responded quickly, which is commendable, but the company’s PR statement is vague and dismissive about the underlying vulnerability – which is much more of a story than the unlikelihood of printers going up in flames.
Apparently, older HP printers allow unsigned firmware upgrades to be embedded into print jobs and accepted over the network. This does represent a risk, and it isn’t a good idea to allow firmware updates to be deployed so easily. But HP’s release only talks about “the potential security vulnerability,” without any suggestion of what sort of vulnerability is meant.
In many ways, HP has made things worse with its strongly-worded release.
Security observers with an overall interest in this issue must now be asking themselves, “Is there something else in there that we don’t know about?” That leaves them well short of being able to reach a final conclusion.
I’ve said it before, when RSA was breached earlier this year, so I may as well say it again.
Three words for security commentary. Promptness. Clarity. Openness.