There’s a serious security vulnerability on some HP LaserJet printers.
The good news is that it’s been patched. The bad news is that you don’t know if your HP LaserJet printer needs the fix – because HP hasn’t told you.
Late last year, owners of HP LaserJet printers were warned that their confidential data could be at risk, because of a security vulnerability in the devices.
Researchers at Columbia University demonstrated to reporters that it was possible for remote hackers to install malicious firmware on certain HP printers, without the owner necessarily realising that they were under attack.
Although there was speculation that affected printers could also be fire hazards, that fear appears to have been overhyped – but there were genuine security concerns raised by the vulnerability.
Here’s a video where the researchers discuss their discovery:
The good news is that HP snuck out a fix for affected printers on December 23, 2011. The bad news is that HP customers have no easy way of knowing if they might need it or not.
The normal convention for companies disclosing a flaw is to document which products are affected and what the risks are if the vulnerability is not patched. That, after all, is useful information for customers and helps them decide whether they need to take action.
HP, however, hasn’t provided any details in its press release about which printers are impacted by the vulnerability – which means that you don’t know whether your printer needs the new firmware or not. (Note that the fix is a firmware update installed on the printer itself, not a driver update on your PC.)
Instead, HP recommends that LaserJet owners visit www.hp.com/support and select “Drivers”.
Imagine the millions of people who could waste their time looking for an update when their printer may not require one. Wouldn’t it have been easy and much *better* for HP to have been a little more open about which of their products suffer from the security issue?
My suspicion is, sadly, that HP’s lack of information and low key response to the security vulnerability will simply mean that many LaserJet owners will be blissfully unaware that they could be at risk, and won’t look for a security update.
Be honest – if you have an HP LaserJet, have you gone looking for a firmware update since December 23rd?
Update: Many thanks to Naked Security’s superb readership, who have managed to dig out a list of affected printers on HP’s website. Of course, it would have been nice if it had been a little easier to find, or linked to from HP’s press release. Never mind, HP. Naked Security’s readers have done the job for you.
16 comments on “HP patches printer firmware flaw, but leaves customers guessing”
No, I haven’t looked for an update since 23 December. I wouldn’t be surprised if my printer has the flaw, since it is always very temperamental when it comes to connectivity.
I wonder if I need to worry and need to find a new driver. 🙁
HP did publish a list, but the new firmware isn't available for any of the models. I searched for the new firmware for more than 10 of the LaserJet printers and I couldn't find the "secure" firmware anywhere. Here is the list: http://h20000.www2.hp.com/bizsupport/TechSupport/…
Unfortunately… this is the first I'm hearing of this!! Which means I should probably start looking for an updated driver, since I do in fact own an HP LaserJet. I do think it is a bit ridiculous that HP could not give their customers a decent "heads up" and decided to be all vague and nonchalant over the whole ordeal… way to drop the ball, HP!! 🙁
I checked the version a few minutes ago, but there are no updates. I wish HP would simply list the affected printers (model numbers).
I received an email today at 6:30am EST:
"HP Support Alert!
HP LaserJet Pro CM1415 Color MFP Series
HP LaserJet Pro CP1525 Color Printer Series
HP LaserJet Pro M1536 MFP Series
A free firmware upgrade is required to keep your ePrint and Print Apps service working. Please go to: www.hp.com/go/eprint to download the newest firmware and continue using your ePrint solution. If you do not complete the upgrade, your ePrint and Print Apps may not work after Hewlett-Packard has finished a service upgrade on 1/15/2012. All other product features will continue to work as before. If you have questions, please contact HP Support at http://www.hp.com/support/contacthp."
Definitely not urgent sounding, or indicative of a security problem!
Whoa there. Updating the driver (which is installed on your computer) does not patch the firmware on an HP Laserjet printer! Firmware is patched with HP Web Jetadmin or by using the printer's web interface. Also I have never seen firmware on HP's web site in the "drivers" section.
In some cases it can: at least one of the updates for the CM2320 will, without any confirmation, proceed to update the printer’s firmware if it is out of date.
Our IT guy was a bit “wtf” when it happened.
The main problem I see with HP is that it can already be a huge time-waster identifying which drivers work best for which of their models, especially in a diverse corporate network environment.
A quick review of this page illustrates that issue:
Now which driver did I pick to get that LaserJet working in the first place?
HP PCL 6 Driver (non-UPD)
HP LaserJet Plug and Play package
Host-based Print/Scan Plug and Play
HP LaserJet Basic Print and Scan
HP LaserJet Host-based Basic Driver
Alternate Windows Vista driver option (select models only)
Windows Vista driver in compatibility mode (select models only)
Then if all else fails, there is their Universal Print Driver package
Who's using what? Does anyone need Postscript? What functionality is used beyond simply printing? Will updating a driver affect customized printing preferences or defaults? Don't forget the shared drivers for other OSs. What if some printers are locally installed in my environment and not shared? Do I have all that accurately documented?
In short, upgrading an HP driver can be a very very long way removed from "Go to the HP website and click on drivers."
So I agree — a list of affected devices would have been extremely useful. But even then, how do I know that my device is vulnerable with the driver choice I used?
Even better perhaps, releasing firmware upgrades for affected models so the problem could be fixed below the driver level would have been a much more practical fix for us mere customers.
It's probably every LaserJet ever invented, so they don't want the embarrassment; they just tell all users generally to update their firmware. 😛
There's a list of affected HP printers at https://h20565.www2.hp.com/portal/site/hpsc/publi…
(in case the link breaks, it's HP document HPSBPI02728 SSRT100692).
Some have the patched firmware, while others require the owner to disable remote firmware updates (which might itself require a firmware update that will not patch the flaw by itself).
They apparently didn't cite this in their press release. Whether that was intentional or bad internal communication is anyone's guess.
Good find! Well done. Maybe HP should offer you a job. 🙂
It's not a driver flaw, it's a firmware flaw. It affects all LaserJets, too, so that may be why there are no specific models listed.
Also, enterprise networks have tools to update the firmware of their printers over the network. I did it all in 2 hours for 156 printers.
Still, HP doesn't clarify anything about a flaw this big? We see why no one really wants to purchase their products anymore.
I've never bought an HP printer. Never will…
What they neglect to mention to you is that, after this urgent firmware update, some functions will cease to operate as they had up to that point.
When you complain and request some assistance, they will offer to help you for a mere $39. Or you may take it to a local service center.
Tell me how a company can release a firmware update to repair its own security flaw, alter functions that had been working up to that point, then request payment to fix the issue?!?
After having spent $400 on the printer, plus at least $1000 on toner over the last 16 months, I doubt I will ever be purchasing an HP product again. This is, at the very least, incompetence, or at worst, extortion.