Sign in with
Sign up | Sign in

HP Issues Firmware to Address Printer Vulnerability

By - Source: HP | B 4 comments

HP has updated the firmware to its LaserJet printers to address a security flaw discovered by Columbia University last month.

Last month researchers at Columbia University discovered a new class of security flaws that could allow hackers to remotely control printers over the internet. The discovery even indicated that hackers could cause actual physical damage to the device by heating up its fuser to dangerous levels, possibly causing a fire.

The exploit made known in the report was based on HP LaserJet printers that allow firmware upgrades through a "Remote Firmware Update" process. Because the printers don't verify the source, and because firmware updates don't come packed with a signature, anyone can send a virus-laden document to the printer which would instruct the printer to erase its current firmware and install a malware-laced version. Hackers can even do this on printers configured to accept print jobs via the Internet.

Once news of a potential hacker-ignited fire began to circulate, HP quickly retaliated to the Columbia University finding, stating that a potential fire stemming from a firmware change was false. "HP LaserJet printers have a hardware element called a 'thermal breaker' that is designed to prevent the fuser from overheating or causing a fire," HP said in a statement. "It cannot be overcome by a firmware change or this proposed vulnerability."

"While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access," the company added. "The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade."

As promised, HP has finally released a firmware upgrade to mitigate the security issue. The company also said that as of December 23, no customer reports of unauthorized access have been reported. "HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers," HP said in a statement.

To update your HP LaserJet firmware, head here and select Drivers. Additional printer security information is available at www.hp.com/go/secureprinting.

Display 4 Comments.
This thread is closed for comments
  • 1 Hide
    Anonymous , December 28, 2011 11:51 AM
    I guess the kids at Columbia exposed their security flaws.
  • 1 Hide
    jhansonxi , December 28, 2011 3:46 PM
    This isn't the first time HP printers have been hacked. There were JetDirect exploits 10 years ago.
  • 2 Hide
    freggo , December 28, 2011 4:55 PM
    Yeah, hacking printers could be the next big thing for spammers.
    Think about it, you come to the office in the morning and find a neatly printed stack of coupons for Canadian Viagra on you laser printer tray. :-)
  • 0 Hide
    casand , March 1, 2012 5:35 AM
    HP printers have been hacked many times , there is any security options for that
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter