Hackers Could Trigger Your Printer to Overheat (or Worse)
Your HP LaserJet printer could be a likely target by hackers intent on creating physical damage, not just financial damage.
Researchers at Columbia University have discovered a new class of security flaws that could allow hackers to remotely control printers over the Internet. Even more, hackers could cause actual physical damage to the device by continuously heating up the printer’s fuse.
"The problem is, technology companies aren't really looking into this corner of the Internet. But we are," said Columbia professor Salvatore Stolfo, who directed the research in the Computer Science Department of Columbia University’s School of Engineering and Applied Science. "The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited."
The exploit made known in the report was based on HP LaserJet printers that allow firmware upgrades through a "Remote Firmware Update" process. The problem is that the printers don't check the source of the update software, and the firmware update itself doesn't even come packed with a digital signature to authenticate its source. That said, anyone can send a virus-laiden document to the printer which would instruct the printer to erase its current firmware and install a malware-laced version. Hackers can even do this on printers configured to accept print jobs via the Internet.
"It's like selling a car without selling the keys to lock it," Stolfo said. "It’s totally insecure."
Researchers have quietly worked on the firmware issue over the last few months, funded by a series of government and industry grants. Federal agencies were told about the exploit in a private briefing two weeks ago. HP said that it was just told about the problem last week, and is currently reviewing the details. So far the company disputes the firmware problem as being "widespread," claiming that, in most cases, the likelihood that the vulnerability can be exploited in the real world is low.
"Until we verify the security issue, it is difficult to comment," he said, adding that the firm cannot say yet what printer models are impacted. However the researchers claim the problem affects tens of millions of printers and other embedded systems that uses a similar firmware update method.
Mikko Hypponen, head of research at security firm F-Secure, seems floored over the lack of a signature or certificate of authenticity in HP's firmware updates. "How the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?" he complained. "Printers have been a weak spot for many corporate networks. Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact."
HP claims that the company's newer printers do in fact require digitally signed firmware upgrades, and have since 2009. The company also insists that the printers in question are older models, yet it wouldn't specify what those vulnerable printers actually are. The researchers retaliated by saying they purchased one of the printers back in September at a major New York City office supply store.
HP's Official Response
This is HP's official response (via MSNBC):
Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding
potential for devices to catch fire due to a firmware change is false.HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.
While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.
HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.
HP will continue to educate customers about security risks and the features available to address them, and take proactive steps to maintain the security of devices in the field. HP Imaging and Printing Security Solutions work directly at the device and on the network to protect information at rest and in motion, and to prevent unauthorized access.
- Another Siri Clone Arrives on Android: Cluzee
- RIM's BlackBerry Fusion Will Support Android and Apple iOS
- Apps and Games to Get Rated for Violence, Sex, Drugs
- Cyber Monday Sales Skyrocket By 33 Percent
- Is Apple Terribly Undervalued? A Fund Manager Thinks So
- Apacer Reveals "World's Fastest" microSDXC Card
- Riot Police Called in for Blackberry Launch in Jakarta
- More Details on GameStop's Streaming Service Revealed
- Asus Transformer Prime Coming December 8th?
- Lenovo Reveals Plans for 3 Tablets, Smartphone, Smart TV
- Grooveshark Had Employees Upload Illegal Music
- Acer, Lenovo Quad-Core Tablets Coming in Q1
- Apple, RIM, Samsung, HTC Sued Over Mobile Displays
- Scorsese: I'd Consider Going 3D-only for My Movies
- Researchers Find That Not All Androids Are Equally Secure
- Google Nukes Black Horizontal Nav Bar for Pull-Down Menu
- Firefox 8 Could Be Coming to the Kindle Fire Soon
- Microsoft Gives a Taste of Mango on iPhones and Androids
- Print Your Own Robot: A Consumer 3D Printing Service
potential for devices to catch fire due to a firmware change is false.
As if they'd recognize a hack versus hardware just failing...
My printer is always off. Saves power. Oh, yeah...and a hacker would be much better off faxing black paper to you. Ink is expensive a hell!
It's called Toner Bombing. People find internet connected printers (or a printer within the network) and they send a massive amount of prints in full page, pure black.
University of Waterloo had it happen on campus just a while back.
I don't know if this will ever be released, but I want a copy of this exploitative program.
Not to hack printers (though that would be good for a laugh), but for personal use.
Why? Because then I can buy one of these printers, flash it and urn it into an all-in-one "internet device". Then make the firmware available to others so they can do the same.
Printer, routing device, firewall, automatic downloader (though you'd also have to have a NAS device to save those files to), wireless AP (some printers have wireless NICs), scanner/copier (some, not all)- all available from any device you can think of, anywhere in the world.
I mean- you have to buy these devices separately.
Why not just make them into separate modules and sell that as the definitive Internet device?
Printers don't overheat, they just revert to their true nature, as they are designed in hell.
Suprised the researchers didn't realize that HP's laserjet printers have a physical breaker to prevent overheating.
Printers don't overheat, they just revert to their true nature, as they are designed in hell.
Um....ok?
As if they'd recognize a hack versus hardware just failing...
and when it comes to HP products its harder to recognize something like that
Could a hacker also...say get control of ur CPU frequency control? And maybe overclock your ur cpu/gpu so high that it burns out?
@guru_urug
That attack concept is already 5 years old. And to burn stuff up you need to modify voltages, not frequencies.
By the way- they had a virus that deleted the BIOS of a machine in 1998.
Printers don't overheat, they just revert to their true nature, as they are designed in hell.
Um....ok?
http://theoatmeal.com/comics/printers
So then.. They won't be changing my current printers "functionality" by much then will they..
InkJet ftw.. Unless they send me a rainbow coloured page, this ink is expensive as hell..
seemingly lame research...anyway this is what i found interesting in the article:
1) HP promptly responded to the findings, acknowledging problems and at the same time said "hey, your research is crap" where it was deserved.
2)
weren't those claimed to be "safer" than windows? lol.
What sort of hacker would actually do it?
What sort of hacker would actually do it?
No one, because they can't really. (see HP's reply)
@guru_urugThat attack concept is already 5 years old. And to burn stuff up you need to modify voltages, not frequencies.By the way- they had a virus that deleted the BIOS of a machine in 1998.
I don't know if this will ever be released, but I want a copy of this exploitative program.Not to hack printers (though that would be good for a laugh), but for personal use.Why? Because then I can buy one of these printers, flash it and urn it into an all-in-one "internet device". Then make the firmware available to others so they can do the same.Printer, routing device, firewall, automatic downloader (though you'd also have to have a NAS device to save those files to), wireless AP (some printers have wireless NICs), scanner/copier (some, not all)- all available from any device you can think of, anywhere in the world.I mean- you have to buy these devices separately. Why not just make them into separate modules and sell that as the definitive Internet device?
LOL classic
I'd be most worried about a hacked firmware that echoes print jobs over the network to anyone wanting to listen. I'm sure there are plenty of corporate/government documents that potential hackers would love to get their hands on.
Easy prevention: simply unplug the printer when not in use.