4 comments

1 Bob Dillon  Tue, Nov 29, 2011 3:14:48pm

[Link: www.dailytech.com...]

HP: Printers Will Stop Themselves Before Hackers Set Them On Fire

Company admits vulnerability exists, but claims it only affects Macs and Linux machines

Hewlett Packard Comp. (HPQ) fired back after MSNBC covered recent research on a "devastating" printer-driven attack. Conducted by Columbia University, the research showed HP printers being forced to overheat after being exploited via a malicious firmware update. The HP printer in the test attack did overheat but did not catch on fire as the thermal breaker shut down when it sensed the internal temperature rise. Thus the paper was browned, indicating high temperature near-combustion reactions, but no full combustion and no blaze.

HP was upset, apparently at the Columbia University researchers' claim that some HP printers might lack the thermal breaker and completely catch on fire. They were also upset about the allegation that Windows users might be vulnerable to the exploit. The attack was done on a Linux machine, and HP states that it believes that only Macs and Linux machines are vulnerable to the attack.

HP writes to us in a tersely worded email:

Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.

HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.

While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

HP will continue to educate customers about security risks and the features available to address them, and take proactive steps to maintain the security of devices in the field. HP Imaging and Printing Security Solutions work directly at the device and on the network to protect information at rest and in motion, and to prevent unauthorized access.

In other words, HP admits that its printers could, in theory, be taken over by hackers, but it doesn't believe that to have happened yet and it doesn't believe its printers are capable of catching on fire in this sort of takeover scenario.

While most of its commentary does sound about right, there's a couple of outstanding issues here. First, HP suggests that "HP LaserJet printers have a hardware element called a 'thermal breaker'."

The issue here is the word "have", as in the present tense. It is unclear when this became standard across HP's lineup. We're reaching out to HP to find out.

...

2 Velvet Elvis  Tue, Nov 29, 2011 3:57:33pm

What Linux and Macs have in common when it comes to printing: CUPS.

3 Political Atheist  Tue, Nov 29, 2011 6:11:24pm

re: #1 Bobibutu

I would think they are right about the breaker. Of course any part like that can fail under repeated stress.

Past that I don't believe HP. The email is very defensive. Firstly, they have no way of knowing if this hack has happened or not. You would have to pull the chips and test them one by one from each suspected incident. Since they believe this has not happened, hey why test? The effect is so deep in the system even users would have no clue, hence no reports. Since they claim to "believe" something they have no way of confirming, they are just wish casting and spinning.

4 eightyfiv  Wed, Nov 30, 2011 6:40:07am

These breakers are absolutely vanilla-standard. The reason is that the threat exists even without malicious hackers. What if the firmware finds reason to turn the fuser on and then hangs before turning it off, maybe due to a bug, maybe due to interference (cosmic rays, EMI, etc.)? What if the relay controlling fuser power sticks in the on position?

Years ago, I took apart the fuser from a LaserJet 6p, I think it was. It had *two* thermal protective elements in series, one an auto-resetting breaker and the other a one-shot thermal fuse. (The fuse had blown, breaking the printer.)


This page has been archived.
Comments are closed.
