Comment

Millions of printers open to devastating hack attack, researchers say

1
Bob Dillon11/29/2011 3:14:48 pm PST

dailytech.com

HP: Printers Will Stop Themselves Before Hackers Set Them On Fire

Company admits vulnerability exists, but claims it only affects Macs and Linux machines

Hewlett Packard Comp. (HPQ) fired back after MSNBC covered recent research on a “devastating” printer driven attack. Conducted by Columbia University, the resarch showed HP printers being forced to overheat after being exploited via a malicious firmware update. The HP printer in the test attack did overheat but did not catch on fire as the thermal breaker shut down when in sensed the internal temperature rise. Thus the paper was browned, indicating high temperature near-combustion reactions, but no full combustion and no blaze.

HP was upset, apparently at the Columbia University researchers’ claim that some HP printers might lack the thermal breaker and completely catch on fire. They were also upset about the allegation that Windows users might be vulnerable to the exploit. The attack was done on a Linux machine, and HP states that it believes that only Macs and Linux machines are vulnerable to the attack.

HP writes to us in a tersely worded email:

Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.

HP LaserJet printers have a hardware element called a “thermal breaker” that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.

While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

HP will continue to educate customers about security risks and the features available to address them, and take proactive steps to maintain the security of devices in the field. HP Imaging and Printing Security Solutions work directly at the device and on the network to protect information at rest and in motion, and to prevent unauthorized access.

In other words, HP admits that its printers could, in theory, be taken over by hackers, but it doesn’t believe that to have happened yet and it doesn’t believe its printers are capable of catching on fire sort of takeover scenario.

While most of its commentary does sound about right, there’s a couple of outstanding issues here. First, HP suggests that “HP LaserJet printers have a hardware element called a ‘thermal breaker’.”

The issue here is the word “have”, as in the present tense. It is unclear when this became standard across HP’s lineup. We’re reaching out to HP to find out.