A team of Columbia researchers say they've discovered an exploit involving the embedded systems found in printers in which hackers can gain control of the device and rewrite the firmware without anyone knowing, and then use that to steal information or potentially cause printers to catch fire.
MSNBC says that the research team first discovered the vulnerability using an HP LaserJet printer, but believes this problem extends to virtually any printer connected to the internet or linked to an internet-connected computer. Researchers claim the printer can be easily taken over and controlled by hackers if a user prints a document with a virus hidden within.
Printer security flaws have long been theorized, but the Columbia researchers say they've discovered the first-ever doorway into millions of printers worldwide. In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer's fuser – which is designed to dry the ink once it's applied to paper – eventually causing the paper to turn brown and smoke.
In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.
The researchers believe that it's nearly impossible to rid a printer of malware once it is infected (short of taking out the embedded components entirely), and are making tech doomsday predictions that the entire world will have to throw their old printers out (which will almost certainly never happen). HP, for their part, says that these vulnerabilities are popping up on older printer models, and that newer devices have firmware with more stringent security measures built-in. Maybe this is why they want webOS on their printers so bad.
Update: HP responds to the claims, acknowledging the vulnerability and promising a firmware update soon, but playing down the threat, claiming that their hardware is designed to not catch fire and that no incidents have been reported as of yet.
HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.
While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.
HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.