Researchers from Columbia University have demonstrated a security flaw found in, but perhaps not limited to, HP printers which can actually lead to fires. The exploit allows hackers to reprogram printers with custom firmware, giving the attacker full control of printer functions. As a result, the hacker can continually heat a laser printer's fuser until paper begins to burn, MSNBC reports.
Update: HP has released an official statement debunking Msnbc's claim that printers can be set ablaze remotely, although smouldering paper appears to still be a possibility.
"Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false."
"HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers"
Columbia professor, Salvatore Stolfo, and fellow researcher, Ang Cui, stumbled upon the flaw after reverse engineering a HP printer driver. Whenever HP printers receive a print job, the device checks for a special set of flags which indicate whether or not the print job is actually a firmware update. If the printer determines what it is receiving is a firmware package, the device will upgrade its embedded software accordingly. Since there is no security of any kind on HP printers older than 2009, the device openly accepts such packages from any source.
It is important to note that according to Keith Moore, Chief Technologist at HP's Printer division, all of the company's printers dating back to 2009 now include digital signing to prevent this type of exploit. Researchers say that still leaves tens of millions of devices vulnerable.
The lack of security found on older devices opens the door for any savvy hacker to send customized firmware to a printer, allowing them the freedom to do virtually anything to it. Unscrupulous individuals could then render a user's printer useless, waste their toner or overheat the device as they see fit. This can all be done remotely by simply gaining access to the user's computer, perhaps through a virus, leaving little recourse.
Ang Cui remarked:
"If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective. Once you own the firmware, you own it forever. That’s why this problem is so serious, and so different,” Cui continued, "This is nothing like fixing a virus on your PC."
Despite the proprietary nature of HP's update process, there is no reason to believe that other manufacturers may not succumb to a variation of this same design flaw. There is currently no word on whether or not this could be an issue for other printer makers.
This issue is reminiscent of another exploit discovered this summer in Apple laptops, allowing hackers to destroy li-ion batteries via unsecured firmware.
