HP sued over LaserJet printer security flawBy Lee Kaelin 7 comments
Last week researchers at Columbia University demonstrated a security flaw in certain Hewlett Packard LaserJet printers that, if exploited, could lead to them catching fire. The team also pointed out that the flaw might not be limited to just HP branded printers.
HP hit back almost immediately with an official statement saying, "there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false."
Interestingly, despite the denial, HP went on to confirm that they were building a firmware upgrade to "mitigate" the issue. Thus, it's probably safe to assume there is an issue serious enough to warrant an immediate patch, and perhaps the initial report isn't quite "sensational and inaccurate" as HP would lead you to believe.
The publicity surrounding the news has resulted in a lawsuit filed with the District Court in San Jose, Ca., whereby HP stands accused of knowingly selling its LaserJet printers with a security flaw that could be exploited to steal data, take control of networks and cause physical damage by overheating the printers.
The plaintiff, David Goldblatt of New York, said he would never have purchased his two printers had he been aware of the flaw. Goldblatt alleges HP broke California laws designed to protect consumers and those that prohibit fraudulent or deceptive business practices. He is seeking a class-action status for the lawsuit.
According to Cnet, the suit claims, "as a result of HP's failure to require the use of digital signatures to authenticate software upgrades, hackers are able to reprogram the HP Printers' software with malicious software without detection." Adding that, "once the HP printers' software is maliciously reprogrammed, they can be remotely controlled by computer hackers over the Internet, who can then steal personal information, attack otherwise secure networks, and even cause physical damage to the HP printers, themselves."
Digital signatures have been present from around 2009 onwards, but that still leaves a considerable number of pre-2009 LaserJet printers in service currently unprotected. HP also said the printers in question have a thermal breaker designed to prevent the fuser (which dries the ink) from overheating. This, they said, could not be overcome by firmware changes or the proposed vulnerability.
HP was invited to comment but declined saying the company does not comment on pending litigation.