HP Printers Remotely – HP is investigating a claim that essentially any LaserJet printer the company made before 2009, about 100 million have been sold since 1984, could be remotely instructed to catch fire, according to a report on MSNBC.com.
Researchers at Columbia University, under a series of government and industry grants, have shown that the printers can be remotely controlled by hackers over the Internet, allowing them to not only steal information but even cause physical damage.
In one demonstration, Columbia professor Salvatore Stolfo and colleague Ang Cui showed how a hijacked system could be sent commands that would overheat the printer’s fuser, causing the paper to brown, smoke, and sometimes even catch fire.
Researchers believe the vulnerability could have widespread implications. “The research on this is crystal clear,” Stolfo told MSNBC.com. “These devices are completely open and available to be exploited.”
Every time a HP printer accepts a job, it checks for software updates. Since LaserJet printers manufactured before 2009 don’t verify the source of the update, nefarious hackers can easily intercept these requests and implant their own “updates”, a flaw that left security experts aghast.
“First of all, how the hell doesn’t HP have a signature or certificate indicating that new firmware is real firmware from HP?” said Mikko Hypponen, head of research at security firm F-Secure, when told of the flaw.
“Printers have been a weak spot for many corporate networks,” Hypponen told MSNBC.com. “Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact.”
“Until we verify the security issue, it is difficult to comment,” Keith Moore, chief technologist for HP’s printer division. told MSNBC.com.