Hewlett-Packard has refuted what it called "sensational and inaccurate reporting" suggesting hackers could use a newly discovered security vulnerability to spark a fire in some HP LaserJet printers.
Even the Columbia University researchers who discovered the security flaw said today they were not able to set a printer on fire.
The researchers do believe the vulnerability could potentially be used to disable printers and steal personal information.
HP acknowledges a security problem, but says no customers have reported unauthorized access to its printers. The company is working to close the hole.
The Columbia researchers found HP's printers contain a flaw that can allow hackers to remotely take control of the devices.
"Any modern printer has a computer inside of it. That computer runs software which is as vulnerable as the computer inside a PC. We found a way to completely re-write the printer's software to do bad things. We were trying to inject security to prevent it from being attacked when we found this major flaw," says Columbia professor Salvatore Stolfo, the researchers' director.
A report on MSNBC.com suggested the flaw could be used to give a printer "instructions so frantic that it could eventually catch fire."
The researchers don't agree. "We were not able to make the printer go on fire. That wasn't the purpose of the research. There is a thermal switch. When the printer reached a critical temperature, it cuts the power," Stolfo explained. "It's not the hardware, it's the software that's the problem."
In its news release, Hewlett-Packard noted that all of its LaserJet printers have a "thermal breaker" that prevents overheating. The company said the hardware protection "cannot be overcome by a firmware change or this proposed vulnerability."
The MSNBC.com report said that in a demonstration, the printer did shut itself down before a fire started, "but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc."
HP said it is working to remove the vulnerability. "HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers."
The revelation here is that printers can be remotely controlled over the Internet. As HP recommends, a firewall is the best way to restrict access to authorized users only. You'll need a password to access it, thus blocking access from the World Wide Web.
If you're using a corporate computer, your server likely has a firewall between it and the Internet. The strength of the firewall on these and other printers, however, is still an open question.
"Printers belong to a class of single-purpose devices, which are ubiquitous. While there is embedded software in them, there is no anti-virus that runs on them. Embedded systems are inherently insecure. The industry should pay attention," adds Stolfo.