Hewlett Packard’s LaserJet printers have security flaws that can allow attackers to steal data, take over systems and gain access to commands that can cause the hardware to overheat or even catch fire, according to two Columbia University researchers. They added that printers from other brands most likely share the same vulnerabilities and thus expose users to identical threats.
MSNBC first reported on the findings of Professor Salvatore Stolfo and fellow security researcher Ang Cui of Columbia University’s Computer Science Department, part of the School of Engineering and Applied Science.
The flaw was found in the Remote Firmware Update process of HP’s LaserJet printers. According to Stolfo, weak authentication measures allow the printers to be fooled into accepting modified firmware from anyone who has access to the device.
HP responded to the report by saying that the researchers’ claims were “sensational and inaccurate.” The company said that it had found a “potential security vulnerability” in a number of its printers but that there were no reports from customers of unauthorized access. HP also denied that the flaw could allow attackers to set the printers on fire, pointing to built-in safety mechanisms that prevent such an occurrence.
Stolfo said that the tested printers did not require firmware updates to be digitally signed. This means that anyone can command the printer to delete its existing operating software and overwrite it with a malicious version. Once hackers have control over the printer, they can rewrite the software to make a reset impossible.
To compromise the printer, an attacker needs to send it a maliciously crafted print job, which can be delivered either with direct access to the device or remotely via the Internet. Hackers can steal documents or use the compromised device to attack other computers attached to it.
The researchers tested three LaserJet models: the LaserJet 3800 series, the LaserJet 203x/205x and the LaserJet 4005. The vulnerability findings were the same for all three models.
HP said that it is working on a firmware update to address the issue. It downplayed the threat and said that the speculation about devices catching fire because of a firmware change is false. The company further explained that thermal breakers in the hardware prevent the printers from overheating or causing a fire.




