Security Flaw in HP Laserjets Uncovered by Columbia University Researchers November 30, 2011 12:00 by Mike Derges

A HP LaserJet PrinterResearchers at Columbia University have been working with Laserjet printers for a few months and believe they’ve uncovered a large security flaw with potentially huge effects. After talking with government agencies a fortnight ago and contacting HP last week the researchers went public yesterday through MSNBC.com.

In a demonstration the Columbia researchers tricked a printer into overheating it’s fuser unit causing it to smoke and turn the paper brown before an internal thermal switch tripped and the printer shut down to avoid a fire. This however was only the flashy part of the hack before the researchers talked about the much more serious implications of the flaw.

Firstly the method by which the group got their own code to run has raised several eyebrows. HP’s (and possibly other manufacturer's) machines check for software updates each time the take a print job. The problem arises because the affected machines don’t verify where an update has come from. This could allow an attacker to install his own firmware on a machine, what’s worse is that this malicious software may be able to resist legitimate firmware updates.

Columbia professor Salvatore Stolfo and his fellow researcher Ang Cui also showed how an identity thief may use the exploit. Once his infected printer printed a document it would send the file on to another machine. This would then scan the document and if it found any critical information (in the demonstration Cui used a social security number but any piece of data would be easy to extract) it would print it to a twitter feed. If a hacker had mischief in mind however it would be extremely easy to send an update to a printer that simply altered some values rendering it unusable.

Disputing the claims, Chief technologist for HP Keith Moore explained that while HP were taking the situation seriously their own research had indicated that the potential for an attack was much lower than the researchers had suggested. First he suggested that the printers used were older models (although the researchers claim that they purchased new printers over the counter in September). He also spoke about the reporting of the issue pointing out that “No customer has reported unauthorized access” and that there had been no evidence to several commenter's claims that the HP printers would catch fire.

While completely correct about the claims of fire being greatly exaggerated just because no hacks had been reported to HP doesn’t mean they’re not taking place. Mr Cui said in his initial statement that the firmware would be hard to detect, believing that the printer would have to be taken apart and the chip examined, not exactly the task that anyone who owns what appears to be a healthy printer will undertake.

The Columbia group are currently expanding their research into other printers and we’ll keep you up to date as more information surfaces. If you'd like to read more the full story is available here and the statement from HP can be found here.

Share

Call the ink experts on 0844 414 4141 We accept all major credit and debit cards

Ordered from us before? Log in!

Go to Checkout

Version: 2.5.10