Biz & IT —

HP printers can be remotely controlled and set on fire, researchers claim (updated)

Security researchers at Columbia University have accused HP of selling …

Security researchers at Columbia University have accused HP of selling printers with a flaw that could let hackers gain remote control over the devices. Once compromised, the access can be used to steal personal information, attack networks, and even set printers on fire by feeding them a continuous stream of instructions designed to heat them up.

The researchers, funded by government and industry grants, reported the flaw to federal officials and HP this month, and gave a demonstration to MSNBC, which has an extensive article on the subject today. HP told MSNBC that it is reviewing the details, but denied that the problem is as extensive as claimed by Columbia PhD student Ang Cui and Professor Salvatore Stolfo.

Cui and Stolfo say they can remotely install malicious software onto HP LaserJet printers because the printers accept software updates without examining digital signatures, and check for updates each time they accept a print job. "In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser—which is designed to dry the ink once it’s applied to paper—eventually causing the paper to turn brown and smoke," according to MSNBC. "In that demonstration, a thermal switch shut the printer down—basically, causing it to self-destruct—before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc."

The researchers also showed how a hacked printer can be forced to send tax forms and other sensitive documents to criminals, and said the flaw could also be used to disable printers by the thousands. Printers hooked up to computers could also be used to launch attacks and join botnets, they say. Cui tells Ars that such an attack "can be sent though several vectors, the USB connection [from a printer to a computer] is one of them. Once the malware is on the printer, the printer itself can become part of a botnet, or can be controlled by malware on the host PC, or can potentially be used to attack the PC, etc."

However, HP Chief Technologist Keith Moore disputed many of the researchers' claims. In an interview with MSNBC, Moore said HP's printers have required digitally signed firmware upgrades since 2009; that most home users have InkJet printers that do not allow remote upgrades; and that printers behind a firewall are not vulnerable to the flaw. The researchers, however, say models with the flaw are still being sold in major office supply stores.

Although the researchers' claims have caused HP to take notice, Cui and Stolfo have not yet published any research on the vulnerability. A search of the National Vulnerability Database does turn up other flaws in HP printers that could allow remote attacks. With regard to the newly discovered vulnerability, Stolfo tells Ars in an e-mail "the formal publication is in preparation but not yet available."

Update: An HP spokesperson acknowledged the security vulnerability revealed by the researchers, but denied that it could be used to start a fire under any circumstances. "Speculation regarding potential for devices to catch fire due to a firmware change is false," an HP spokesperson told Ars. "HP LaserJet printers have a hardware element called a 'thermal breaker' that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability."

HP says it is working on an update to mitigate against the vulnerability. In the meantime, it warns against leaving printers connected to the Internet without the benefit of a firewall and notes that printers on private networks could be compromised by firmware upgrade from a malicious party or a "corrupted print job" triggering a firmware upgrade in "some Linux and Mac environments."

Channel Ars Technica