This flaw was discovered in HP’s LaserJet printer series and could possibly be present in other brands as well. It seems that this flaw will allow hackers to steal personal information, destroy information and even cause physical harm and damage to those nearby.
For example the researchers demonstrated that a hijacked computer could be given instructions that cause the printer’s fuser to heat up, causing the paper to turn brown and smoke. In one instance it was demonstrated that hackers could even cause the printer to self-destruct and cause a fire if left unchecked.
It seems that this is achieved through an auto-update of firmware on the printers which is sent to the LaserJet. Unfortunately the lack of a signature or certification to indicate that it is a genuine update from HP has led to this security flaw. HP is currently investigating this issue and have said that it’s too early to announce which products have been affected or what consumers should do about it.
Update November 29 2011: HP has contacted us with a response to the Researcher’s results. Here it is:
“Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.
HP LaserJet printers have a hardware element called a “thermal breaker” that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.
While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.
HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.
HP will continue to educate customers about security risks and the features available to address them, and take proactive steps to maintain the security of devices in the field. HP Imaging and Printing Security Solutions work directly at the device and on the network to protect information at rest and in motion, and to prevent unauthorized access.
Additional information is available at www.hp.com/go/secureprinting“