HP: Printers Will Stop Themselves Before Hackers Set Them On Fire
November 29, 2011 4:50 PM
HP says its printers won't catch fire even if maliciously attacked by hackers-- not its current lineup at least. We're seeking clarification about whether all legacy models come with a thermal breaker.
Company admits vulnerability exists, but claims it only affects Macs and Linux machines
Hewlett Packard Comp. (
) fired back after
covered recent research
on a "devastating" printer driven attack. Conducted by
, the resarch showed HP printers being forced to overheat after being exploited via a malicious firmware update. The HP printer in the test attack did overheat but did not catch on fire as the thermal breaker shut down when in sensed the internal temperature rise. Thus the paper was browned, indicating high temperature near-combustion reactions, but no full combustion and no blaze.
HP was upset, apparently at the Columbia University researchers' claim that some HP printers might lack the thermal breaker and completely catch on fire. They were also upset about the allegation that Windows users might be vulnerable to the exploit. The attack was done on a Linux machine, and HP states that it believes that only Macs and Linux machines are vulnerable to the attack.
HP writes to us in a tersely worded email:
Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.
HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.
While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.
HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.
HP will continue to educate customers about security risks and the features available to address them, and take proactive steps to maintain the security of devices in the field. HP Imaging and Printing Security Solutions work directly at the device and on the network to protect information at rest and in motion, and to prevent unauthorized access.
In other words, HP admits that its printers could, in theory, be taken over by hackers, but it doesn't believe that to have happened yet and it doesn't believe its printers are capable of catching on fire sort of takeover scenario.
While most of its commentary does sound about right, there's a couple of outstanding issues here. First, HP suggests that "HP LaserJet printers
a hardware element called a 'thermal breaker'."
The issue here is the word "have", as in the present tense. It is unclear when this became standard across HP's lineup. We're reaching out to HP to find out.
Edit (6:09 p.m.) :
on printer repair indicates that series thermiresistors (aka the "thermal breaker") are standardly used in series with the fuser elements in printers. It's unclear what Columbia University/MSNBC meant by claiming that some models could be vulnerable to fire. It is possible that they were unaware of this design paradigm and still haven't figured it out.
The second issue is HP's portrayal of this as an attack that's only possible if the printer is a Linux/Mac machine "placed on a public internet" or the attempt is made by "a trusted party on the network". While this is technically accurate, it fails to mention that all it would take to carry out the assault on a local corporate network would be one hijacked Mac/Linux box with print permissions. The jacked box would be able to scan for local printers or looked at saved settings and ID target HP printers.
Depending on how tight the IT monitoring was, the attacker could even install a Linux partition or virtual machine on a Windows box to complete the attack, assuming no compromised Linux/Mac machines were available. Likewise with a Windows-connected internet printer, even if Windows itself was not vulnerable, an attacker could gain access to the system in other ways and then install a Linux partition and boot to it, accessing the printer in that manner.
Of course these attacks would require a fair level of sophistication, so it's hardly the kind of thing your average
SQL injection "script kiddies"
could pull off. At this point such attacks seem unlikely to happen, unlikely more so to happen very often. But there have been surprisingly sophisticated in-the-wild exploits in the past both from
private sector black hats
by nation state players
, and when you add in the potential for terrorism, it's not entirely unfeasible that an attack on an unpatched machine could occur, given HP's market prevalence as the world's biggest manufacturer of printers.
HP -- whether it likes it or not -- better react quickly with all its available partners to patch the issue on all legacy printers. Because god forbid if terrorists or cybercriminals
steal someone's identity or set their printer on fire via malformed firmware updates, HP would see worlds more negative PR than it's seeing now.
Thus while getting the right story out there is important -- and still a work in progress for
, HP, and Columbia University, all of whom are probing the full extent of this set of vulnerabilities -- it's equally important that story is out there. Because given the media scrutiny, the issue now becomes one HP is forced to fix immediately.
back in August reported that numerous HP Photosmart printers were subject to
potential remote attacks
by malicious users'. In its security advisory
Some vulnerabilities have been reported in multiple HP Photosmart printers, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, and manipulate certain data.
1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) An unspecified error in the webscan component can be exploited to disclose certain information.
3) An unspecified error in the SNMP component can be exploited to disclose or manipulate certain data.
this vulnerability for numerous models and has released a preventive firmware patch.
Firmware-level attacks have seen growing interest both in the black hat and cybersecurity ("white hat") communities, although attacks in the wild using such sophisticated exploits remain almost nonexistent.
"Spreading the rumors, it's very easy because the people who write about Apple want that story, and you can claim its credible because you spoke to someone at Apple." -- Investment guru Jim Cramer
"Devil Robber" Trojan Infects Macs, Leeches Their GPUs for Bitcoin Profit
November 1, 2011, 10:59 AM
U.S. Suspects Chinese Involvement in Satellite Hacks; China Denies Accusations
October 31, 2011, 12:06 PM
Nokia is the Victim of SQL Injection, Loses Developer Records
August 29, 2011, 8:37 AM
November 28, 2016, 1:01 AM
Iron Man Mechanical Keyboard
November 18, 2016, 2:28 AM
When you shop for a computer, consider what you need it for?
November 17, 2016, 1:00 AM
Here Goes Intel and AMD - Neck and Neck Again
November 14, 2016, 5:00 AM
Refurbished Desktops and More in Today’s Market
November 13, 2016, 5:00 AM
AMD Inspires Innovation Everywhere
November 12, 2016, 1:00 AM
Most Popular Articles
Sales Battle - Apple iPad Mini vs Samsung Galaxy Tab
November 29, 2016, 12:36 AM
PlayStation 4 Pro – 4K Console for 4K TVs
November 28, 2016, 1:00 AM
Phillips 55’ 4K Smart TV – Is This Really a Deal? We Think So.
November 25, 2016, 9:44 AM
Google Wi-Fi – A Scalable Wi-Fi Solution for any size Home or Apartment
November 30, 2016, 1:00 AM
PIQ ROBOTTM reveals its new artificial intelligence software
November 29, 2016, 12:59 AM
Latest Blog Posts
Dec 4, 2016, 5:00 AM
Dec 3, 2016, 5:00 AM
Dec 2, 2016, 5:00 AM
Surface Ergonomic Keyboard
Dec 1, 2016, 3:01 AM
Chapeconense plane crash: Football rallies around Brazilian Team
Nov 30, 2016, 1:00 AM
How to Extends Your iPhone’s Battery Life
Nov 29, 2016, 12:49 AM
Nov 28, 2016, 1:12 AM
News: Fidel Castro
Nov 27, 2016, 5:00 AM
Nov 26, 2016, 5:00 AM
Changes in Social status affect the way genes turn on and off within immune cells.
Nov 25, 2016, 5:12 AM
Austrian far–right hopeful Hofer may back EU vote.
Nov 24, 2016, 4:00 AM
Final Fantasy XV Leaked Before Nov 29 Launch Date
Nov 23, 2016, 1:00 AM
Nov 22, 2016, 2:26 AM
Nov 21, 2016, 1:00 AM
HTC Makes Big Moves in China
Nov 20, 2016, 2:00 AM
Do you know who is the number one company in the word?
Nov 19, 2016, 5:30 AM
Foldable Cardboard ”EcoHelmet” wins James Dyson Award’s Top Prize
Nov 18, 2016, 2:39 AM
Scientists Discover Roundest Object Ever Spotted in Universe
Nov 17, 2016, 1:00 AM
Smallest Device Lets You Print Almost from Anywhere
Nov 16, 2016, 9:32 AM
Cancer Screening in the Community Is there a link between Cancer and Poverty?
Nov 15, 2016, 8:00 AM
More Blog Posts
Copyright 2016 DailyTech LLC. -
Terms, Conditions & Privacy Information