HP has updated the firmware to its LaserJet printers to address a security flaw discovered by Columbia University last month.
Last month researchers at Columbia University discovered a new class of security flaws that could allow hackers to remotely control printers over the internet. The discovery even indicated that hackers could cause actual physical damage to the device by heating up its fuser to dangerous levels, possibly causing a fire.
The exploit made known in the report was based on HP LaserJet printers that allow firmware upgrades through a “Remote Firmware Update” process. Because the printers don’t verify the source, and because firmware updates don’t come packed with a signature, anyone can send a virus-laden document to the printer which would instruct the printer to erase its current firmware and install a malware-laced version. Hackers can even do this on printers configured to accept print jobs via the Internet.
Once news of a potential hacker-ignited fire began to circulate, HP quickly retaliated to the Columbia University finding, stating that a potential fire stemming from a firmware change was false. “HP LaserJet printers have a hardware element called a ‘thermal breaker’ that is designed to prevent the fuser from overheating or causing a fire,” HP said in a statement. “It cannot be overcome by a firmware change or this proposed vulnerability.”
“While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access,” the company added. “The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.”
As promised, HP has finally released a firmware upgrade to mitigate the security issue. The company also said that as of December 23, no customer reports of unauthorized access have been reported. “HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers,” HP said in a statement.