Researchers Hack Printers to Spread Malware, Catch Fire
A Hewlett-Packard LaserJet printer.
CREDIT: Joydeep/Creative Commons
UPDATED: This story was updated Wednesday morning with official comment from Hewlett-Packard.
Two researchers at Columbia University in New York say they've found a flaw in ordinary office printers that lets hackers hijack the devices to spy on users, spread malware and even force them to overheat to the point of catching fire.
"The problem is, technology companies aren't really looking into this corner of the Internet. But we are," Salvatore Stolfo, the Columbia professor overlooking the research, said to MSNBC's Bob Sullivan, who first reported the story.
Stolfo and his fellow researcher Ang Cui sent a Hewlett-Packard LaserJet printer various bogus firmware updates. One made the fuser overheat, causing the paper in the printer to yellow and smoke until the machine shut down.
When a tax return was sent to the printer as a print job, another bogus update secretly forwarded the document, complete with Social Security numbers, to a second computer.
"The research on this is crystal clear," Stolfo said. "The impact of this is very large. These devices are completely open and available to be exploited."
To be fair, printer vulnerabilities have been known for some time. In January, researchers at a hacker conference showed how Internet-connected printers could be hijacked to spread malware through office networks. More than a year ago, researchers showed that all-in-one printer-scanner hybrids could be made to post sensitive documents online .
The fuser-overheating flaw is similar to research recently done by Mac hacker Charlie Miller, who showed how bogus firmware upgrades to Apple laptop batteries could cause them to overheat as well.
Hewlett-Packard, which had been informed of the printer flaws before the Columbia researchers made them public, disputed that the problems were as bad as the researchers made them out to be.
"This is probably not as broad as what I had heard in their first announcement," Hewlett-Packard's Keith Moore told MSNBC. "It sounds like we disagree on what the exposure might be."
UPDATE: Hewlett-Packard answered what it called the researchers' "inaccurate claims" in a press release issued later Tuesday.
"Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers," the statement began. "No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false."
That's true, as indicated earlier in this story; HP's LaserJet printers have a built-in "thermal breaker" to shut down the machine if it gets too hot.
But the statement obliquely admitted there was a problem.
"HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted," it said. "In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers."