MSNBC is reporting a security flaw that could affect millions of HP LaserJet printers. According to Ang Cui and Salvatore Stolfo of Columbia University, the issue stems from the fact that the HP LaserJet printers tested do not require a signature or certificate to identify the source of remote software updates. Knowing this, Cui and Stolfo are able to exploit the fact that every time a LaserJet accepts a new job it checks for an included software update.
One demonstration by the duo involved infecting a printer through a virus-laden print job. A tax return sent to the infected printer was then surreptitiously forwarded to a remote computer posing as a hacker's workstation. A second, more alarming demonstration showed a hijacked computer sending instructions to continuously heat up the printer's fuser until smoke appeared and the printer's thermal switch shut it down.
While the flaw does not affect HP's InkJet printers commonly used in homes, millions of LaserJets sold to businesses since 1984 could be vulnerable. To make matters worse, a printer, which is almost always categorized as a trusted device, could be turned into a platform to launch attacks within corporate networks, a problem exacerbated by the advent of new HP printers that accept jobs from the Internet.
For its part, HP says that it's still reviewing the details of the vulnerability. While it can't confirm or deny the researchers' claims as of Monday, it disputes the claim that the vulnerability is widespread, suggesting that the ability to exploit such a flaw in the real world is likely low and that the flaw applies to older, pre-2009 printers that did not require digitally signed firmware. The researchers, however, say one hacked printer was purchased recently at a major New York City office supply store. HP was told about the vulnerability last week.