The Verge - HP LaserJet printer vulnerability: what you need to know

HP releases firmware fix for laserjet printer exploit

2011-12-24T20:18:01Z

Give HP kudos for timeliness: less than a month after Columbia University researchers shared a worrisome lack of security surrounding firmware updates on the company's line of laserjet printers, a fix is now available for affected models. If you'll recall, Ang Cui and Salvatore Stolfo made headlines by revealing that attaching a virus to a print job on a vulnerable device could provide full access to an intruder, allowing sensitive content to be intercepted and even giving those with the most malicious of intent a way to overheat the fuser within. For its part, HP steadfastly denied the possibility of fire or an explosion, assuring consumers that the built-in thermal breaker is there for the specific purpose of preventing such hazards....

HP confirms LaserJet vulnerability, promises firmware fix

2011-11-29T20:36:34Z

HP just issued a statement saying it "refutes inaccurate claims" made in today's MSNBC report detailing a vulnerability in LaserJet printers that was exploited by Columbia University researchers Ang Cui and Salvatore Stolfo. HP confirms that there's a potential vulnerability in LaserJet printers and promises a firmware update to "mitigate" the issues, but the company also says that "no customer has reported unauthorized access" and that it's not possible to set a fire by exploiting the vulnerability because of the printer's thermal control hardware.

What's more, while HP says it's possible for a specially formatted print job from Linux of Mac machines to trigger a malicious firmware update, the company doesn’t say anything about...

HP LaserJet printers pose massive security risk, say Columbia University researchers

2011-11-29T12:31:12Z

MSNBC is reporting a security flaw that could affect millions of HP LaserJet printers. According to Ang Cui and Salvatore Stolfo of Columbia University, the issue stems from the fact that the HP LaserJet printers tested do not require a signature or certificate to identify the source of remote software updates. Knowing this, Cui and Stolfo are able to exploit the fact that every time a LaserJet accepts a new job it checks for an included software update.

One demonstration by the duo involved infecting a printer through a virus-laden print job. A tax return sent to the infected printer was then surreptitiously forwarded to a remote computer posing as a hacker's workstation. A second, more alarming demonstration showed a hijacked...