Researchers at Columbia University say millions of HP LaserJet printers are vulnerable to infected print jobs. Ang Cui and Salvatore Stolfo demonstrated an exploit whereby the duo could send virus-laden print jobs to a recently purchased LaserJet to overwrite the firmware and take control of the printer. HP has confirmed the exploit but claims the risk is not as great as the original MSNBC story characterized it, and has promised a firmware fix.
HP just issued a statement saying it "refutes inaccurate claims" made in today's MSNBC report detailing a vulnerability in LaserJet printers that was exploited by Columbia University researchers Ang Cui and Salvatore Stolfo. HP confirms that there's a potential vulnerability in LaserJet printers and promises a firmware update to "mitigate" the issues, but the company also says that "no customer has reported unauthorized access" and that it's not possible to set a fire by exploiting the vulnerability because of the printer's thermal control hardware.
What's more, while HP says it's possible for a specially formatted print job from Linux or Mac machines to trigger a malicious firmware update, the company doesn’t say anything about Windows environments — which is obviously of great importance to the enterprise customers that most often deploy LaserJets. We'll see what happens next; HP is obviously taking this story very seriously.
One demonstration by the duo involved infecting a printer through a virus-laden print job. A tax return sent to the infected printer was then surreptitiously forwarded to a remote computer posing as a hacker's workstation. A second, more alarming demonstration showed a hijacked computer sending instructions to continuously heat up the printer's fuser until smoke appeared and the printer's thermal switch shut it down.
While the flaw does not affect HP's InkJet printers commonly used in homes, millions of LaserJets sold to businesses since 1984 could be vulnerable. To make matters worse, a printer, which is almost always categorized as a trusted device, could be turned into a platform to launch attacks within corporate networks, a problem exacerbated by the advent of new HP printers that accept jobs from the Internet.