Printer security flaw could allow remote arson attacks

Researchers at Columbia University have demonstrated a security flaw in Hewlett Packard (HP) printers that allows hackers to install their own firmware, potentially letting them access local networks - and even carry out remote arson attacks.

The problem lies in the fact that the printers look for a firmware update every time they receive a new job. However, there isn't much in the way of file validation of update files, making it possible for nefarious individuals to send their own malicious firmware.

In a demonstration of this security hole's potential, Salvatore Stolfo, the head of research at Columbia University's Computer Science Department, and researcher Ang Cui, showed how a hijacked computer could send instructions to a printer to continuously heat its fuser unit - the heated rollers that are used to bond toner particles to the paper - eventually leading to the paper turning brown and smoking.

Fortunately, the printer used in the demo had a thermal switch that shut the system down before any damage was done, but researchers believe that cheaper offerings without this safety feature could be used to start fires in real life.

The danger stems from the fact that many printers don't use a digital signature to verify the authenticity of any files received by the 'Remote Firmware Update' procedure that is initiated each time a print command is received, enabling malicious commands to be executed.

And with many printers now connected to a network and even the wider internet, such attacks could be carried our remotely. While arson attacks of the kind described appear a fairly remote threat, the increasingly complex nature of networked printers means there is plenty of potential for other hackers to use the devices to gain a foot in the door.

MSNBC quotes a number security professionals who express surprise that printer firms could be so lax with security surrounding their firmware update procedures. Chances are, they're also rather sheepish that they didn't spot the issue themselves...

“First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?” said head of research at security firm F-Secure, Mikko Hyponnen.

HP claims to have addressed the update problem years ago. Keith Moore, chief technologist for HP's printer division said that the issue was fixed in 2009, and that all printers developed and sold after that point require digital signatures for firmware updates.

Moore's assertion is called into question by the Columbia researchers, however, who claim that one of the printers tested was bought new from a major office supply store.

Moore added that the threat from hackers was not as widespread as claimed, with most people using inkjet printers, rather than lasers. Inkjets do not allow remote firmware updates.

HP's official line is that it is reviewing details of the vulnerability.