HP denies printer hack fire risk

Hewlett Packard has hit back at claims that hackers could use a firmware flaw in its laser printers to start fires, claiming such hyperbole is "sensational and inaccurate", while admitting that there is a security flaw to be resolved.

Researchers from Columbia University got the headlines they were after with claims that a remote firmware update procedure in selected models of HP printer could be fooled into installing a malicious update that would turn the laser printer into a remote-controlled firebomb.

For those who grew up in the days of dot matrix printers, the report seemed believable: several viruses existed that would burn out the motor in the printer, rendering it useless - but not starting a fire.

HP, naturally, has come to the defence of its printers, pointing out that newer devices check for signatures of firmware updates and that a thermal fuse built into every single LaserJet ever sold - a requirement for sale in the US or Europe - cuts the power before a laser would ever reach ignition temperatures.

"Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers," a company spokesperson explains in a somewhat tetchy press release. "No customer has reported unauthorised access. Speculation regarding potential for devices to catch fire due to a firmware change is false.

"HP LaserJet printers have a hardware element called a 'thermal breaker' that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.

"While HP has identified a potential security vulnerability with some HP LaserJet printers," the company spokesperson admits, "no customer has reported unauthorised access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

"HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers."

Sometimes, it seems, there can indeed be smoke without fire.