Researchers at Columbia University have identified a firmware security flaw in an unknown number of Hewlett-Packard (HP) printers that could potentially be exploited by hackers.
”The problem is, technology companies aren’t really looking into this corner of the Internet. But we are,” Columbia U professor Salvatore Stolfo told MSNBC.
“The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.”
Indeed, in one demonstration of an attack based on the flaw, a computer was given instructions to continuously heat up the printer’s fuser – eventually causing the paper to turn brown and smoke before a thermal switch shut the printer down.
Nevertheless, the researchers believe the printers could theoretically be used as fire starters – if hackers disable various safety protocols.
Stolfo says he’s managed to reverse engineer software which manages remote firmware updates. Unsurprisingly, a digital signature isn’t used to verify the upgrade software’s authenticity on some models, allowing hackers to install booby-trapped software or even re-install a rogue OS.
“It’s like selling a car without selling the keys to lock it… It’s totally insecure.”
Stolfo illustrated the dangerous potential of a malware infected unit by printing a tax return on a compromised infected printer, which in turn sent the tax form to a second computer playing the part of a hacker’s machine. The latter computer subsequently scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.
“I think it is very wise to broadcast the problem as soon as possible so all of the printer manufacturers start looking at their security architectures more seriously,” Stolfo said.
“It is conceivable that all printers are vulnerable. Printers that are 3-, 4-, 5-years-old and older, I’d think, all used unsigned software. The question is, ‘How many of those printers are out there?’ It could be much more than 100 million.”
Hewlett-Packard exec Keith Moore confirmed HP was taking the Columbia University research “very seriously,” but believes the chances of actual real world exploits are quite low.
“Until we verify the security issue, it is difficult to comment… [And] until we know things like whether Windows users are affected, whether this is a class or specific product issue, it is frankly irresponsible to say more.
“If this turns out to be the broad (problem) that’s being discussed… We will reach out to customers and get it fixed. We support our customers and value their trust.”
