Yesterday, we brought you the story of a team of Columbia University researchers who claim they have discovered a way that hackers could infiltrate any number of networked printers to do anything from stealing information to causing your paper to smolder and possibly catch fire. But the folks at HP, which was singled out in the report, have now come out to defend their product and refute the researchers’ claims.
In a statement posted on the HP website, the company calls the stories about the hacker loophole “sensational and inaccurate,” and points out that “No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.”
“HP LaserJet printers have a hardware element called a ‘thermal breaker’ that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.
“While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.
“HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.”
The researchers claimed they were able to create a virus that could infiltrate a printer’s firmware just by printing out a single document that appears harmless to the end user. They also say that, for printers where the firmware can be updated remotely via the internet, the printer could be hacked without actually printing anything.