Researchers: Some Printers Vulnerable To Hack Attack That Could Lead To Fire

It’s like something out of a movie starring Matthew Broderick. Researchers at Columbia University claim they’ve discovered a vulnerability that could let hackers remotely access your printer for nefarious hijinks, like making said printer go up in flames.

The Columbia eggheads have been probing the depths of printers, specifically those made by HP, for several months. They have already briefed the relevant federal agencies and the folks at HP about the problem.

The problem, the scientists claim, lies in the printers’ firmware. Many recently built printers are so multifunctional that they operate in much the same way a computer does, and are often connected to the internet, yet they do not have the same protection that a networked computer does.


[The researchers] say they’ve reverse engineered software that controls common Hewlett-Packard LaserJet printers. Those printers allow firmware upgrades through a process called “Remote Firmware Update.” Every time the printer accepts a job, it checks to see if a software update is included in that job. But they say printers they examined don’t discriminate the source of the update software – a typical digital signature is not used to verify the upgrade software’s authenticity – so anyone can instruct the printer to erase its operating software and install a booby-trapped version.

While all of these printers could be hacked simply by tricking someone into printing a document that contains the virus, those printers that are accessible via the Internet don’t require a dupe to print out the offending document.

“It’s like selling a car without selling the keys to lock it,” explains Columbia professor Salvatore Stolfo, who directed the research. “It’s totally insecure.”

“The problem is, technology companies aren’t really looking into this corner of the Internet,” said Stolfo. “The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.”

Stolfo and his team demonstrated that a hacker could remotely heat up a printer’s fuser, causing the paper to turn brown and smoke. A thermal switch caused the printer to turn off before it could truly catch fire, but the researchers believe that other printers are more vulnerable to going up in flames.

As for HP, the computer company said it hasn’t been able to confirm or deny the researchers’ findings. Regardless, HP “takes this very seriously.”

“Until we verify the security issue, it is difficult to comment,” the HP rep tells MSNBC.

UPDATE: HP has released a statement refuting the researchers’ claims.

Exclusive: Millions of printers open to devastating hack attack, researchers say [MSNBC]

Thanks to Harper for the tip!
