A class action lawsuit filed in U.S. District Court in California against Hewlett-Packard could have wide ranging implications for software makers, should the court agree with the plaintiff’s claim that the company violated the state’s consumer protection laws by failing to disclose a serious vulnerability in the software that runs some of its printers.
The suit was filed on December 1 on behalf of David Goldblatt, a New York resident who purchased two HP printers. The complaint alleges that Goldblatt would not have purchased the printers had he been aware of the defects. It alleges that HP does not require its printers to accept only digitally signed updates, opening the devices to malicious, remote updates that could give hackers control over the devices, which can be used to steal information, attack other computers on the same network as the printer or even cause physical harm to the printer hardware.
The lawsuit relies on recently published research by academics at Columbia University, who reported that security holes in HP firmware could be used to remotely attack and commandeer HP printers, and even cause the devices to spontaneously combust
HP has acknowledged the existence of a vulnerability in its firmware, but has vigorously denied the allegations by the Columbia researchers. The company claims that its printers come equipped with hardware – a thermal switch – that prevents them from overheating or bursting into flames.
Regardless of the veracity of the claims about printers bursting into flames, software security experts say that the case could have an enormous impact on the software industry, if a jury agrees with the plaintiff that HP had a duty to publicly disclose the security hole affecting its printer firmware. Writing on the Veracode All Things Security blog, Fergal Glynn noted a recent decision by a court in the UK in favor of a London hotel in a case alleging that defective hotel management software by the firm Red Sky cost the hotel money.
Amrit Williams, the Chief Technology Officer at Quantivo, a digital analytics firm, wrote on his blog that a ruling in the plaintiff’s favor would push legal responsibility for ensuring the security of software from customers back to vendors – and even to developers. While that’s a good thing, having the courts and legislatures suddenly put in the role of overseeing the security of software would be counter productive.
Williams sees a role for industry watchdogs like the PCI Council to start requiring software developers to adhere to “a base set of security processes and tools” if they want to handle high-risk operations like credit card transactions.
The issue of software application security is gaining more and more attention. On Wednesday, veracode released its State of Software Security report, which found that only 16% of more than 9,000 applications the company tested over the last 18 months passed a security audit on the first pass. Problems like SQL injection and cross site scripting were particularly common in Web based applications.
Williams notes that, historically, customers have borne the brunt of costs for shoddy products – both in lost productivity and for the purchase of additional tools to help protect and secure vulnerable applications.
