Columbia University researchers say tens of millions of printers may have flawed firmware that could allow hackers to remotely set fires, erase code and infiltrate computer networks, according to a report on MSNBC’s Red Tape Chronicles blog today.
Research conducted in the Computer Science Department of Columbia University’s School of Engineering and Applied Science claims that a flaw exists in some of Hewlett-Packard’s older printers and possibly other brands as well.
Specifically, the problem stems from the way many HP LaserJet printers handle firmware updates. The printer’s “Remote Firmware Update” function requires neither authentication nor a password, making it easy for hackers to hijack a machine.
Professor Salvatore Stolfo and fellow researcher/graduate student Ang Cui reportedly reverse-engineered the software for one printer and used the flaw to nearly set it on fire. In one demonstration, they remotely heated up the printer’s fuser until the paper turned brown and began to smoke, before the machine’s thermal switch triggered a stop.
In another demonstration, Cui printed a tax return and had a copy of it sent to a hacker’s computer. That computer then scanned the document for a social security number, found one and published it to a Twitter feed.
According to the report, Stolfo and Cui disclosed the flaws to federal agencies in a private briefing two weeks ago and notified Hewlett-Packard last week.
Looking ahead, however, Cui and Jonathan Voris, a doctoral student at Polytechnic Institute of NYU, are scheduled to demonstrate more of these vulnerabilities at next month’s 28th Chaos Communication Congress in Berlin. The two plan to show how a specific rootkit can monitor, intercept and manipulate incoming print jobs on HP P2050 printers, and to describe how widespread the vulnerability really is.
“We estimate that there exist at least 100,000 HP printers that can be compromised through an active attack, and several million devices that can be compromised through reflexive attacks,” claims a summary of the pair’s CCC talk, “Print Me If You Dare.”
As networked printers and other peripherals are increasingly connected to the Internet, it becomes less and less surprising that devices like printers and even computer mice can be hacked.