Published November 29, 2011
HP on Tuesday vigorously denied reports that LaserJet printers made before 2009 -- about 100 million have been sold since 1984 -- can be remotely instructed to catch fire.
Reports based on research by a team of Columbia University computer science professors claimed that HP's laser printers can be sent new software and even remotely controlled over the Internet. This could allow hackers not only to steal information but ultimately to cause physical damage and even fires, according to an MSNBC.com story.
HP called such reports "sensational and inaccurate."
"Someone had taken apart our printer to see if they could 'cook' something," Keith Moore, chief technologist for HP's printer division, told FoxNews.com. "Frankly they were unsuccessful."
"Speculation regarding potential for devices to catch fire due to a firmware change is false."
Columbia professor Salvatore Stolfo, one of the researchers who informed HP of the security flaw, said his team was able to brown a piece of paper -- but never burn anything. They conducted the test with one type of HP LaserJet.
MSNBC.com reported that the researchers believe other printers might be used as fire starters. Stolfo told FoxNews.com that's not quite true.
"Might it be possible? There are larger printers with more power, with higher voltage, that we haven't tested," he said, noting other models and manufacturers simply haven't been tested.
Stolfo and colleague Ang Cui showed MSNBC.com how a hijacked system could be sent commands that would overheat the printer’s fuser, causing paper in the printer to brown and smoke.
HP said that a hardware element called a "thermal breaker" would prevent the fuser from causing a fire, however -- and said this breaker cannot be overcome by a firmware change. Other printers may have a similar system, Stolfo said.
"I would presume … they probably have the same thermal switch. But it hasn't been tested so I can't say one way or the other," he told FoxNews.com.
"Frankly they're very expensive, and I didn't want to buy a printer just to succeed in burning it."
Key security issues exposed
Beyond the threat of fire, the researchers believe the key vulnerability they uncovered could have widespread implications.
Every time a printer accepts a job, it checks for software updates, the researchers discovered. Since LaserJet printers manufactured before 2009 don’t verify the source of that update, nefarious hackers can easily intercept these requests and implant their own “updates” -- a flaw that left security experts aghast.
“First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?” said Mikko Hypponen, head of research at security firm F-Secure, when told of the flaw.
There has been a sea change in security surrounding PCs, servers, and other office computers, Stolfo explained -- a change that hasn't happened for the printer market.
"There's nothing like that for the embedded system marketplace," he told FoxNews.com, lumping into that category digital thermostats, phones, networked printers, faxes and more.
"Hey, these are exploitable. They will be exploited, if they haven't already," Stolfo said.
HP did confirm the existence of a potential vulnerability, the main point of Stolfo and Cui's research, although the company downplayed the significance of the find.
"I wouldn't call it a security hole at all," Moore told FoxNews.com. "The attack required quite a lot of engineering" and it involved "unusual configurations," he said. (HP is nevertheless planning to update its laser printers.)
Stolfo disagrees. He claims this is a giant flaw, one probably common to other networked printers.
"I don't think this is going to be exclusive to HP … we just don't know." But HP must address the flaw, he said. And if the company does that swiftly and correctly, it will have solved a key IT security problem.
"If they get this right, they will be years ahead of other manufacturers," he said.