Could someone remotely hack into your printer, steal your personal information, and then set the device on fire? Yes, according to researchers who went public with a pretty startling proof of concept this morning.
As MSNBC reports, the Columbia University team, led by Professor Salvatore Stolfo, found HP's LaserJet printers can be remotely compromised through their automatic firmware update mechanism. If I understand correctly, the printers are designed to check each print job to see if it includes a firmware update. All hackers have to do is hijack that mechanism by sending a print job with a custom firmware. That can be done either locally or over the Internet, if the printer is configured to accept remote print jobs. The consequences can be dire:
In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.
In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.
Attacks can be more insidious, too. MSNBC says the researchers programmed one printer to intercept incoming tax forms and send them to another machine. That machine was able to extract Social Security numbers and post them to Twitter.
Now, HP Chief Technologist Keith Moore says LaserJet printers released after 2009 require firmware updates to be digitally signed, so only older models may be vulnerable. An HP spokesperson also told Ars Technica that, even when compromised, LaserJet printers can't catch on fire. A "thermal breaker" inside the devices prevents fires and "cannot be overcome by a firmware change or this proposed vulnerability," the spokesperson claims.
Still, the pool of vulnerable printers could be considerable. HP has reportedly sold 100 million LaserJet printers since 1984; untold numbers of them may still be in use today, and many could be open to remote attack over the Internet. The researchers claim an online scan yielded a whopping 40,000 vulnerable devices. Worst of all, they say hacked firmware would be "virtually impossible to detect" unless one took out chips and tested then manually, since no antivirus software currently has the right countermeasures.
Good thing this is only a proof of concept... for now.
|GeForce 385.69 drivers are Game Ready for a ton of titles||0|
|Thursday deals: big external drives, a sweet case, and more||3|
|Google acqui-hires 2,000 HTC employees for $1.1 billion||12|
|Some of AMD's next chips will arrive on GloFo's new 12LP process||21|
|The Tech Report System Guide: September 2017 edition||47|
|Intel shows off 10-nm Cannon Lake wafer and talks process tech||26|
|AOC Agon AG322QCX offers 32" of gaming goodness on the cheap||24|
|Aqua Computer Cuplex Kryos Next block is ready for Threadripper||8|
|Amazon's Kindle Fire HD 10 gets a meaty hardware upgrade||29|
|He's play on a typical English plural construction. In gaming, a multi-faceted object with numbers or characters on each face is a "die," while two or...||+29|