Could someone remotely hack into your printer, steal your personal information, and then set the device on fire? Yes, according to researchers who went public with a pretty startling proof of concept this morning.
As MSNBC reports, the Columbia University team, led by Professor Salvatore Stolfo, found HP's LaserJet printers can be remotely compromised through their automatic firmware update mechanism. If I understand correctly, the printers are designed to check each print job to see if it includes a firmware update. All hackers have to do is hijack that mechanism by sending a print job with a custom firmware. That can be done either locally or over the Internet, if the printer is configured to accept remote print jobs. The consequences can be dire:
In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.
In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.
Attacks can be more insidious, too. MSNBC says the researchers programmed one printer to intercept incoming tax forms and send them to another machine. That machine was able to extract Social Security numbers and post them to Twitter.
Now, HP Chief Technologist Keith Moore says LaserJet printers released after 2009 require firmware updates to be digitally signed, so only older models may be vulnerable. An HP spokesperson also told Ars Technica that, even when compromised, LaserJet printers can't catch on fire. A "thermal breaker" inside the devices prevents fires and "cannot be overcome by a firmware change or this proposed vulnerability," the spokesperson claims.
Still, the pool of vulnerable printers could be considerable. HP has reportedly sold 100 million LaserJet printers since 1984; untold numbers of them may still be in use today, and many could be open to remote attack over the Internet. The researchers claim an online scan yielded a whopping 40,000 vulnerable devices. Worst of all, they say hacked firmware would be "virtually impossible to detect" unless one took out chips and tested them manually, since no antivirus software currently has the right countermeasures.
Good thing this is only a proof of concept... for now.