Could someone remotely hack into your printer, steal your personal information, and then set the device on fire? Yes, according to researchers who went public with a pretty startling proof of concept this morning.
As MSNBC reports, the Columbia University team, led by Professor Salvatore Stolfo, found HP's LaserJet printers can be remotely compromised through their automatic firmware update mechanism. If I understand correctly, the printers are designed to check each print job to see if it includes a firmware update. All hackers have to do is hijack that mechanism by sending a print job with a custom firmware. That can be done either locally or over the Internet, if the printer is configured to accept remote print jobs. The consequences can be dire:
In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.
In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.
Attacks can be more insidious, too. MSNBC says the researchers programmed one printer to intercept incoming tax forms and send them to another machine. That machine was able to extract Social Security numbers and post them to Twitter.
Now, HP Chief Technologist Keith Moore says LaserJet printers released after 2009 require firmware updates to be digitally signed, so only older models may be vulnerable. An HP spokesperson also told Ars Technica that, even when compromised, LaserJet printers can't catch on fire. A "thermal breaker" inside the devices prevents fires and "cannot be overcome by a firmware change or this proposed vulnerability," the spokesperson claims.
Still, the pool of vulnerable printers could be considerable. HP has reportedly sold 100 million LaserJet printers since 1984; untold numbers of them may still be in use today, and many could be open to remote attack over the Internet. The researchers claim an online scan yielded a whopping 40,000 vulnerable devices. Worst of all, they say hacked firmware would be "virtually impossible to detect" unless one took out chips and tested then manually, since no antivirus software currently has the right countermeasures.
Good thing this is only a proof of concept... for now.
|1. Hdfisise - $600||2. Ryszard - $503||3. Andrew Lauritzen - $502|
|4. the - $306||5. SomeOtherGeek - $300||6. Ryu Connor - $250|
|7. doubtful500 - $200||8. Anonymous Gerbil - $150||9. webkido13 - $135|
|10. cygnus1 - $126|
|Nvidia recalls Shield Tablet due to battery fire risk||37|
|Friday Night Shortbread||92|
|Mozilla CEO protests Win10's default application setup process||124|
|Deals of the week: Samsung's 850 EVO 1TB for $310 and more||52|
|Report: new Google Glass is a clip-on model for businesses||14|
|14 million have upgraded to Windows 10 in its first 24 hours||91|
|EVGA X99 Micro 2 mobo offers USB-C in a microATX package||13|
|The Tech Report Podcast is live on Twitch||6|
|Wake-from-sleep vulnerability leaves UEFIs open to attack||48|