Could someone remotely hack into your printer, steal your personal information, and then set the device on fire? Yes, according to researchers who went public with a pretty startling proof of concept this morning.
As MSNBC reports, the Columbia University team, led by Professor Salvatore Stolfo, found HP’s LaserJet printers can be remotely compromised through their automatic firmware update mechanism. If I understand correctly, the printers are designed to check each print job to see if it includes a firmware update. All hackers have to do is hijack that mechanism by sending a print job with a custom firmware. That can be done either locally or over the Internet, if the printer is configured to accept remote print jobs. The consequences can be dire:
In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.
In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.
Attacks can be more insidious, too. MSNBC says the researchers programmed one printer to intercept incoming tax forms and send them to another machine. That machine was able to extract Social Security numbers and post them to Twitter.
Now, HP Chief Technologist Keith Moore says LaserJet printers released after 2009 require firmware updates to be digitally signed, so only older models may be vulnerable. An HP spokesperson also told Ars Technica that, even when compromised, LaserJet printers can’t catch on fire. A "thermal breaker" inside the devices prevents fires and "cannot be overcome by a firmware change or this proposed vulnerability," the spokesperson claims.
Still, the pool of vulnerable printers could be considerable. HP has reportedly sold 100 million LaserJet printers since 1984; untold numbers of them may still be in use today, and many could be open to remote attack over the Internet. The researchers claim an online scan yielded a whopping 40,000 vulnerable devices. Worst of all, they say hacked firmware would be "virtually impossible to detect" unless one took out chips and tested them manually, since no antivirus software currently has the right countermeasures.
Good thing this is only a proof of concept… for now.