Millions of printers worldwide could be used by cybercriminals to launch their operations

Nov 29, 2011 14:16 GMT

Columbia University researchers Ang Cui and Salvatore Stolfo found a vulnerability in HP LaserJet printers that could allow a hacker to remotely control the device to launch cyberattacks, steal information that’s being printed and even instruct its mechanical components to overload until the device catches fire.

According to MSNBC, Cui and Stolfo revealed that the flaw they found affects not only HP printers, but also other devices used by millions of individuals and companies that were considered safe until now.

In the case of one of the HP printers they tested thoroughly, the researchers relied on the fact that remote software updates are not checked for signatures or certificates when they’re installed, but this wasn’t the only issue.

In another demonstration, by sending the device a specially crafted print job, they were able to inject code that would automatically scan printed documents for sensitive information and transmit that data to a Twitter feed.

They showed that an infected computer could instruct the printer’s fuser, the component that melts toner particles to make them stick to the paper, to heat up continuously until the device self-destructs or, if it lacks a fuse, sets itself on fire.

Even more worryingly, during the tests they also proved that a hijacked printer could serve as an entry point for a full-scale attack on a company network. They even ran a demonstration from computers running Mac and Linux operating systems.

“Printers have been a weak spot for many corporate networks. Many people don’t realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact,” said F-Secure’s Mikko Hypponen.

HP representatives argue that the situation might not be all that disastrous, claiming that their newer models do check signatures when performing firmware updates. However, they’re currently investigating the issue to determine exactly who is affected and what can be done about it.

Even though later printer models should be more secure, the researchers claim that one of the printers used in their tests was purchased not long ago.