HP makes a statement regarding the LaserJet printer vulnerabilities

Nov 30, 2011 09:33 GMT

After Columbia University researchers demonstrated a series of attack methods that rely on vulnerabilities found in HP LaserJet printers, Hewlett Packard came forward with a statement to argue that it’s not as bad as it looks.

According to DailyTech, the company claims that so far no customers have reported anything that would indicate a device catching fire as a result of a malevolent software update.

“HP LaserJet printers have a hardware element called a 'thermal breaker' that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability,” HP states.

On the other hand, the company admits that some of the vulnerabilities that could allow unauthorized access may be plausible, but says the attack only works on machines placed on a public network without the protection of a firewall.

“In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade,” the statement adds.

It seems that they are already working on a firmware upgrade that will mitigate the issue, but in the meantime, their customers are advised to secure the devices by placing them behind a firewall and by disabling the remote firmware upload when possible.

As it turns out, most printers do have the “thermal breaker” HP was talking about, so it remains uncertain which models, if any, may be set on fire as a result of a malicious operation.

While HP keeps stating that the attacks would only work on Mac and Linux systems, and that printers connected to Windows devices are not susceptible, in reality a Windows machine could always be fitted with a Linux partition from which the attack could take place.

In any case, now that the situation is out in the open, HP will need to act quickly to resolve these issues before an actual attack occurs. Fortunately for them, these attacks are not something that any script kiddiez could perform, but who knows, a cybercriminal mastermind may be planning an operation that relies on the flaws.