Hewlett-Packard offers fix for printers susceptible to remote hacks

Last month, MSNBC reported a team of researchers from Columbia University discovered that some Hewlett-Packard LaserJet printers, and possibly similar devices, did not verify software upgrades contained within so-called remote firmware updates. The researchers were able to offer firmware updates that included malicious software and then take control of the printer.

Once the researchers were able to take control of HP printers, they were able to accomplish a host of potentially dangerous tasks. They said they could print a tax return while sending a copy to a hacker's remote computer, compromising a host of personal information; easily disable printers; and even command a printer to continuously heat up its ink-drying component until it started to set on fire.

Hewlett-Packard issued a statement after the report was released vehemently denying that printers could be commanded to burst into flames and saying "no customer has reported unauthorized access," but the company did admit there was a flaw.

"HP has identified a potential security vulnerability with some HP LaserJet printers ... if placed on a public Internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network," the statement read.

On Friday, HP issued a news release reiterating that no customers have reported unauthorized access to their LaserJet printers, and offered a firmware update that the company says will "mitigate this issue." The update is available at http://www.hp.com/support, in the "Drivers" category.

Researchers warned that if a hacker had gained control of a printer in this manner, however, there would be no way to reverse the process.

"If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective. Once you own the firmware, you own it forever. That's why this problem is so serious, and so different," researcher Ang Cui said. "This is nothing like fixing a virus on your PC."

Hewlett-Packard recommends placing printers behind a firewall to protect exposure to remote hacks and disabling remote firmware upload capabilities on exposed printers.

(c)2011 the San Jose Mercury News (San Jose, Calif.)
Distributed by MCT Information Services