Could hackers steal info, start a fire using your printer?

Networked printers have long been seen by security experts as a potential — although to date unexploited — entry point into networks.

But now a team of researchers at Columbia University’s School of Engineering and Applied Science says it has discovered a flaw in certain Hewlett-Packard LaserJet printers that would make it easier for hackers to gain control of the devices, potentially stealing personal information, executing attacks on networks and even giving the printers instructions that might make them overheat enough to catch fire.

Exploiting the flaw, the researchers were able to give the printer so many rapid instructions that the fuser (the device that heats up to dry the ink on the paper) got hot enough to make paper smoke, MSNBC reported.


HP at first denied any possibility of this flaw existing, citing zero customer complaints of printers being hacked by outside users. Then the company issued a statement admitting there was a security flaw and said it was working on firmware updates but that it was impossible for its printers to cause a fire. Again, HP emphasized that there have been no complaints from customers about their printers being hacked.

HP may have a point about the fire part. Even in the researchers’ private demonstration before several federal agencies earlier this month, a thermal switch shut the printer down before anything actually caught fire. HP says this switch is in all of the company’s LaserJet models, so none of them could start a fire that way.

However, shutting down the printer this way effectively disables it, at least until certain parts are replaced.

HP said the vulnerability applies to some LaserJets that are connected to the Internet without a firewall. “In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network,” the company said. “In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.”

The company said it is working on a firmware upgrade and will notify customers who could be affected. Meanwhile, HP recommends putting printers behind a firewall and disabling remote firmware upload on exposed printers when possible.

Although few, if any, network attacks have ever occurred via printers, this security flaw sheds light on their vulnerability to intrusion, which could open the door to viruses and the like. Right now, no antivirus solution on the market could detect, let alone fix, a virus that might reside in a printer’s firmware. Something to think about.

But the real question is: If a printer were hacked like this, could it finish printing its explosive detector before catching fire? And is that dramatic irony? I always get confused about literary devices.

Reader Comments

Thu, Dec 1, 2011 Dylangrr MI

If human combustion can't be accomplished, at least make them sizzle and smoke.

Thu, Dec 1, 2011 The Far Bite good'ol USA

Yeap... HacKers Kan do that. They Kan even someday Kary a man - who will turn out to be a hacKer - to the moon using a flaw in Microsoft Windows that NASA has on some of the servers that manage some of the email on some Space Station above the moon, sometimes in the future, therefore achieving the first ever successful teleportation. That which NASA and others have no clue on how to accomplish it.

Thu, Dec 1, 2011 HJF VA

A team of researchers at Columbia University’s School of Engineering and Applied Science need to be working on a reverse virus that makes hackers suffer from spontaneous human combustion.
