Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reports MSNBC.
The flaw involves firmware that runs so-called "embedded systems" such as computer printers, which increasingly are packed with functions that make them operate more like full-fledged computers. They also are commonly connected to the Internet.
This time-lapsed image of a screen on an HP LaserJet shows the impact of a rogue print job used to reprogram the device.
Researchers Salvatore Stolfo and Ang Cui at Columbia University, discovered the security flaw say there's no easy fix for the flaw they've identified in some Hewlett-Packard LaserJet printer lines - and perhaps on other firms' printers, too - and there's no way to tell if hackers have already exploited it.
Columbia researcher Ang Cui explains how he was able to infect an HP printer with malicious code.
The problem comes from the embedded systems inside the printers, which are basically small computers that are even connected to the internet. Even though today's printers are full-fledged devices connected to the internet, not much thought goes into making them secure.
By hacking into the computer and overloading it with instructions that heat up the fuser - a part of the printer that helps dry the ink - the researchers made the paper in the printer blacken and smoke. In another demo, a thermal switch shut down the printer, causing it to burst into flames.
Before beginning a print job, HP's printers check for firmware updates and download them if they're available. The only problem is that they don't discriminate if the update is coming from Palo Alto or an Eastern European hacker's den. The only way that hackers can take over printers that aren't connected to the internet is to trick the user into trying to print a document containing a virus. The real threat comes from printers with internet connectivity, something that's becoming more and more common in today's mobile world.
Rewriting the printer's firmware takes only about 30 seconds, and a virus would be virtually impossible to detect once installed. Only pulling the computer chips out of the printer and testing them would reveal an attack, Cui said. No modern antivirus software has the ability to scan, let alone fix, the software which runs on embedded chips in a printer.
"First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?" said Mikko Hypponen, head of research at security firm F-Secure, when told of the flaw. "Printers have been a weak spot for many corporate networks. Many people don't realize that a printer is just another computer on a network with exactly the same problems and, if compromised, the same impact."
Keith Moore, chief technologist for HP's printer division, said the firm "takes this very seriously," but his initial research suggests the likelihood that the vulnerability can be exploited in the real world is low in most cases. Moore also said that the impact of any potential vulnerability is limited because most home users have InkJet printers - not LaserJet printers - and they do not permit remote firmware upgrade, he said.
Full HP statement on the printer security:
Update Dec. 23, 2011: HP issued a firmware update to mitigate the above issue.
"No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers," HP said in a blog post announcing the firmware update.
The firmware update can be found at www.hp.com/support and selecting Drivers.
Additional printer security information is available at www.hp.com/go/secureprinting.