HP Dismisses Malicious Printer Hijack Hack

Columbia University researchers demonstrated a bug in common office printers that could be used to forward documents to a remote computer or to remotely send commands that heat up and physically damage the printers, according to a MSNBC.com report. HP immediately issued a statement admitting the vulnerability’s existence in “some” LaserJet printers but denying the scope of the claims.

Professor Salvatore Stolfo and researcher Ang Cui of Columbia University’s School of Engineering and Applied Sciences showed how a remote machine could scan a document, using a tax form as his example, and post sensitive data on Twitter.

Poisoned document source

Malicious perpetrators can compromise a printer just by tricking a user into printing a booby-trapped document, according to Cui (pictured)and Stolfo. There is also another way, in which printers configured to print jobs over the Internet can be remotely updated with malicious firmware without the printer owner’s knowledge or awareness, the researchers said.

“These devices are completely open and available to be exploited,” Stolfo said, noting that these machines are commonly connected to the Internet.

HP’s rebuttal statement stressed, “While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorised access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.”

Sophistication brings vulnerability

The idea that printers cannot be compromised “is nothing new”, Jonathan Gossels, CEO and president of IT compliance and security consulting firm SystemExperts, told eWEEK. Modern printers have always been vulnerable to attack because they are “sophisticated computers in their own right”, he said.

Detecting the malicious firmware would be nearly impossible, according to Cui, since no modern security tool has the ability to scan or repair software running on embedded systems such as printers.

Page: 1 2

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Share
Published by
Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

4 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

4 days ago