HP Printer Firmware Vulnerabilities: FUD or Fire?

Is the Potential of an Attacker Setting a Printer on Fire Really What IT Security Departments Should be Worried About?

Last week, news surfaced that researchers from Columbia University had discovered vulnerabilities in the upgradeable firmware of HP laser printers. The firmware could be compromised and modified by an attacker, enabling them to do anything from overheating the printer to compromising a network, with some speculating that the devices could even be set on fire.

HP responded with a statement, saying the reports were “sensational and inaccurate,” and that “speculation regarding potential for devices to catch fire due to a firmware change is false.” The company explained that HP LaserJet printers have a hardware element called a “thermal breaker” that’s designed to prevent the fuser from overheating and causing a fire. “It cannot be overcome by a firmware change or this proposed vulnerability,” the company said.

But is the potential of a printer fire the real threat that IT security departments should be worried about? Security expert Kurt Stammberger, VP of Market Development at device security firm Mocana, doesn’t think so.

“The focus of HP is on the fire issue, but they don’t say anything to address the real issue, which is the fairly indefensible position of not cryptographically authenticating their printer software updates,” Stammberger told SecurityWeek. “Fires notwithstanding, printers are still a great place to launch an attack against a network, because they are so broadly connected.”

While HP refuted claims that its printers could be set on fire remotely by an attacker, it did acknowledge the existence of a potential security vulnerability related to the firmware in some of its LaserJet printers.

“The specific vulnerability exists for some HP LaserJet devices if placed on a public Internet without a firewall,” the company said in a statement. “In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.”

The company followed by saying that “no customer has reported unauthorized access.” But how many organizations and individuals monitor printers and other non-PC networked devices for potential attacks? Not many. And most do not have the ability to do so.

Stammberger believes HP’s statement that ‘no customer has reported unauthorized access’ is a bit interesting and somewhat concerning. “That is a pretty cheeky statement, considering HP doesn’t provide any facility to diagnose the health of their printers’ firmware images, or report on whether or not it has been infected,” he said.

“HP is only stoking the controversy by reacting this way. This is a they ‘doth protest too much’ type of denial, typical of companies that don’t have a lot of experience in security issues,” he added. “In fact, this sounds a lot like the way Microsoft would have reacted in the late 90’s,” he said, noting that Microsoft has made great strides in its security organization, takes all vulnerability reports seriously and doesn’t try to minimize vulnerabilities through PR.

HP currently provides software that enables admins to set configurations and security policies for devices, and provides IT infrastructure and filtering technology to help remove suspicious files and devices on a network, but it lacks the ability to monitor the health of the firmware on its printers.

“First of all, how the hell doesn’t HP have a signature or certificate indicating that new firmware is real firmware from HP?” asked Mikko Hypponen, head of research at F-Secure, speaking to MSNBC.Com’s Bob Sullivan.

HP is by no means alone. This trend extends far beyond printers, to devices including Internet-capable televisions, cars and many more. The security of such embedded devices is often ignored, not just by consumers but by network administrators, who often don’t consider these devices to be at risk because there is no data to lose. This is far from the truth.

“Even if I couldn’t start a fire in this particular printer line, I might be able to, for example, introduce malware that sends a copy of every document printed to China,” Mocana’s Stammberger explained.

HP said it is working on a firmware upgrade to mitigate the issue and will reach out to customers and partners who may be impacted. In the meantime, HP suggests that customers place printers behind a firewall and, when possible, disable remote firmware upload functionality on exposed printers.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
