HP's Hackable Printers: The Lawsuit

[qubit]

Three days ago, we brought you news of how researchers have made proof-of-concept attacks on HP printers by reprogramming their firmware. Among other things, these attacks could deliberately cause the fuser in a printer to overheat and singe the paper, until shut down by a built-in unoverridable thermal switch, preventing a fire. Now, in light of this, a lawsuit has been filed by David Goldblatt of New York, seeking damages for fraudulent and deceptive business practices and is looking for class action status: "As a result of HP's failure to require the use of digital signatures to authenticate software upgrades, hackers are able to reprogram the HP Printers' software with malicious software without detection," the suit says. "Once the HP printers' software is maliciously reprogrammed, the HP printers can be remotely controlled by computer hackers over the Internet, who can then steal personal information, attack otherwise secure networks, and even cause physical damage to the HP printers, themselves." Note that HP has used digital signatures since 2009 to authenticate the firmware updates, helping to mitigate this potential problem in recent models.

Despite this though, HP still intends to patch the firmware to eliminate threats from this hack, which exploits bugs in the firmware. As these attacks have only actually been demonstrated in the lab and no actual losses have been incurred by Goldblatt, it makes one wonder if he is just using the prevailing American "victim culture" to try and make a quick buck off HP. HP are the top printer brand, mainly because their products are excellent, performing well and lasting a long time, plus other companies' printers and embedded devices have the same problems, so it seems unlikely that he would really not have bought HP printers.



Source: c|net

[Kreij]

While HP drivers could use a little extra security, I hardly see it as "fraudulent and deceptive business practices."

If that's the case, just about every hardware manufacturer is guilty of the same thing.
I don't really see him winning this case and he is probably just banking on the fact it will be cheaper for HP to just settle the claim, and payout something, than fight it out in court.

[a111087]

the only "fraudulent" thing in here is the lawsuit itself...

[qubit]

Quote:

Originally Posted by Kreij

While HP drivers could use a little extra security, I hardly see it as "fraudulent and deceptive business practices."

If that's the case, just about every hardware manufacturer is guilty of the same thing.
I don't really see him winning this case and he is probably just banking on the fact it will be cheaper for HP to just settle the claim, and payout something, than fight it out in court.

Indeed. It's one thing to sue where you've actually suffered damages due to someone's negligence. However, it's quite another in a case like this. I hope HP nail him to the wall for a "fraudulent and deceptive" lawsuit!

[jsfitz54]

How does an HP Printer Owner know that the Software/Firmware is Intact and Unaltered?

HP should patch and provide a utility to verify its integrity.

[qubit]

Quote:

Originally Posted by jsfitz54

How does an HP Printer Owner know that the Software/Firmware is Intact and Unaltered?

HP should patch and provide a utility to verify its integrity.

Checksums are used to detect file corruption and has been used since the dawn of computers. Digital signatures on the other hand, go a step further. While they check the integrity of a file, they also authenticate that it came from who it claims to have come from. This technique uses cryptography to implement this function and is similar in concept to SSL for websites.

[masterbw2000]

This lawsuit has no merit, it's Gold-seeking lawsuit for sure.
Whether you intentionally or unintentionally getting the exploited firmware upgrade due to user error, it's your fault and don't blame the manufacturer.

[robal]

Lawsuit troll...

[dank1983man420]

Quote:

Originally Posted by robal

Lawsuit troll...

This guy probably worked for Rambus at some point in his life.



I hope he loses big in court and HP does a firmware update so this issue can be done with.

[qubit]

This David Goldblatt sounds like a lawyer, just the type to pull a stunt like this. I tried googling him, but turned up nothing, just some hit that didn't look like it would be him.

Can anyone do better?

[bill_d]

to bad this won't make HP put out full windows 7 drivers for their printers

[Shihabyooo]

Quote:

Originally Posted by qubit

As these attacks have only actually been demonstrated in the lab and no actual losses have been incurred by Goldblatt, it makes one wonder if he is just using the prevailing American "victim culture" to try and make a quick buck off HP.

^Summing up the entire article.

[tigger]

Its america, just another excuse to sue somebody.

[erocker]

As an American that owns a couple HP printers I definitely feel like a victim. Every night when I leave work, I'm now afraid and traumatized that my printers may catch fire burning my business to the ground. It's hard to sleep at night and HP is at fault. God ble$$ lawyer$, we would be lo$t without them.

[Kreij]

If the business starts to take a nose dive and becomes unprofitable, you can burn it down, collect the insurance money and blame HP.
Just make sure you start the fire at the printer, and be careful what accelerants you use as they will show up in the forensics of an arson investigation.

There is a silver lining in everything.

Disclaimer : I do not encourage nor condone arson as a method of perpetrating insurance fraud.

[JATownes]

Quote:

Originally Posted by Kreij

Disclaimer : I do not encourage nor condone arson as a method of perpetrating insurance fraud.

Since you don't outright discourage insurance fraud, what method do you encourage or condone?

[wiak]

i love my new HP 1102W Wireless LaserJet printer, fast and easy driver installation, i upgraded from a ancient HP LaserJet 1010

[Kreij]

I have quite a few HP printers on my work network and never had any problem other than HP driver incompatibility with some applications.

Although I will say that their default installation package is horribly bloated if you just want to print.

[95Viper]

Just my opinion; but, this is just another case of class action get rich scheme for lawyers.
Class action lawsuits, as the law allows for today, does nothing for the victims; however, it is lucritive for the lawyers involved.
They need to change the system to where there is a cap on the amount of profit that can be made by the lawyers and involved staff and/or associates. Do this and watch the courtrooms go almost vacant.
No thank you , do use the guise of suing for me to make some chump(s) rich.

Call me silly, but, shouldn't you be protecting your, network (business and/or home) yourself.
Do you really allow your devices to be updated remotely, from an outside un-secure source.
Maybe, your internet fridge or toaster. But, I would even put them behind a firewall and allow no access.

Just my opionion, as I said... and, a wee little rant.

Link to a good article and the court filings. (Notice it was E-filed.)
(Probably printed out on a hacked HP laser printer.)

Related Video Sorta

[pantherx12]

I hope this dude gets thrown out on his arse.

Pretty much anything with software on it can be hacked given time .

[faramir]

Quote:

Originally Posted by Kreij

I don't really see him winning this case and he is probably just banking on the fact it will be cheaper for HP to just settle the claim, and payout something, than fight it out in court.

I hope HP takes that greedy bastard to court and bleeds him dry in lawyer and court fees. He has no case and is obviously just fishing for money.