Thursday, December 8th 2011
Researchers at Columbia University have investigated the security of HP network printers and have found them wanting. The basic problem is the complexity of the devices and the fact that the authenticity of firmware updates for these devices isn't checked by using a digital signature.

MSNBC published an exclusive story, explaining how, by using a hacked computer, the researchers could make their test printers do various nasties, such as continuously heating the fuser unit until the paper singed, at which point the printer shut off due to the built-in safety device, a thermal switch which cannot be overridden by software. The printers could also be programmed to spread viruses, which would be very dangerous, as these attacking printers would be within the firewall perimeter, allowing them unrestricted access to the soft underbelly of the network. And as the MSNBC article put it so well: "Few companies are prepared to protect themselves from an attack by their own printer." Quite. It seems ridiculous at first sight, doesn't it?

The researchers focused on HP printers, which are by far the most popular brand out there, but say that there are similar vulnerabilities within all devices which employ embedded networked computers, leaving them wide open to attack, hence the industry should wake up to this threat and fix their systems before hackers start to exploit these for real.

HP, for their part, played down the overall threat and disagreed on several points made by the researchers. Also, the attacks were carried out using Linux and Mac computers, and the suggestion seems to be that it's somehow harder to do with a Windows computer. There's a lot more detail in the MSNBC article, and readers are encouraged to check it out.