Experts: HP LaserJet Fire Claims Bunk, But Vulnerability Bears Watching


The recently uncovered vulnerability in Hewlett-Packard LaserJet printers is an issue that needs to be fixed, but the notion that remote attackers could use the flaw to set the devices on fire is preposterous.

That's according to security solution providers CRN spoke with on Monday. They believe the Columbia University researchers who claim this is possible are playing up this particular aspect of their discovery of a vulnerability in HP LaserJet printers in order to attract attention.

"While the security of embedded systems is important, sensationalist, headline-grabbing stories like this do nothing to improve security," said Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based solution provider. "They serve to scare people into action, which is about the worst possible way to improve security."

"The 'catching-on-fire' sensationalism appears to have just been used to draw unnecessary attention," said David Sockol, president and chief executive of Emagined Security, San Carlos, Calif.

However, it's clear that Columbia University researchers have uncovered a potentially serious security issue. The National Vulnerability Database has assigned the LaserJet vulnerability a CVSS base score of 10 out of 10. There are alarming implications for companies here that go beyond a printer fire.

Over the past several months, the Columbia University researchers reverse engineered the Remote Firmware Update function in HP LaserJets in a way that allows device firmware to be wiped and, if one were so inclined, replaced with rigged firmware that could be used for malicious purposes.

If they were successful in exploiting the flaw, remote attackers could siphon off the contents of print jobs containing confidential data, or leverage a compromised web-connected printer to gain access to other parts of the corporate network, according to the Columbia researchers. Even a non-financially motivated attacker could wreak havoc by using the vulnerability to carry out denial of service attacks.

While attacks on printers and other embedded systems have yet to materialize, Peter Bybee, president and CEO of San Diego, Calif.-based Network Vigilance, a security solution provider, says they're eminently plausible due to the lack of attention these devices typically receive from security administrators.

"Print servers have been an overlooked vulnerability within networks for a long time, not just with HP but also with many of the Xerox multifunction printer/copiers," Bybee said. "It’s just that most organizations don’t spend much time trying to harden them."

HP is working on a fix for the LaserJet vulnerability, and in the MSNBC report, Keith Moore, chief technologist for HP's Imaging and Printing Group, said HP has required digital signatures for printer firmware updates since 2009. But until HP issues a fix, older LaserJets would appear to be vulnerable.

Sockol, for his part, says HP should have addressed this issue previously. "There is no reason that a third party should be installing software or firmware in the printer," Sockol said. "HP should be using digital signatures validated on Hardware Security Modules (HSM) to ensure that all updates are legitimate."

HP last week railed against the initial LaserJet report, calling it "sensational and inaccurate." However, it's not clear whether HP objected to the printer fire claim or the claims about how the LaserJet flaw could be exploited, or both. HP didn't respond to a request seeking clarification on this point.

Nonetheless, while the Columbia researchers appear to have injected some adrenaline into the discussion, the fact that HP is working on a fix for the LaserJet vulnerability shows that even when there isn't fire, sometimes smoke is enough to get people's attention.