HP Issues Fix For LaserJet Flaw, Doesn't Mention Burning Printers


Hewlett Packard last week issued a fix for a LaserJet printer security vulnerability that researchers from Columbia University recently brought to light in spectacular fashion.

"HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP," the company said in a Dec. 23 statement.

Last month, researchers from Columbia University's Computer Science Department said they'd found a way to reverse engineer the Remote Firmware Update function in HP LaserJet printers and trick the printers into accepting and installing malware-filled updates.

From there, researchers said, an attacker could compromise PCs on corporate networks and use them to send a barrage of instructions to a LaserJet printer, thereby causing its ink-drying element to heat up -- and potentially ignite printer paper.

HP's initial response was to acknowledge a "potential security vulnerability" in some of its LaserJet printers, but the company also railed against the Columbia researchers' claims, calling them "sensational and inaccurate."

While researchers have pointed to the potential for attacks on printers and other network-connected devices for years, such attacks have yet to materialize, mainly because the scenarios that would allow for them are unlikely in organizations that have applied security best practices.

Travis Fisher, executive vice president at Inacom Information Systems, a Salisbury, Md.-based solution provider and HP partner, said the fact that an attacker would need to find a LaserJet that's connected to the public Internet without a firewall, or have access to the corporate network, would make it difficult for this particular vulnerability to emerge as a major threat.

"If you have a publicly exposed LaserJet printer, this problem should be pretty far down on your list of concerns," Fisher said. "Your first concern should be getting that firewall installed and configured correctly."

Jake Klee, repair services manager at Valley Network Solutions, Fresno, Calif., says an attacker who gained access to a corporate network using the LaserJet flaw would likely be more motivated by money than mayhem.

"Let’s say the customer is Wells Fargo. I would guess that after a hacker successfully infiltrated the network, they would be going after all the personal data, instead of trying to make a few printers burn up a fuser," he said.

HP steered clear of mentioning the fire issue in last week's statement, saying only that none of its customers had reported unauthorized access as a result of the flaw.

Some security experts believe the Columbia researchers shouldn't have resorted to mentioning the printer fire angle, since doing so added a hefty dash of hype to what ended up being a legitimate security issue.

However, Peter Bybee, president and CEO of San Diego, Calif.-based security solution provider Network Vigilance, believes there's a lesson here. The danger of hyping security threats, he says, is the potential for backlash within organizations once the threat is deemed to have been overemphasized.

This sometimes results in ambivalence -- and less spending on security infrastructure -- within organizations, according to Bybee.

"The bottom line here is that product vendors, consultants, and internal IT staff overstate the impact of a security threat because using fear works, and may be the easiest and quickest way to overcome purchasing objections," he said.