HP Refutes 'Sensational' Claims Of LaserJet Printer Pyrotechnics

Researchers from Columbia University's Computer Science Department say they've reverse engineered the Remote Firmware Update function in HP LaserJets in a way that tricks the printers into accepting and installing malware-filled updates, according to a Tuesday report from MSNBC.com.

The researchers claim that the HP LaserJets don't check for a digital signature to verify that the updates are legitimate, and that this could allow a remote attacker to gain access to a company's network by sending a malware-filled print job to a Web-connected printer.

In another scenario outlined by the researchers, a compromised PC could send repeated instructions to a printer that could cause its "fuser," or ink-drying element, to heat up and catch on fire. The researchers identified the flaw over a period of months and notified HP last week, according to the MSNBC.com report.

In a statement issued Tuesday, HP also said its LaserJets contain a "thermal breaker" that's designed to prevent the fuser from overheating and catching on fire. "Speculation regarding potential for devices to catch fire due to a firmware change is false," HP said in the statement.

HP did acknowledge finding a "potential security vulnerability" in some of its LaserJet printers but said no customers have reported unauthorized access to the devices. The vulnerability exists for HP LaserJets connected to the public Internet without a firewall, and printers on private networks could be impacted if trusted parties on the network were to maliciously tweak their firmware, HP said.

"In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade," HP said in the statement. HP is working on a firmware upgrade for the issue and will be reaching out to customers and partners that may be impacted.

In the meantime, HP is recommending that LaserJet owners keep their printers behind a firewall and disable remote firmware upgrades on printers where possible.

Ken Phelan, CTO of Gotham Technology Partners, a solution provider based in Montvale, N.J., says most printer related security issues to date have been limited to spam and other annoyances. However, he said utilities and manufacturing firms need to be aware of the potential for these systems to be significantly damaged in attacks.

"Embedded systems pose real security problems, but only to the extent that they are material to the operations of a company," Phelan said.

In February 2009, HP issued an alert to customers about a security vulnerability in some LaserJet printers and HP Digital Senders, warning that it could be exploited remotely to gain access to files on the printer through its Web administration console.