ID: IRCNE2011111324
Date: 2011-11-30
According to "computerworld", Millions of Hewlett Packard Co.'s LaserJet printers contain a security weakness that could allow attackers to take control of the systems, steal data from them and issue commands that could cause the devices to overheat and catch fire, according to two researchers from Columbia University.
Printers from other vendors likely have the same issue, the researchers said. The security researchers findings was first published by MSNBC.com earlier today.
"While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access," the company said.
It disputed media reports that the flaw would let hackers set LaserJet printers on fire and said that safety mechanisms built into the printers precluded that from happening.
The vulnerability exists in the LaserJet printer's Remote Firmware Update process. Because of weak authentication measures, the printers can be fooled into accepting arbitrarily modified firmware by anyone with logical access to the device, Stolfo said in an interview.
The LaserJet printers that were tested do not require firmware updates to be digitally signed, allowing anyone to essentially instruct the printer to erase its existing operating software and overwrite it with a malicious one.
Attackers could gain total control of the printer and rewrite its software so that it would be impossible to reset it, he said.
The flaw allows attackers to steal documents from a compromised printer, or to use the device as a launch pad for attacking computers attached to it.
"The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall," the company said. "In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network."
LaserJet printers in some Linux or Mac environments could be compromised by someone sending the device a corrupt print job, the company said.
- 2