Your laser printer might burn through plenty of paper. But a new study claims that innocuous-looking printer could be a gateway for remote hackers out to steal your identity—and maybe even physically burn you.
According to MSNBC, researchers at Columbia University claim they have discovered a new class of online vulnerability: bogus firmware updates to networked laser printers. The researchers told the news website that clever hackers can reverse-engineer the software commands used internally by laser printers and then create bogus updates, which are loaded when unsuspecting victims send a duplicitous document to the printer.
The bogus updates, say the researchers, can be designed to steal printed data—say a person's online banking statement—or even physically damage the printer. In one test demonstrated to MSNBC, for example, the researchers caused a printer's thermal infuser—used to heat and dry the printer's ink toner—to overheat and cause the printer to smolder.
Researchers at the Computer Science Department of Columbia University’s School of Engineering and Applied Science said they conducted the vulnerability research using printers made by HP. Columbia professor Salvatore Stolfo, who directed the research, told MSNBC:
The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.
According to MSNBC, federal authorities as well as HP have been briefed by the researchers of their discovered vulnerabilities. Keith Moore, chief technologist for HP's printer division, told MSNBC that the company is still assessing the discovery and takes the possible security threat "very seriously,” Moore believes that the risk to ordinary consumers is low, though, since the vulnerabilities may apply only to newer, networked laser printers.
UPDATE: HP has issued a statement refuting some of the "inaccurate claims" made by the researchers.
HP LaserJet printers have a hardware element called a “thermal breaker” that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.
The statement also said that while "a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access." The company is working to address the issue and will notify customers when a fix is available. In the meantime, HP stresses concerned consumers can find more information about protected printing at its website: www.hp.com/go/secureprinting.
For tips on how to protect your computers and personal data, check out Consumer Reports Guide to online security.
Exclusive: Millions of printers open to devastating hack attack, researchers say [MSNBC]