Hackers aren't just a threat to your digital life any more. By taking control of your printer, they could potentially burn your house down from the other side of the globe, MSNBC reports.
The security flaw was discovered by researchers Salvatore Stolfo and Ang Cui at Columbia University, and so far it's only been identified in HP LaserJet printers, although they suggest that it could exist in other brands, too. The problem comes from the embedded systems inside the printers, which are basically small computers that are even connected to the internet. Even though today's printers are full-fledged devices connected to the internet, not much thought goes into making them secure.
By hacking into the computer and overloading it with instructions that heat up the fuser – a part of the printer that helps dry the ink – the researchers made the paper in the printer blacken and smoke. In another demo, a thermal switch shut down the printer, causing it to burst into flames.
Before beginning a print job, HP's printers check for firmware updates and download them if they're available. The only problem is that they don't discriminate if the update is coming from Palo Alto or an Eastern European hacker's den. The only way that hackers can take over printers that aren't connected to the internet is to trick the user into trying to print a document containing a virus. The real threat comes from printers with internet connectivity, something that's becoming more and more common in today's mobile world.
In that case, it takes about 30 seconds to rewrite the printer's firmware, replacing it with a virus that is all but undetectable. The hackers don't even need to dupe unwitting users into installing malware. It takes care of itself.
The virus embeds itself so deep into the printer that the only way to detect it would be to remove the computer chips from the printer and run manual tests. “First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?” asked Mikko Hypponen, F-Secure's head of research. According to HP, they do.
Keith Moore, the chief technologist at HP's printer division, said that while HP “takes this very seriously,” all of HP's newer printers do require digitally signed firmware updates, and that they have since 2009. He also said that the impact from the vulnerability would be limited, since it only affects LaserJet printers, while most people have InkJet printers in their home.
It's about time that companies started taking security a bit more seriously. Today, everything from our refrigerators to our cars have embedded systems inside them, and they're just as much at risk as our desktops. And, as you can see, these vulnerabilities have very real consequences. If the idea of hackers cleaning out your bank account scares you, think about them destroying everything you own. We've contacted HP for comment but have yet to recieve a reply.
Image courtesy of MSNBC
41 Comments - Add comment