HP LaserJet Printers suffer from huge security flaw

MSNBC has reported an apparent security risk that may affect millions of HP LaserJet printer owners, giving hackers the opportunity to steal data or physically destroy a printer through uncertified software updates.

Ang Cui and Salvatore Stolfo of Columbia University identified the problem and traced its cause to the fact that the HP LaserJet printers they tested didn't require a signature or certificate of authenticity for their remote software updates. With this in mind, they were able to exploit the update process, slipping their own software into the machine.

This flaw does not affect HP's InkJet printers used in homes, but the millions of LaserJets in business use since 1984 are at risk, and because printers are pretty much always 'trusted devices,' they could be used to launch mass attacks within whole corporate networks.

The demonstrations show a significant amount of control over the printer. One shows how the data of a tax return sent to an infected printer can be forwarded to a secondary computer, showing the possibility of bank fraud. The second is the most visually startling: the researchers send instructions to the printer to heat up the fuser until smoke appears. The printer's thermal switch shut it down, but an override of this would have meant an explosion.

HP's response is noncommittal: the company can neither confirm nor deny the researchers' claims. It does, however, dispute how widespread the vulnerability is, saying that the likelihood of exploitation in real life is low.

Source: MSNBC