henric
11-30-2011, 01:12 PM
November 29, 2011 at 2:46 pm
By Lee Mathews
Thanks to email and other forms of digital communication, we don’t print as much as we used to. That might be a very good thing, now that security researchers have turned printers into information stealing machines.
You’ve probably read about some pretty wild hacking here on Sync before, from breaking into home automation systems over power lines to the massive Sony server breaches. Now a group of researchers from Columbia University has discovered a serious flaw in HP printers that could allow a remote hacker to steal data you print — and potentially burn your home or office down.
Yes, really — though the odds are very slim. Here’s how it works:
Hackers remotely search for a vulnerable printer. Once they’ve got a target, they “poison” the printer’s firmware by sending it a series of instructions — either from a computer that is directly attached or via the Internet, if the printer supports it. Once a printer has been compromised, the hacker can alter its programming to do all kinds of nasty things, like transmitting documents that are printed to it back to a remote server. That would allow an attacker to remotely steal all kinds of sensitive information without your knowledge. As far as you know, you’d just be printing out a file.
But could someone actually set your printer ablaze? Possibly. First, it would have to be a laser printer. In a laser printer, a part called the fuser heats up to very high temperatures to bond the toner to the paper. When it’s working during a print job, you can often smell the fuser firing up. Inkjets don’t have a fuser, so they don’t have quite the same potential to start a fire (though electrical issues could still cause problems).
Columbia’s team figures that an attacker could force a compromised printer’s fuser to heat up repeatedly, and that could theoretically cause a fire. Fortunately, nearly all printer manufacturers build a thermal fuse into their fusers. When the fuser exceeds a reasonable operating temperature, the fuse will blow and prevent anything disastrous from happening. Ultimately, the risk of fire isn’t what’s alarming about this research. Rather, it’s the potential for information and identity theft and the possibility that such infected devices could infect additional printers and other networked computers and devices.
While Columbia’s researchers demonstrated their findings on HP LaserJets, it’s possible other brands are susceptible as well. In fact, they say that millions of additional electronic devices that utilize flawed firmware could potentially be exploited the same way.
It’s also worth knowing that this kind of exploit has been known about for years — at least as far back as 2000. For its part, HP has said that its newer printers all feature firmware that includes security features that would prevent this kind of attack and says it’s still reviewing the team’s findings. Let’s hope that review is thorough, because Columbia purchased one of the printers used in the demonstration from a retail store in September. Hardly an old printer, and one you’d think wasn’t hackable based on HP’s statement.
(Photo Credit: Columbia)