Imagine: Your printer, at rest in your home office as you’re away at work or maybe out shopping. Suddenly it powers up, humming, making that familiar mechanical shuffling sound so many printers emit during startup. But after a few minutes, tendrils of smoke start to leak from its crevices. The paper in the feeder yellows and crinkles. And then you arrive, thankfully just in time to yank the plug from the wall and stop the machine from all but bursting into flames.
Sound a little ridiculous? It’s not–up to the part about things bursting into flames, anyway, and printer maven Hewlett Packard says all of its printers include a “thermal breaker” to prevent them from catching fire. But the rest describes what researchers at Colombia University managed to do, according to MSNBC, demonstrating several apparently serious vulnerabilities in ordinary office printers, vulnerabilities that might be exploited by hackers who have the opposite of your best interests at heart.
The idea’s simple, and underlies the methods used today to gain illicit access to computers and related deices: Give a computing device too many balls to juggle by exploiting some programmatic mechanic and it chokes. That’s essentially how hacktivist groups like Anonymous and LulzSec smashed corporate and governmental security measures this year, hobbling web servers and knocking sites and services offline–even allegedly crippling the CIA’s website back in June.
According to MSNBC, the Colombia University researchers are calling this a “new class of computer security flaws,” one in which hackers might gain remote access to printers and either forward secure print jobs to other devices, potentially exposing sensitive information, or cause actual, physical harm to the printer. The reason it’s new, they say, is that printers have become more computer-like, functioning more like standalone computers on networks. But since they’re not viewed in security terms as discrete, vulnerable client computing devices, they lack the inbuilt, progressive defense measures common to traditional computers.
The real gotcha, according to the researchers, is the fact that you can’t easily fix this flaw, nor is it obvious if hackers have already exploited it.
“The problem is, technology companies aren’t really looking into this corner of the Internet. But we are,” said Columbia professor Salvatore Stolfo, speaking to MSNBC. “The research on this is crystal clear. The impact of this is very large. These devices are completely open and available to be exploited.”
No surprise, HP disagrees, claiming its printers are safe from bursting into flames thanks to the inbuilt thermal breaker. That “cannot be overcome by a firmware change or this proposed vulnerability,” said the company in a statement reacting to the research, adding that “speculation regarding potential for devices to catch fire due to a firmware change is false.”
But while HP says “No customer has reported unauthorized access,” it does acknowledge the security flaw, though it then misleadingly says that it only affects non-firewalled printers, glossing over the fact that if a firewall’s breached, the potential to hack and damage a device like a printer remains.
In the meantime, HP says it’s “building a firmware upgrade to mitigate this issue,” and recommends placing printers behind firewalls and, “where possible, disabling remote firmware upload on exposed printers.”