Researchers from Columbia University say that hackers is a simple way to, without noticing the firmware of LaserJet printers from HP can update. HP, the case examines, denies for now that it is a large-scale problem.
According to the researchers, check LaserJet printers for 2009 came on the market a firmware update with a digital signature. Because such printers are often via ethernet to a corporate network are linked, the LaserJet firmware to be updated through print jobs that are run on Linux – and Mac-based computers. This checks the software of the printer or the firmware file has a signature to check the authenticity guarantee.
The lack of control in the firmware update process, which is only 30 seconds long, it would be serious safety risks to deliver, say the researchers. So they sent a command to a LaserJet printer to a tax form to print. The printer, that modified firmware, sent the document to another computer. This scanned the document and clears out the form, a social security number to distilling. This was then a Twitter account is published.
Troublemakers HP LaserJets can also sabotage through the fuser, which is used to the ink on the paper to dry, continuous heat up, allowing the printer to fire can fly. In practice, the researchers were able to the LaserJet, however, not ignite, because a protection system against overheating the printer off.
HP, together with the researchers, the problem should be investigate, states in a comment that there is no risk that older LaserJet models in fire fly by sabotaged firmware, because the protection system against overheating regardless of the firmware works and on any laser printer of the brand is present. Also, the printer manufacturer that the most vulnerable LaserJets with the companies behind a firewall, which reduces the danger of an attack from the internet is limited, and that has not yet been proven that engineered print jobs a printer can be re-programmed. In addition, system administrators can remote-setup tool places the printer off.
The researchers suggest, however, that HP the problem trivializes. So they would have a quick scan on the internet for forty thousand vulnerable LaserJets have found. Moreover, it can be hard to be an effective solution for the vulnerability to be found. For example, a compromised firmware update the door for future updates, simply close it. In addition, it would be extremely difficult to detect whether or not a LaserJet with modified firmware is infected. They propose that companies might have no other choice than LaserJets that no control on the firmware exercise as quickly as possible to phase out. In addition, they are not that printers from other manufacturers have similar vulnerabilities.