Although most people tend to think of printers as dumb boxes sitting by your desk, a new study from Columbia University researchers has found that they may be surprisingly vulnerable to sophisticated hacking attacks.
Speaking to MSNBC's Red Tape recently, the researchers said that Internet-connected printers could be used to steal personal data, access supposedly secure networks, or even to cause a fire through deliberate overheating.
The researchers, who studied HP's networked LaserJet printers, told MSNBC that the devices' "Remote Firmware Update" feature is acutely vulnerable to attack. That feature, which checks for software updates whenever a new printing job starts, could allow hackers to install customized firmware that would grant them full control of the printer. The printers studied by the Columbia team lack digital signatures and thus don't check the source of a firmware update--which makes it relatively easy for hackers to spoof the printer with malicious firmware.
The stakes are high. According to the researchers, there is no easy way to detect the breach, and since security software doesn't analyze printers, hackers could have near-complete freedom of action after seizing control of a printer. Making matters worse, removing the malicious firmware is nearly impossible.
As worrisome as that might be, printer security woes have been around for years.
In 2006 at the Black Hat security conference, security expert Brendan O'Connor demonstrated how easy it is for hackers to gain access to a printer and cause trouble in the office. O'Connor showed how hackers, within minutes, can perform all kinds of tasks, including mapping an organization's network and accessing previously printed documents.
"Stop treating them as printers," O'Connor warned IT managers during his presentation. "Treat them as servers, as workstations."
That said, O'Connor's findings came at a time when networked printers were mostly found in the enterprise. Now, they're everywhere. And the Columbia researchers say that due to the sheer number of networked printers in the wild, the flaw it discovered could affect millions of people around the globe.
But before you jump to turn off your printer, the flaw the researchers found is only an issue in older printer models. Since 2009, printers have included digital signature technology, which addresses the flaw. But that doesn't make the researchers feel any safer. As they pointed out to MSNBC, the number of printers suffering from the flaw "could be much more than 100 million."
Keith Moore, HP's chief technologist for the printer division, told MSNBC in an interview that although his company takes the flaw "very seriously," he's suspect that it could be as widespread as the researchers say, adding that his initial studies reveal a low likelihood that hackers would exploit it.
"This (vulnerability) is probably not as broad as what I had heard in their first announcement," Moore told MSNBC, citing his assertion that--contrary to what the researchers say--HP printers don't look for new firmware on typical print jobs. "It sounds like we disagree on what the exposure might be."
In a follow-up statement to CNET, HP took a more direct stance against the researchers' findings. The company told CNET that the researchers' report is "sensational and inaccurate," and so far, it hasn't received a single complaint from customers who have been exposed to the flaw.
"While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access," the company told CNET in a statement. "The specific vulnerability exists for some HP LaserJet devices if placed on a public Internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network.
"In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade," HP continued.
To address the issue, HP says that it's currently working on a firmware upgrade to safeguard against the threat. The company didn't say when it would launch.
Updated at 11:16 a.m. PT to include more details and at 1:26 p.m. PT to include HP's statement.