HP sued over security flaw in printers
New Yorker sues HP after researchers show how they can compromise an HP printer, steal data, and make it overheat via a remote update feature.
A lawsuit against Hewlett-Packard alleges that the company sold LaserJet printers that it knew had a security flaw in them that could allow hackers to steal data, take control of networks and even cause physical damage to printers through overheating.
The suit, filed last week in district court in San Jose, Calif., accuses HP of knowingly selling printers with a design defect that renders them "highly vulnerable to attacks by hackers." The plaintiff, David Goldblatt of New York, said he would not have purchased two HP printers had he known about the problems. It alleges HP violated the California laws designed to protect consumers and prohibit fraudulent or deceptive business practices and seeks class-action status.
The issue stems from the fact that software on the printers that allows for updates over the Internet does not use digital signatures to verify the authenticity of any software upgrades or modifications downloaded to the printers, according to the lawsuit.
"As a result of HP's failure to require the use of digital signatures to authenticate software upgrades, hackers are able to reprogram the HP Printers' software with malicious software without detection," the suit says. "Once the HP printers' software is maliciously reprogrammed, the HP printers can be remotely controlled by computer hackers over the Internet, who can then steal personal information, attack otherwise secure networks, and even cause physical damage to the HP printers, themselves."
An HP spokesman told CNET via e-mail today that the company does not comment on pending litigation.
The security issue was raised by researchers in the computer science department at Colombia University's School of Engineering and Applied Science in late November. They told MSNBC that the printers' "Remote Firmware Update" feature, which checks for software updates whenever a new printing job starts, could allow hackers to install customized firmware that would grant them full control of the printer.
In one demonstration, a researcher printed a tax return on an infected printer, which then sent the document to a second computer that tweeted the Social Security number on a Twitter feed. In a second demonstration, researchers fed instructions to a compromised HP printer to cause the printer's fuser--a component that dries the ink once it is applied--to heat up and cause the paper to smoke and turn brown, according to the lawsuit.
"Because the HP Printers do not contain a 'thermal switch,' the HP printers, themselves, can be physically damaged," the suit alleges. The lawsuit references an April 2010 paper commissioned by HP titled "Think Print, Think Security," which said "data can be intercepted and sent to a third party using a number of methods. Software on some printers could be modified to add this ability or other special features such as a network sniffer. This could be done by either uploading modified software or by modifying and replacing a chip on the printer's circuit board."
Digital signature technology has been included in printers since 2009, which addresses the flaw, but the lawsuit claims that tens of million of HP printers are affected.
At the time of the report, HP refuted the research, calling it "sensational and inaccurate," and saying that HP hadn't received any complaints from customers.
"The specific vulnerability exists for some HP LaserJet devices if placed on a public Internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network," the statement said. "In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade."
In addition, HP dismissed concerns about the intentional overheating threat. "HP LaserJet printers have a hardware element called a "thermal breaker" that is designed to prevent the fuser from overheating or causing a fire," the statement said. "It cannot be overcome by a firmware change or this proposed vulnerability."
HP also said it was working on a firmware upgrade to protect printers against the threat but did not say when that would be available.