HP Memo Spanks Columbia Researchers Over Flaming Printers Flap
Hewlett-Packard is still doing a little damage control from an MSNBC story that emerged yesterday citing researchers at Columbia University saying essentially that HP printers could be hacked in such a way as to make them burst into flames. HP has denied most of the claims.
Printers are Internet-connected devices just like computers. They have their own operating systems and software, and so, in theory, are vulnerable to attacks by hackers just as computers are. There was an old urban myth that in the run-up to the first Iraq War in 1991, hacked HP printers shipped to Iraq were instrumental in shutting down Iraqi radar systems. It wasn’t true — it was published on April 1 of that year by the trade magazine InfoWorld — but the idea stuck, and at least one group of security researchers has been studying the use of Trojans installed into printers.
The Columbia researchers had claimed that a part inside a printer called a fuser, used to dry the ink, could be remotely instructed to overheat, eventually causing paper inside the printer to turn brown and start to smoke.
Conceptually it’s not that different from the Stuxnet attack against the Iranian nuclear research program. The attackers in that case, thought to be Israel with a little help from the U.S., attacked industrial control computers known as SCADA systems that serve as the bridge between typical Windows-based machines and industrial equipment that the SCADA systems control. In the case of Stuxnet, the SCADA systems were controlled — often they have only default passwords or no passwords at all — and the machines they were connected to could be instructed to literally destroy themselves.
Some researchers at the U.S. Department of Energy’s Idaho National Lab did just that in the video below, showing in a controlled environment that a generator could be hijacked over the Internet and made to destroy itself.
But could you do the same thing with a printer? Theoretically, I’d say it’s possible. But in this case, HP says not where its printers are concerned.
Below is an internal HP memo from Vyomesh “VJ” Joshi, the head of HP’s Imaging and Printing Group, that was circulated to employees today.
First off, he says, the fire issue is not true. As noted in the public statement, HP’s printers have a component called a thermal breaker that prevents the fuser from overheating, and it can’t be overcome by a firmware upgrade.
But Joshi also spanks the Columbia researchers for turning to the media and not calling HP first, which is the way security researchers usually operate when they identify a serious vulnerability. There is, he concedes, a vulnerability to malicious firmware modifications, especially on printers that are left unprotected on a network without a firewall running. HP aims to fix that. But usually in these situations, the media doesn’t get called until a fix is ready. “Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available,” he writes.
Joshi’s full memo is below.
From: IPG, Vyomesh Joshi
Sent: Tuesday, November 29, 2011 4:40 PM
Subject: Inaccurate Printer Security Press Coverage
Dear IPG Employees,
As many of you have read today there has been sensational and inaccurate press coverage regarding potential security risks with some HP LaserJet printers. I wanted to make sure you had the most current information and context for this situation. No customer has reported unauthorized access. We have also seen speculation in the media regarding the potential for devices to catch fire due to a firmware change. This claim is inaccurate. We have issued a public statement communicating to customers and partners and refuting inaccurate information.
This information first came to us late last week from a research lab based at Columbia University. As a result, we have identified a specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall or if a malicious effort is made to modify the firmware of the device by a trusted party on the network. Our security team is taking immediate measures to build a firmware upgrade to resolve any potential risk and will be communicating this proactively to customers and partners who may be impacted.
Typically when a security issue is identified, responsible disclosure is followed so that vulnerabilities are not made public until a solution is available. Unfortunately in this situation, a Columbia representative took it upon himself to contact the media and reports were published prior to a solution being available.
We have always taken security very seriously. In fact, HP’s reputation for security continues to be among the highest in the industry. I want to assure you that our security experts are working around the clock to mitigate any potential risk.
We will make every effort to communicate new information as it becomes available.