Wednesday, December 7, 2011

Bug allows HP printers to be remotely hacked, set on fire
Researchers at Columbia University in New York have discovered a vulnerability in Hewlett-Packard LaserJet printers that could allow attackers to steal sensitive documents, gain control of corporate networks, or even set the affected device on fire.
This can be accomplished because some HP LaserJet printers do not validate the origin of remote firmware updates before applying them, Salvatore Stolfo, a professor of computer science at Columbia who directed the research, told on Tuesday. That means anyone can reprogram the devices with malicious firmware.
Everytime an HP LaserJet printer accepts a print job, it checks to see if a firmware upgrade has been included, Stolfo said. The printer does not, however, look for a digital signature to verify that the firmware actually came from HP. The researchers, funded by government and industry grants, have been investigating the vulnerability for several months, and disclosed the issue to HP last week.