This can be accomplished because some HP LaserJet printers do not validate the origin of remote firmware updates before applying them, Salvatore Stolfo, a professor of computer science at Columbia who directed the research, told SCMagazineUS.com on Tuesday. That means anyone can reprogram the devices with malicious firmware.
Everytime an HP LaserJet printer accepts a print job, it checks to see if a firmware upgrade has been included, Stolfo said. The printer does not, however, look for a digital signature to verify that the firmware actually came from HP.
The researchers, funded by government and industry grants, have been investigating the vulnerability for several months, and disclosed the issue to HP last week.
“What we did is find a way to change the core firmware of the device – change it entirely,” Stolfo said. “By rewriting the firmware, we can inject any functions and features we wish.”
In lab demonstrations, the researchers even were able to leverage the vulnerability to overheat the printer's fuser – a ink-drying component – to cause paper to turn brown and smoke. In that demonstration, a thermal switch shut the printer down before a fire was started.
An attacker could also cause a hacked device to duplicate all print jobs on a remote printer, disable the machine, or gain access to corporate networks, Stolfo said. Adversaries may already know about the bug.
Further, the flaw could be exploited by simply tricking a user into printing a file containing malware. Moreover, if the printer was configured to accept jobs via the internet, an attacker remotely could update the machine's firmware with a malicious version, without requiring any user interaction.
“Done well, it's completely stealthy,” Stolfo said. “You wouldn't know the printer has that malicious capability. The printer sitting next to you right now could be infected and you wouldn't know it.”
An HP executive told MSNBC, which first reported the news, that the firm's printers since 2009 have required digitally signed firmware upgrades. HP did not immediately respond when contacted by SCMagazineUS.com on Tuesday.
“HPs latest printers and firmware are better protected, and the flaw is unlikely to exist in the latest models, but that doesn't account for the large number of printers deployed with the previous generation of flawed software,” Stolfo said.
Plus, the researchers believe the vulnerability extends beyond just HP printers.
“We haven't checked with other manufacturers, but the suspicion is that there are other manufacturers with the same flaw,” Stolfo said.
The researchers are withholding technical details of the glitch until later this year while they work with HP on a mitigation strategy, Stolfo said. One of the options they are exploring would essentially involve leveraging the flaw to inject security software into affected devices.
Stolfo said he hopes news of the bug will ultimately drive embedded device makers to improve security.
For many years, researchers have known that printer hacks, while not common, are certainly feasible.
And this is not the first time HP printers have been discovered to be vulnerable to cyberattack. Last September, researchers at web security firm Zscaler disclosed that certain models of HP combination printer and scanner devices contain a feature that could allow for corporate espionage. And HP, in 2006, warned customers of a recently vulnerability in two of its printer models that could make personal information accessible to hackers.