Fire Logs At Christmas

Imagine that while you’re asleep, some cybercriminal in a time zone half-way around the world, hacks into your printer to: hijack it as a copy machine, commit identity theft, take control of your network, or even send commands that cause it to overheat and catch on fire.

In a recent update, MSNBC News reported that researchers at Columbia University have found flaws in printers that could allow them to be hacked. Cybercriminals can remotely control printers over the Internet and potentially steal information, attack secure networks and even cause physical damage.

The flaw takes advantage of HP Laserjets’ remote firmware update process. Every time a printer accepts a print job it checks to see if the firmware update is included in that job. However, the printers do not discriminate the source of the update software – allowing anyone to erase the operating software and install malware. This process only takes about 30 seconds and there is no way any Anti-Virus software can scan this since the software runs on embedded chips in the printer.

In one demonstration, the researchers showed how a hijacked computer could be given instructions that would continuously heat up the printers’ fuser, eventually causing the paper to burn and smoke. While some printers have a thermal switch that would shut the printer down, others do not and could be used as fire starters.

In another, researchers printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker’s machine. The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.

While HP plays down the findings and continues to research the flaw, the researchers felt compelled to go public with the findings given that HP, with 42 percent of the market is by far the dominant printer seller worldwide selling 50 million printers annually.

Bim Parmar

Bim oversees all aspects of global marketing including corporate communications, product marketing, demand generation, and the company’s presence on the Web. He has over 16 years of experience in Enterprise and Security software working at McAfee Security and Business Objects.