Researchers at Columbia University, working under government and industry grants, have demonstrated that any HP LaserJet made before 2009 could be remotely instructed by computer hackers to overheat and catch fire. Apparently there are about 100 million such printers out there, which means that millions of businesses, consumers, government agencies, etc., may be at risk. MSNBC.com was the first to report the issue.
In one demonstration, Columbia professor Salvatore Stolfo and colleague Ang Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker’s machine. The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.
What’s more, fixing the flaw will not be easy. “If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective. Once you own the firmware, you own it forever. That’s why this problem is so serious, and so different,” Cui said. “This is nothing like fixing a virus on your PC.”
HP is investigating the issue. “Until we know things like whether Windows users are affected, whether this is a class or specific product issue, it is frankly irresponsible to say more,” said Keith Moore, chief technologist for HP’s printer division. “If this turns out to be the broad (problem) that’s being discussed…we will reach out to customers and get it fixed. We support our customers and value their trust.”