Is Your Printer An Open Invitation To Steal?

Columbia University researchers have found a new class of computer security flaws involving printers that could impact millions of businesses, consumers, and government agencies.

The researchers say that certain Hewlett-Packard (HP) LaserJet printers can be remotely controlled over the Internet, enabling computer hackers to steal personal information, attack normally secure networks, and cause physical damage to hardware.

HP's Keith Moore says the initial research suggests the likelihood that the vulnerability can be exploited in the real world is low.

However, the Columbia researchers claim the security vulnerability is so fundamental that it could affect tens of millions of printers and other hardware that use flawed firmware.

The firmware flaw runs embedded systems such as computer printers, which increasingly include functions that make them operate more like computers.

"These devices are completely open and available to be exploited," says Columbia professor Salvatore Stolfo.

For example, the researchers showed how a hijacked computer could be given a command to continuously heat up the printer's fuser, eventually causing the paper to turn brown and smoke.

The researchers also found that printers automatically accept software updates from unknown sources, making them vulnerable to viruses that can be remotely installed.