Printers On Fire

Hacking remote printers is not a new topic in security. At this year's Defcon 19, researcher Deral Hailand demonstrated how he could gain Admin access to a multifunction printer could enable you to access sensitive documents that have been scanned or printed recently. Previous attacks were shown almost a decade ago at DefCon 10 in sessions Network Printers and Other Network Devices, Vulnerabilities and Fixes and Attacking Network Embedded Systems. And some hacks on HP printers even go back as far as 1997.

While these are all valid attacks designed to access proprietary network data, researchers this week found that they could physically set a printer on fire and do so remotely.

At the Computer Science Department of Columbia University’s School of Engineering and Applied Science professor Salvador Stolfo, assisted by Ang Cui, found that HP printers check for new software updates with each print job. So the researchers reverse engineered the software that allows firmware upgrades through a process called "Remote Firmware Update" and discovered the firmware doesn't check the source of the update. Apparently HP doesn't use digital signatures to verify the upgrade software’s authenticity.

Possible results? A remote command could instruct an HP printer to continuously heat the fuser element which dries the ink once it’s applied to paper. Eventually this would cause the paper to catch fire. In a demonstration for Bob Sullivan of MSNBC, who first wrote about this attack, the printer shut itself off before it could immolate itself. According to Sullivan's report, HP has sold 100 million LaserJet printers since 1984,

But Stolfo and Cui aren't convinced the problem is HP-specific. They have started to look at other printer vendors for similar vulnerabilities.

Update: Ang Cui and Jonathan Voris will present more details on this attack at the upcoming 28th Chaos Communication Congress to be held at end of December in Berlin.