Malware Triggering Printers to Explode?

Back in 2006, PC Pitstop in partnership with D2 Worldwide – helped to expose the troubling levels of LiIon battery volatility and the risks of exploding laptops.

That was then…Now – A New Problem

Researchers at the Columbia University School of Engineering and Applied Science have uncovered a vunerability that leaves tens of millions of common office printers open to devasting malware infections – including attacks that could cause the printers to catch on fire.

The story was first revealed in an article posted on msnbc.com.

Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reported by msnbc.com. They say there’s no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too – and there’s no way to tell if hackers have already exploited it.–MSNBC

Printer security flaws have long been theorized, but the Columbia researchers say they’ve discovered the first-ever doorway into millions of printers worldwide. In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.

In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.–MSNBC

Columbia professor Salvatore Stolfo was later quoted by thestar as saying;

“Some of the media outlets incorrectly (and inappropriately) reported about ‘burning printers.’ We were not able to burn any printer. In fact, our test showed that the thermal switch in the HP 2055DC printer design cuts power to the printer we tested if the fuser heats too much. That is good news for HP that their cutoff switch worked.

“Unfortunately, too many media outlets ignored our finding and reported the opposite.”

Although the testing at Columbia was limited to particular HP LaserJet printers, the researchers (in a quick online search) were able to identify 40,000 devices ( including DVD players, telephone conference tools, even home appliances) and others commonly connected to the internet that could face similar mechanical or physical attacks. It is not known – how many of these devices include a temperature safe guard that could prevent a fire – like the HP printers in this test.

HP’s response (11/29/2011):

Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.

HP LaserJet printers have a hardware element called a “thermal breaker” that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.

HP has sold 100 million LaserJet printers since 1984.

Full text of HP response.

What Should You Do?

Look for HP to release firmware updates in the near future for the affected printers. Also be aware that the same situation can exist for routers, if you do not change the default password.

PC World: 7 Ways to Protect Your Printers

Updates:


Wired.com: HP Hit With Lawsuit Over Flaming-Printer Hack

Security Week: HP Printer Firmware Vulnerabilities: FUD or Fire?

“The focus of HP is on the fire issue, but they don’t say anything to address the real issue, which is the fairly indefensible position of not cryptographically authenticating their printer software updates,” Security expert Kurt Stammberger, VP of Market Development at device security firm Mocana told SecurityWeek. “Fires notwithstanding, printers are still a great place to launch and attack against a network, because they are so broadly connected.”

(Visited 8 times, 1 visits today)

8 thoughts on “Malware Triggering Printers to Explode?

  1. This is mainly related to HP printers were by they are fed remote instructions continuously that can cause them to heat up. That’s what can cause them to catch on fire.

  2. I’ve noticed a trend toward an increase in sensationalism at PC Pitstop that causes me some concern. I signed on originally because your articles were interesting and useful, and more or less kept to the technical subject at hand. Perpetuating rumors and inuendoes has become the hallmark of main stream news media, and it is very disappointing to see this trend creeping into the computer communications field. Sorry to see it happen, particularly at PC Pitstop. Think long and hard about this, as the result may be a reduction in readership.

  3. The bad guys are always one step ahead of the good guys but in the end we will not only survive but will have a much improved product than we would have because this makes the manufacturers improve its hardware and software at a faster rate .

  4. I have not slept a wink since I heard that printers could explode. The fear, no the abject terror, is making my life a hell.

    There is normal fear like a terrorist attack or aircraft crashing or an asteroid crashing into earth and destroying mankind – and then there is real deep palpable fear – the fear that your printer could explode.

    I mean…..I mean…..it has as much chance of happening as winning the lottery so that doubles the fear. It could happen. It could happen. It could happen a little voice in my head repeats over and over.

    I lay there in the dark my palms sweaty, my heart racing, it could happen…..it could happen. Oh, how could Pitstop be so cruel.

  5. Thermal cut-off devices used in other technologies is a physical switch that opens above a pre-determined temperaure. They would be useless if an over-ride other than a direct hardwired bypass could be acheived.

    • This is the only answer that makes any sense. The laser jet printer doesn’t use a fuzer to dry the ink. Laser jet printers don’t use ink to dry. Inkjet printers use ink, laser printers use TONER. The fuzer is the same as that is used in plane paper copiers. As stated, the temperature is controlled with a thermal switch and a thermal fuze as a fail-safe device to prevent such of an occurrence.

      I’ve worked in copier repair for 21 years, so I’m a little bit familiar with the subject.

  6. The laptop folks had to invent the wheel for themselves! The RC model airplane folks could have set them straight, they had been struggling with explosion/fire prone Lithium-Ion batteries for several years and had finally discovered what was causing the fires just when the laptop makers were first experiencing fires

Leave a Reply

Your email address will not be published. Required fields are marked *