HP LaserJet printer security problems
HP's printer division has confirmed a potential vulnerability in older LaserJet printers that allows attackers to install specially crafted firmware on the devices. The issue exists because firmware updates for older models are deployed without digital signatures, so the printers will accept and install any firmware. In certain circumstances, the firmware can also be updated remotely, allowing attackers to gain control of a printer by injecting code.
According to reports in the US media, researchers at Columbia University managed to use specially crafted software to overheat a printer's fuser, which could potentially even cause a fire, though the researchers admitted that a "thermal breaker" shut down their target printer. HP points out that thermal breakers, which are designed to prevent overheating and fires, are included in all its printers and that they "cannot be overcome by a firmware change or this proposed vulnerability".
HP has announced plans to fix the vulnerability; until then, customers are advised to place their printers behind firewalls and disable the remote update features. However, attacks on network printers were a general risk before this problem was discovered, and unpatched software vulnerabilities in particular have threatened printer security for quite some time. Back in January at the ShmooCon conference, two pen testers impressively demonstrated how to gain remote access to printers in a corporate network. Products by Canon, Toshiba and Xerox have also repeatedly been affected by similar problems.