Although most people tend to think of printers as dumb boxes sitting by their desk, a new study from Columbia University researchers has found that they may be surprisingly vulnerable to sophisticated hacking attacks.
Are your printers a potential security threat?
Speaking to MSNBC's Red Tape recently, the researchers said that internet-connected printers could be used to steal personal data, access supposedly secure networks or even to cause a fire through deliberate overheating.
The researchers, who studied HP's networked LaserJet printers, told MSNBC that the devices' "Remote Firmware Update" feature is acutely vulnerable to attack. That feature, which checks for software updates whenever a new printing job starts, could allow hackers to install customised firmware that would grant them full control of the printer. The printers studied by the Columbia team lack digital signatures and thus don't check the source of a firmware update — which makes it relatively easy for hackers to spoof the printer with malicious firmware.
The stakes are high. According to the researchers, there is no easy way to detect the breach, and since security software doesn't analyse printers, hackers could have near-complete freedom of action after seizing control of a printer. Making matters worse, removing the malicious firmware is nearly impossible.
As worrisome as that might be, printer security woes have been around for years.
In 2006 at the Black Hat security conference, security expert Brendan O'Connor demonstrated how easy it is for hackers to gain access to a printer and cause trouble in the office. O'Connor showed how hackers, within minutes, can perform all kinds of tasks, including mapping an organisation's network and accessing previously printed documents.
"Stop treating them as printers," O'Connor warned IT managers during his presentation. "Treat them as servers, as workstations."
That said, O'Connor's findings came at a time when networked printers were mostly found in the enterprise. Now, they're everywhere. And the Columbia researchers say that due to the sheer number of networked printers in the wild, the flaw they discovered could affect millions of people around the globe.
But before you jump to turn off your printer, note that the flaw the researchers found is only an issue in older printer models. Since 2009, printers have included digital signature technology, which addresses the flaw. But that doesn't make the researchers feel any safer. As they pointed out to MSNBC, the number of printers suffering from the flaw "could be much more than 100 million".
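To make concrete the difference between the unsigned update path the researchers describe and the digital-signature check that newer models add, here is an added example; it is not HP's code and not from the researchers. The `Printer` class, the image names and the toy RSA key are assumptions constructed for illustration; a real updater would use the vendor's key with a vetted library and a padded scheme such as RSA-PSS or ECDSA.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed for this demo only;
# far too small for real use, and textbook RSA here has no padding).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held by the vendor only


def digest(image: bytes) -> int:
    """SHA-256 of the image, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def vendor_sign(image: bytes) -> int:
    """Vendor side: sign the image digest with the private key."""
    return pow(digest(image), D, N)


class Printer:
    """Hypothetical device model with both update paths."""

    def __init__(self):
        self.firmware = b"factory-1.0"

    def update_unsigned(self, image: bytes) -> bool:
        """The unsigned path the article describes: no check on the source."""
        self.firmware = image
        return True

    def update_signed(self, image: bytes, signature: int) -> bool:
        """Install only if the signature verifies under the vendor public key."""
        if not (0 <= signature < N) or pow(signature, E, N) != digest(image):
            return False          # reject; running firmware is left untouched
        self.firmware = image
        return True


def demo():
    good, rogue = b"vendor-2.0", b"not-from-vendor"   # constructed images
    sig = vendor_sign(good)
    old, new = Printer(), Printer()
    return (old.update_unsigned(rogue),      # accepted blindly
            new.update_signed(rogue, sig),   # signature does not match image
            new.update_signed(good, sig),    # genuine update installs
            new.firmware)


if __name__ == "__main__":
    print(demo())
```

The device holds only the public values `N` and `E`, so an image that was not signed with the vendor's private key is refused before anything is written.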
Keith Moore, HP's chief technologist for the printer division, told MSNBC in an interview that although his company takes the flaw "very seriously", he doubts that it could be as widespread as the researchers say, adding that his initial studies reveal a low likelihood that hackers would exploit it.
"This (vulnerability) is probably not as broad as what I had heard in their first announcement," Moore told MSNBC, citing his assertion that — contrary to what the researchers say — HP printers don't look for new firmware on typical print jobs. "It sounds like we disagree on what the exposure might be."
HP did not immediately respond to a request for comment on the MSNBC report.