The headlines were inflammatory in every sense of the word: In November 2011, two Columbia University researchers recognized a security vulnerability in HP printers and set one ablaze.

Professors Salvatore Stolfo and Ang Cui realized that every time an HP printer accepted a print job, the printer was programmed to scan the job for a firmware update — but in printers produced before 2009, the scan did not check the source.

So, hackers or curious Columbia University professors could send their own firmware updates to one of millions of Internet- and network-connected printers. The firmware update could attack the fuser, causing paper to burn, or — in another frightening test case from Stolfo and Cui — scan a printing tax return for a Social Security number and post it on Twitter.

HP scrambles to cover the vulnerability

HP responded swiftly to what it called “sensational and inaccurate reporting,” pointing out that no consumer had reported an instance of unauthorized access and that each HP printer had a thermal breaker to prevent the fuser from overheating.

HP stated: “HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.” By the end of the year, HP had issued the firmware update, but not before a class-action lawsuit had been filed.

HP’s headache resulted in more consumers realizing the vulnerability of the “Internet of Things” — the hundreds of network-connected devices that make life easier, but are also relatively easy to hack, should someone take a notion.

Photo: anutin / Shutterstock

Kate Johanns

Posted by Kate Johanns

Kate Johanns is a communications professional and freelance writer with more than 13 years of experience in publishing and marketing.

Leave a reply

Your email address will not be published. Required fields are marked *