Researchers Hijack Printer Using Malicious Firmware Update | eWeek

Researchers Hijack Printer Using Malicious Firmware Update

Nov 29, 2011
3 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Columbia University researchers demonstrated a bug in common office printers that could be used to forward documents to a remote computer or to remotely send commands that heat up and physically damage the printers, according to a Nov. 29 MSNBC.com report.

Professor Salvatore Stolfo and researcher Ang Cui of Columbia University’s School of Engineering and Applied Sciences showed how a remote machine can scan a document, in this case a tax form, and post sensitive data such as Social Security numbers to Twitter.

Malicious perpetrators can compromise a printer just by tricking a user into printing a booby-trapped document, according to Cui and Stolfo. There is also another way, in which printers configured to print jobs over the Internet can be remotely updated with malicious firmware without the printer owner’s knowledge or awareness, the researchers said.

“These devices are completely open and available to be exploited,” Stolfo said, noting that these machines are commonly connected to the Internet.

The idea that printers can’t be compromised “is nothing new,” Jonathan Gossels, CEO and president of IT compliance and security consulting firm SystemExperts, told eWEEK. Modern printers have always been vulnerable to attack because they are “sophisticated computers in their own right,” he said.

Detecting the malicious firmware would be nearly impossible, according to Cui, since no modern security tool has the ability to scan or repair software running on embedded systems such as printers.

While Cui and Stolfo used Hewlett-Packard’s line of LaserJet printers and the Remote Firmware Update process in their demonstration, they said other vendors’ printers are similarly vulnerable. HP LaserJet printers tend to check to see if a firmware upgrade is included in the data being sent with a print job, but the researchers claimed the machines do not check for a digital signature to verify the firmware update is actually authentic and from HP before installing the update.

“It’s like selling a car without selling the keys to lock it,” Stolfo said.

HP did not immediately respond to a request for comment but told MSNBC that the printers have required digitally signed firmware updates starting in 2009, so the researchers must have used older models. The researchers denied the claim, saying they bought the printer at a major office supply store.

Keith Moore, chief technologist for HP’s printer division, told MSNBC that the likelihood of such an attack is slim.

“Regardless of whether HP is right that newer LaserJet printers are protected against the vulnerability or not, it’s clear that there may be many devices which are potentially at risk of attack,” Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog.

Stolfo and Cui also noted that a hijacked printer could be used to launch attacks on other computers within the corporate network. HP’s Moore said standard print jobs could not be used to initiate a firmware upgrade. Only specially crafted files sent directly to the printer from the Internet can, he said. If that’s the case, this kind of attack could be launched against printers connected to the Internet, but printers behind a corporate firewall would be safe from attack, Moore claimed.

The researchers also demonstrated how sending continuous commands to a printer could cause it to heat up and smoke. The HP printer shut down before a fire could break out, but researchers believed other printers may not have the same kind of thermal switch to protect the machine. This gives attackers “a dangerous new tool that could allow simple computer code to wreak real-world havoc,” MSNBC.com reported.

A malicious individual trying to set a printer to catch fire is “downright unlikely,” but the fact that HP has a huge market share in printers means “a potentially large number may now be more vulnerable to ordinary exploitation,” Gossels said.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.