Exploding HP Printers Turn Out to Be Not So Explosive

Reports of the printers’ fiery deaths were greatly exaggerated.

David Zaxarchive page

December 28, 2011

It was an image so sensational it was destined to make headlines. “Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire?” asked MSNBC’s Bob Sullivan in November. That’s right: your seemingly harmless printer, sitting innocuously beside your desk, was a ticking time bomb.

The image was the result of a bit of white-hat hacking by researchers at Columbia University, who told Sullivan they’d discovered a “new class of computer security flaws that could impact millions of businesses, consumers, and even government agencies.” The researchers, lead by Salvatore Stolfo, had uncovered the flaw, they said, in HP printers, and told HP about it a week before going public. Stolfo and another researcher named Ang Cui demonstrated how they could hijack a printer and cause it to heat up the device’s fuser–something that, if a thermal switch hadn’t kicked in, could theoretically have caused the thing to burst into flames. HP quickly fired back against what it called “inaccurate claims.” But the story, if not the printers, had already blown up.

Now the story comes full circle. Even if some of the reporting may have tended towards the sensational, HP did indeed have a security hole to plug. On Friday, they announced that they finally did so, building a firmware update. HP said it received “no customer reports of unauthorized access.” Even so, better safe than sorry. In a press release, HP also reiterated its suggestion to “follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.”

So was it all much ado about nothing? Yes and no. It probably was unlikely that HP printers were ever going to burst into flames and burn down your house due to the malicious actions of a hacker across the world. But there’s an underlying lesson to be learned here: that certain of our connected devices are often less well protected than others, and that we would do well to begin to take their security seriously. As Sullivan pointed out, printers are often trusted by the devices they communicate with, meaning gaining control over a printer can sometimes be a stepping stone to infiltrating deeper into a person’s or organization’s network. “There’s no focus on the security of these devices we take for granted and we carry into secure environments every day,” said Stolfo.

That’s something to take seriously, even if the somewhat absurd image of a spontaneously combusting LaserJet was not.