Hewlett Packard last week issued a fix for a LaserJet printer security vulnerability that researchers from Columbia University recently brought to light in spectacular fashion.
"HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorised access to HP," the company said in a statement.
Last month, Researchers from Columbia University's Computer Science Department said they'd found a way to reverse engineer the Remote Firmware Update function in HP LaserJet printers and trick the printers into accepting and installing malware-filled updates.
From there, researchers said, an attacker could compromise PCs on corporate networks and use them to send a barrage of instructions to a LaserJet printer, thereby causing its ink-drying element to heat up -- and potentially ignite printer paper.
HP's initial response was to acknowledge a "potential security vulnerability" in some of its LaserJet printers, but the company also railed against the Columbia researchers' claims, calling them "sensational and inaccurate".
While researchers have pointed to the potential for attacks on printers and other network-connected devices for years, they've yet to materialise, mainly because the scenarios that would allow for such attacks are unlikely in organisations that have applied security best practices.
Travis Fisher, executive vice president at HP partner Inacom Information Systems said the fact that an attacker would need to find a LaserJet that's connected to the public Internet without a firewall, or have access to the corporate network, would make it difficult for this particular vulnerability to emerge as a major threat.
"If you have a publicly exposed LaserJet printer, this problem should be pretty far down on your list of concerns," Fisher said. "Your first concern should be getting that firewall installed and configured correctly."
Jake Klee, repair services manager at Valley Network Solutions says an attacker that gained access to a corporate network using the LaserJet flaw would likely be more motivated by money than mayhem.
"Let’s say the customer is Wells Fargo. I would guess that after a hacker successfully infiltrated the network, they would be going after all the personal data, instead of trying to make a few printers burn up a fuser," he said.
HP steered clear of mentioning the fire issue in last week's statement, saying only that none of its customers had reported unauthorised access as a result of the flaw.
Some security experts believe the Columbia researchers shouldn't have resorted to mentioning the printer fire angle, since doing so added a hefty dash of hype to what ended up being a legitimate security issue.
However, Peter Bybee, president and CEO of security solution provider Network Vigilance, believes there's a lesson here. The danger of hyping security threats, he says, is the potential for backlash within organisations once the threat is deemed to have been overemphasised.
This sometimes results in ambivalence -- and less spending on security infrastructure -- within organisations, according to Bybee.
"The bottom line here is that product vendors, consultants, and internal IT staff overstate the impact of a security threat because using fear works, and may be the easiest and quickest way to overcome purchasing objections," he said.
This article originally appeared at crn.com
Issue: 330 | August 2014
Access CRN's extensive online resources including; email bulletins, community discussions and unique online news.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can log on to the CRN website or start posting comments on articles.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain '@crn.com.au' to your white-listed senders.