HP issues fix for LaserJet flaw

By Kevin McLaughlin on Dec 30, 2011 1:02 PM

Doesn't mention burning printers.

Hewlett Packard last week issued a fix for a LaserJet printer security vulnerability that researchers from Columbia University recently brought to light in spectacular fashion.

"HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorised access to HP," the company said in a statement.

Last month, researchers from Columbia University's Computer Science Department said they'd found a way to reverse engineer the Remote Firmware Update function in HP LaserJet printers and trick the printers into accepting and installing malware-filled updates.

From there, researchers said, an attacker could compromise PCs on corporate networks and use them to send a barrage of instructions to a LaserJet printer, thereby causing its ink-drying element to heat up -- and potentially ignite printer paper.

HP's initial response was to acknowledge a "potential security vulnerability" in some of its LaserJet printers, but the company also railed against the Columbia researchers' claims, calling them "sensational and inaccurate".

While researchers have pointed to the potential for attacks on printers and other network-connected devices for years, they've yet to materialise, mainly because the scenarios that would allow for such attacks are unlikely in organisations that have applied security best practices.

Travis Fisher, executive vice president at HP partner Inacom Information Systems, said the fact that an attacker would need to find a LaserJet that's connected to the public Internet without a firewall, or have access to the corporate network, would make it difficult for this particular vulnerability to emerge as a major threat.

"If you have a publicly exposed LaserJet printer, this problem should be pretty far down on your list of concerns," Fisher said. "Your first concern should be getting that firewall installed and configured correctly."

Jake Klee, repair services manager at Valley Network Solutions, says an attacker who gained access to a corporate network using the LaserJet flaw would likely be more motivated by money than mayhem.

"Let’s say the customer is Wells Fargo. I would guess that after a hacker successfully infiltrated the network, they would be going after all the personal data, instead of trying to make a few printers burn up a fuser," he said.

HP steered clear of mentioning the fire issue in last week's statement, saying only that none of its customers had reported unauthorised access as a result of the flaw.

Some security experts believe the Columbia researchers shouldn't have resorted to mentioning the printer fire angle, since doing so added a hefty dash of hype to what ended up being a legitimate security issue.

However, Peter Bybee, president and CEO of security solution provider Network Vigilance, believes there's a lesson here. The danger of hyping security threats, he says, is the potential for backlash within organisations once the threat is deemed to have been overemphasised.

This sometimes results in ambivalence -- and less spending on security infrastructure -- within organisations, according to Bybee.

"The bottom line here is that product vendors, consultants, and internal IT staff overstate the impact of a security threat because using fear works, and may be the easiest and quickest way to overcome purchasing objections," he said.


This article originally appeared at crn.com


Copyright © 2015 The Channel Company, LLC. All rights reserved.

