Pre-2009 HP printers vulnerable to hackers, say researchers


Pre-2009 HP printers vulnerable to hackers, say researchers

Warwick Ashford

A security flaw found in, but not necessarily limited to, HP printers can be exploited by hackers to take full control of printer functions, according to researchers at Columbia University.

The researchers said no pre-2009 HP printers have built-in security and will automatically accept any firmware update from any source, according to US reports.   

Initial reports by MSNBC said hackers could even set printers ablaze remotely, but HP has since issued a statement to refute the claim.

However, HP said it is “building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted”.

Until a firmware upgrade is available, HP recommends customers follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling the remote firmware upload option on exposed printers.

HP also highlighted the fact that all of its printers from 2009 onwards include digital signing to prevent this type of exploit, but the researchers said that still leaves tens of millions of devices vulnerable.

The security flaw on the pre-2009 machines allows hackers to send customised firmware to a printer that could enable them to render a user's printer useless, waste toner or overheat the device.

The researchers warned that once a printer is compromised, any update from HP will be useless, and said the same flaw could affect other printer makers although this is yet to be tested.

Photo: Thinkstock

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy