TCPglobal - news, views and issues on total cost of printing

Subscribe to TCPGlobal

Alarming news emerging of printer hacking dangers

Issue #1122 – Alarming reports have been emerging in the press over the last week or so suggesting that Hewlett-Packard (the only manufacturer named so far) laser printers could be susceptible to catching fire as a result of a hacking attack. Firstly, is this seriously a possibility and, secondly, surely the alarming factor here is not the danger of catching fire but what could happen to a user’s information and printer control?

It appears that it has been proven by a university in the US that hackers could gain access to laser printers, upload custom firmware and set the fuser to overheat. In theory, this could cause the printer to burst into flames.

Burning PrinterKeep warm and save the rainforest this Christmas
buy a network laser printer and invite a hacker to dinner

In practice, this could never happen. Hewlett-Packard has responded with a statement pointing out that all its laser printers are fitted with a failsafe thermal breaker that will cause the printer to shut down long before any danger point is reached.

I can confirm the fact that Hewlett-Packard builds safety measures into its printers!! In printer tests over the last couple of years, we have become extraordinarily frustrated by the Hewlett-Packard devices going into ‘cool-down’ mode for more than a minute after printing every five pages or so! This is because we have been pushing pages through the machine at a fair rate (as much as 2,500 pages in a day). This throughput means that the fuser does not have a chance to cool off as it would under expected normal use. We found that the printer would shut itself off into this frustrating repeated ‘cool-down’ mode after about four and a half hours of heavy printing, during which around 950 pages passed through the machine.

Even if the rogue firmware managed to override this safety device, the fuser would still be shut down long before it reached danger-point.

So, having dismissed that scaremongery as irrelevant, what are the real issues here?

We are now quite familiar with internet-connected printers. Hewlett-Packard is mentioned here most importantly because every printer and multifunction device over the $99 price point are equipped with the company’s ePrint technology, multi-function devices with web-apps, and its prominence in this capability. This is what makes these printers particularly vulnerable.

However, it is not necessarily only web enabled printers that may be vulnerable here. The suggestion is that a wide range of laser printers from a wide range of manufacturers could be vulnerable, especially older, network connected, models when security implications were not so evident.

However, as we have indicated, it is not the danger of bursting into flames that is the concern here but the very fact that there are vulnerabilities that allow hackers to gain access to an organisation’s print devices. It would be much easier and less detectable to set the firmware of the device to forward all sorts of information onto the internet to be captured by the hacker.

This could include the data stream itself – imagine your confidential financial documentation, MI5 or CIA intelligence or political materials being broadcast to an external entity? Also vulnerable could be pass codes for ‘follow-me’ style printing, pass codes for access to copy and fax functions and scan-to-archive documents. In theory, hackers could also load software to add functions to onboard workflow applications to cause havoc within the organisation’s operations.

Hewlett-Packard, in conjunction with assuring customers that their printers could not burst in to flames, has also announced that it will issue firmware updates to shut off the vulnerability.

This situation does, however, underline the fact that being at the cutting edge has its dangers and that unimagined scenarios have to be imagined and thought through as part of the technology development, or ‘inventing’, process.

~ END ~