Hacking somebody's printer remotely seems like a silly idea -- how would you pick up your fraudulent documents? But researchers at Columbia say they've found a way to do it, and one effect could be setting the things on fire from afar. In fact, aside from some vague references to identity theft in the MSNBC report that broke the story, setting a printer on fire seems like the only concrete effect criminals can achieve in the newly discovered hack.
Theoretically, the vulnerability in Hewlett-Packard printers that makes them susceptible to control from outside hackers could be used to establish a "beachhead" in otherwise secure computer networks.
Update: HP is pushing back hard against the report, saying safety devices in its printers can't be overcome by hacking its software. See the full statement below.
But as scientists demonstrated their findings, they went for the dramatic:
Printer security flaws have long been theorized, but the Columbia researchers say they've discovered the first-ever doorway into millions of printers worldwide. In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper – eventually causing the paper to turn brown and smoke.
In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.
HP, for its part, "said Monday that it is still reviewing details of the vulnerability, and is unable to confirm or deny many of the researchers’ claims, but generally disputes the researchers’ characterization of the flaw as widespread," MSNBC reported. Even so, this will probably make that desk by the office printer into even less-coveted real estate.
Update: HP released a statement Tuesday afternoon denying the report that a hacker could make one of its printers catch fire. The statement reads:
Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.
HP LaserJet printers have a hardware element called a “thermal breaker” that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.
The rest of its response reads: