Hackers can set your printer on fire

Hackers aren't just a threat to your digital life any more. By taking control of your printer, they could potentially burn your house down from the other side of the globe, MSNBC reports.

The security flaw was discovered by researchers Salvatore Stolfo and Ang Cui at Columbia University, and so far it's only been identified in HP LaserJet printers, although they suggest that it could exist in other brands, too. The problem comes from the embedded systems inside the printers, which are basically small computers that are even connected to the internet. Even though today's printers are full-fledged devices connected to the internet, not much thought goes into making them secure.

By hacking into the computer and overloading it with instructions that heat up the fuser – a part of the printer that helps dry the ink – the researchers made the paper in the printer blacken and smoke. In another demo, a thermal switch shut down the printer, causing it to burst into flames.

Before beginning a print job, HP's printers check for firmware updates and download them if they're available. The only problem is that they don't discriminate if the update is coming from Palo Alto or an Eastern European hacker's den. The only way that hackers can take over printers that aren't connected to the internet is to trick the user into trying to print a document containing a virus. The real threat comes from printers with internet connectivity, something that's becoming more and more common in today's mobile world.

In that case, it takes about 30 seconds to rewrite the printer's firmware, replacing it with a virus that is all but undetectable. The hackers don't even need to dupe unwitting users into installing malware. It takes care of itself.

The virus embeds itself so deep into the printer that the only way to detect it would be to remove the computer chips from the printer and run manual tests. “First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?” asked Mikko Hypponen, F-Secure's head of research. According to HP, they do.

Keith Moore, the chief technologist at HP's printer division, said that while HP “takes this very seriously,” all of HP's newer printers do require digitally signed firmware updates, and that they have since 2009. He also said that the impact from the vulnerability would be limited, since it only affects LaserJet printers, while most people have InkJet printers in their home.

It's about time that companies started taking security a bit more seriously. Today, everything from our refrigerators to our cars have embedded systems inside them, and they're just as much at risk as our desktops. And, as you can see, these vulnerabilities have very real consequences.  If the idea of hackers cleaning out your bank account scares you, think about them destroying everything you own. We've contacted HP for comment but have yet to recieve a reply.

Image courtesy of MSNBC

Report a problem with article
Previous Story

SkyDrive adds app-centric sharing for Office, HTML5 upload and more

Next Story

Microsoft launches first major Office 365 update

41 Comments

Commenting is disabled on this article.

It's ok, HP's failure rate on JetDirect firmware upgrades greatly outweighs the amount of potential infections.

This does some odd, this is what I do, I service copiers and printers for 17 years, there is a thermofuse in the fuser which will blow if the temp exceeds its rating, which then instantly shuts down the fuser, even if they told the printer to jam at the exit, once a jam is detected the machine shuts down, so not sure how this would be done, will look into this further...

Wow, this is certainly scary if true.

As an aside, do HP Printers really check for a Firmware update before every print job as the article suggests? That seems a bit excessive (And if I just want to print something quick and it decides to install an update - annoying)...

M_Lyons10 said,
Wow, this is certainly scary if true.

As an aside, do HP Printers really check for a Firmware update before every print job as the article suggests? That seems a bit excessive (And if I just want to print something quick and it decides to install an update - annoying)...

I wouldn't be supprised if they did, our CLJ3600N firmware update was done by "printing" it to the printer port using HP upload software it takes it as a print job but realizes its a firmware package then does the update

Tha Bloo Monkee said,
I wanna see a video proving that rogue software can make your printer "burst into flames" like the article says.

Believe me, we looked really hard. They don't seem to have a video, but MSNBC and Columbia are both verifying it.

Denis W said,
Wonder what the error message would be here. "lp0 on fire"?

yeah and then your home automated security system emails you informing you "your house is on fire" lulz.

hardly suprising tho, next hackers will be hacking into your smart TV's

Denis W said,
Wonder what the error message would be here. "lp0 on fire"?

well since that is a true error code in UNIX, it could be the error code those old dot matrix printers did catch on fire when in high speed mode *lol*

fail article fails. I see no mention of how to burn your house down, just that someone can install firmware on your printer. either way, my printer is connected to the same firewall that blocks 90% (over 2 billion ips) of the world, including all 3rd world and eastern block countries. I don't do business with them, their IP's have no business in my network.

SirEvan said,
fail article fails. I see no mention of how to burn your house down, just that someone can install firmware on your printer. either way, my printer is connected to the same firewall that blocks 90% (over 2 billion ips) of the world, including all 3rd world and eastern block countries. I don't do business with them, their IP's have no business in my network.

Well if it actually works, the principle is that the paper catches fire, then causes the house to burn down, which I doubt would happen either. I would've thought the printer would have fuses in the heating elements though.

SirEvan said,
fail article fails. I see no mention of how to burn your house down, just that someone can install firmware on your printer. either way, my printer is connected to the same firewall that blocks 90% (over 2 billion ips) of the world, including all 3rd world and eastern block countries. I don't do business with them, their IP's have no business in my network.

Well if it actually works, the principle is that the paper catches fire, then causes the house to burn down, which I doubt would happen either. I would've thought the printer would have fuses in the heating elements though.

The only problem i have is this.

The fuzer doesnt hold any paper, so now idea how he got the paper to burst into flames.
Also in the fuzer is a thing called a Thermister, it lets the printer know it works, it WILL blow under normal use, let alone if its overheated. When the thermister blows the printer shuts down as there will be no more current to the fuzer, it will stop heating.
Now on the machines that i worked on like the Panasonic DL80( i think it was a DL80, and the richo's, the Fuzer lamp was made of glass with a common fuze in there, that again will blow if it gets to hot.

I HIGHLY doubt any of this is REMOTLY possable

Hell-In-A-Handbasket said,
The only problem i have is this.

The fuzer doesnt hold any paper, so now idea how he got the paper to burst into flames.
Also in the fuzer is a thing called a Thermister, it lets the printer know it works, it WILL blow under normal use, let alone if its overheated. When the thermister blows the printer shuts down as there will be no more current to the fuzer, it will stop heating.
Now on the machines that i worked on like the Panasonic DL80( i think it was a DL80, and the richo's, the Fuzer lamp was made of glass with a common fuze in there, that again will blow if it gets to hot.

I HIGHLY doubt any of this is REMOTLY possable

Fuses, with an s

Hell-In-A-Handbasket said,
The only problem i have is this.

The fuzer doesnt hold any paper, so now idea how he got the paper to burst into flames.
Also in the fuzer is a thing called a Thermister, it lets the printer know it works, it WILL blow under normal use, let alone if its overheated. When the thermister blows the printer shuts down as there will be no more current to the fuzer, it will stop heating.
Now on the machines that i worked on like the Panasonic DL80( i think it was a DL80, and the richo's, the Fuzer lamp was made of glass with a common fuze in there, that again will blow if it gets to hot.

I HIGHLY doubt any of this is REMOTLY possable


Wouldn't most of those detections and shutdowns be controlled by the firmware? hence if the firmware is hacked those safety protocols could be removed!

SkyyPunk said,

Wouldn't most of those detections and shutdowns be controlled by the firmware? hence if the firmware is hacked those safety protocols could be removed!

No as if the fuse is blown it would not pass current, the thermister is part of the circut, thus not heating up. Same with a light bulb, if the curcut is not complete, no light

SkyyPunk said,

Wouldn't most of those detections and shutdowns be controlled by the firmware? hence if the firmware is hacked those safety protocols could be removed!

You don't read good:
"When the thermister blows the printer shuts down as there will be no more current to the fuzer, it will stop heating."

It can't continue heating.

SkyyPunk said,

Wouldn't most of those detections and shutdowns be controlled by the firmware? hence if the firmware is hacked those safety protocols could be removed!

no, you'd never put a safety measure controlled by software, its always a physical fail safe, kinda like a normal fuse it will blow when over current, you wouldn't want firmware saying eh your over current, keep going

Good thing they didn't find this back when Windows 98 was around, and you could get into almost any computer without a password... Could you imagine the rash of fires started by script kiddies?

Crisps said,
Well if not the printer, that DGL-4500 in the pic sure will burn your house down.
I have a new D-link N "gaming" router, and it doesn't get hot at all...so umm yeah, fail joke

tsupersonic said,
I have a new D-link N "gaming" router, and it doesn't get hot at all...so umm yeah, fail joke

No, you just seem to fail to understand what a joke is. Jokes don't have to be true you know. But if they are, I feel sorry for the poor soul who's mother makes a bus do a wheelie...

dead.cell said,

No, you just seem to fail to understand what a joke is. Jokes don't have to be true you know. But if they are, I feel sorry for the poor soul who's mother makes a bus do a wheelie...
No, jokes just have to be funny, and that was not funny at all. Sure, if he made a comment about the iPhone and heat, that would be a lol (after yesterday's story of an iPhone exploding on a plane). Or another device that gets hot, but that dlink doesn't, so yep, standing by my point

tsupersonic said,
No, jokes just have to be funny, and that was not funny at all. Sure, if he made a comment about the iPhone and heat, that would be a lol (after yesterday's story of an iPhone exploding on a plane). Or another device that gets hot, but that dlink doesn't, so yep, standing by my point

Just because you don't like the joke doesn't mean it's not funny.

Crisps said,
Well if not the printer, that DGL-4500 in the pic sure will burn your house down.
As a D-Link owner this joke personally offends me!