Don't throw away your HP printers just yet.
MSNBC released an "exclusive" report quoting two Columbia University researchers as saying that millions of HP printers are open to potentially devastating online hacks. While the security holes appear to be very real, there's considerable doubt about whether the attacks could ever be carried out in a real-world situation -- and there are steps you can take at your corporate firewall right now to mitigate the threat.
The fundamental problem stems from the way HP printers validate firmware updates prior to applying them. Or more accurately, the way HP printers don't bother to validate firmware updates prior to applying them.
Salvatore Stolfo, a professor at Columbia, and Ang Cui, a doctoral student, have been looking at security holes in HP printer firmware. It's entirely possible that similar vulnerabilities exist in other printers, so don't take this flaw as an indictment of HP -- yet.
According to MSNBC's report, Stolfo and Cui "described the flaw in a private briefing for federal agencies two weeks ago. They told Hewlett-Packard about it last week." In fact, details about the security hole started circulating more than a month ago, and Cui and Jonathan Voris, a doctoral student at Polytechnic Institute of NYU, are due to present a paper on the topic at the 28th Chaos Communication Congress next month.
Stolfo, Cui, and Voris say they have found a way to hijack the firmware in HP printers. The problem stems from the fact that HP doesn't require authentication for firmware updates -- no code signing, no validation, no password or manual supervisor intervention prior to a firmware patch being installed. Cui says, "We can actually modify the firmware of the printer as part of a legitimate document. It renders correctly, and at the end of the job there's a firmware update. ... In a super-secure environment where there's a firewall and no access -- the government, Wall Street -- you could send a résumé to print out."
Of course, none of the antivirus manufacturers has routines that will identify rogue remote firmware update files, nor do they have scanners for printer firmware.