Millions of printers at risk of hacks, say researchers

Written by Rupert Goodwins, Contributor

Researchers at Columbia University have said they have uncovered a major security flaw in printers that could lead to data theft, vandalism or even a risk of fire.

They say that the vulnerability, which involves rogue firmware updates that reprogram the printers and take control, could affect millions of devices already installed, that there is no easy fix, and no way to tell if it's already been exploited.

The problem, reported by msnbc.com, could affect printers on networks with internet connectivity, according to Columbia professor Salvatore Stolfo, who led the research. In a demonstration referenced in the original report, one printer was hacked to overheat internal components, charring paper and creating smoke before the printer's hardware protection shut it down. Another demonstration caused a printer to send data from a printed document to another computer, which automatically extracted information.

Firmware updates are trusted, said the researchers, and do not have digital signatures guaranteeing their origin. Although HP said in response to the claims that only printers before 2009 lack this security feature, the researchers said they had bought one of the printers found to be vulnerable from an office supply store in September 2011.

Modern printers are basically computers which run complex embedded operating systems and have extensive networking and processing capabilities, but lack most if not all of the security features that networked PCs have evolved over the years.
