All things considered, says David Goldblatt, he would not have bought a printer that could be hacked and set ablaze.
Goldblatt is the lead plaintiff in a class action lawsuit, filed Thursday against HP in California, claiming that the IT giant should have warned customers about the flaws ahead of time.
In a nutshell, the flaw is a pretty bad one. HP LaserJet printers built before 2009 will accept remote firmware updates without properly checking where they come from. This means that — at least in theory — a hacker could cook up a malicious firmware update and upload it to a printer to make it stop working, spy on print jobs, or maybe even set the printer on fire by overworking the printer’s fuser — the part of the printer that dries ink on the paper.
HP says that it’s never heard of its printers being hacked by criminals and that its printers have “thermal breakers” that would prevent this kind of hacker inferno. But the company has acknowledged the underlying problem in a security alert.
The lawsuit seeks unspecified damages to be paid out to HP LaserJet customers (InkJet printers can’t do the remote firmware upgrade).
But how could HP have known about the defects, which were discovered by researchers at Columbia University and publicized late last month in an MSNBC story? That’s where things get a little fuzzy. Goldblatt’s attorneys cite a 2010 report commissioned by HP and written by analyst firm Quocirca, that describes some high-level security risks to printers, without spelling out specific attacks. The report states:
Data can be intercepted and sent to a third party using a number of methods. Firmware on some printers could be modified to add this ability or other special features such as a network sniffer. This could be done by either uploading modified firmware or by modifying and replacing a chip on the printer’s circuit board.
After citing this passage, the lawyers ding HP for failing to disclose this “defect” or taking steps to remedy it.
The problem is that the Quocira report doesn’t spell out the fact that some LaserJets do firmware updates without digital certificates.
HP isn’t saying anything about the lawsuit. “We cannot provide any comment on pending litigation,” says HP spokesman Michael Thacker.
(Photo: Chelsea Oakes/Flickr)