HP Printers Susceptible to Online Attack

Many of us update our software or install the latest antivirus programs to reduce the chances of becoming the victims of a hacker. But is it possible for our hardware components to entice hackers as well?

Hewlett-Packard recently issued a warning to select laser printer owners urging them to update the firmware of their devices or risk the prospect of leaving themselves open to a malicious attack.

In a public advisory, HP warned that certain laser printers are confirmed to have been affected, including 10 different LaserJet models (ranging from the 2410 to the 9050 models), two Color LaserJet models and the 9200C Digital Sender model (a sheet-fed document scanner). (Source: com.au)

All owners of these devices are asked to download and install firmware upgrades right away.

The computer glitch was discovered by the security services firm Digital Defense, who later reported the problem to Hewlett-Packard.

Apparently, hackers are able to exploit a bug in the web-based control interface of the printer. Basically, an uninvited guest has the potential to rummage through your arbitrary system configuration files and look over some of your cached documents.

Why bother with an attack of this kind?

Digital Defense believes that the thrill of exposing vulnerability, more than having access to restricted files, is what drives certain people to malicious behavior. These people are using directory transversal attacks to target innocent people.

A directory transversal attack is an HTTP-based exploit that lets hackers access restricted directories and execute commands outside of the server's root directory.

While some analysts have downplayed the severity of outsiders being able to view printer configurations, others are nevertheless concerned over the invasion of privacy that these attacks perpetuate. (Source: macworld.co.uk)

Those turned off by the prospect of downloading and installing security patches also have the option of simply disabling the online control interface and running their laser printer offline.

In any case, users are urged to act fast in deciding to patch or disable their printers in an effort to reduce or eliminate the prospect of becoming the victim of an attack.