It seems, though HP is yet to confirm it, that researchers from Columbia University have found a security hole in “tens of millions” of HP LaserJet printers that allows a remote attacker to install new, malicious firmware on the device. In one example, the researchers used the vulnerability to hijack a printer’s fuser, the heating element that bonds the toner to the paper, causing the paper to turn brown and begin to smoke.

The attack vector is depressingly simple: every time a vulnerable LaserJet accepts a print job, it scans that job to see if it includes a firmware update. Unbelievably, the printer then does nothing to check where the update came from: HP doesn’t digitally sign its updates, and the printer isn’t looking for a signature. In other words, you can reverse engineer one of HP’s firmware updates, build your own image in the same format, embed it in a print job, and the printer will flash it. Anyone who can get a job to the printer can install whatever software they like on millions of network- and internet-connected LaserJets.
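To make the missing check concrete, here is an added example in Go (not HP’s code, and not the Columbia researchers’): a toy print-job handler that scans incoming jobs for an embedded firmware image, with and without a vendor-signature check. The record framing, the `UPGRADE:` marker, the `Printer` type and the fixed vendor key are all constructed for this example; HP’s real job format and update command are not described on this page. The point is where the keys live: the printer carries only the vendor’s public key, so a job can only flash an image the vendor actually signed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed framing (not HP's job format): a job is a sequence of records, each
// <4-byte big-endian length><payload>; a payload that begins with upgradeMarker
// carries "<64-byte signature><firmware image>".
const upgradeMarker = "UPGRADE:"

var ErrMalformed = errors.New("malformed print job")
var ErrBadSignature = errors.New("firmware image is not signed by the vendor key")

// Printer models the part of the device that scans incoming jobs for firmware updates.
type Printer struct {
	VendorPublicKey  ed25519.PublicKey // only the public half lives on the printer
	RequireSignature bool              // false reproduces the behaviour the article describes
	Firmware         []byte            // the image currently installed
}

// DemoVendorKey derives a fixed key pair from a constant seed (example only; a real
// vendor keeps the private half off the network and never on the printer).
func DemoVendorKey() (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

// BuildJob frames the given records in order.
func BuildJob(records ...[]byte) []byte {
	var job []byte
	for _, r := range records {
		var hdr [4]byte
		binary.BigEndian.PutUint32(hdr[:], uint32(len(r)))
		job = append(append(job, hdr[:]...), r...)
	}
	return job
}

// splitRecords undoes the framing, rejecting truncated input and over-long lengths.
func splitRecords(job []byte) ([][]byte, error) {
	var recs [][]byte
	for len(job) > 0 {
		if len(job) < 4 {
			return nil, ErrMalformed
		}
		n := int(binary.BigEndian.Uint32(job[:4]))
		if job = job[4:]; n < 0 || n > len(job) {
			return nil, ErrMalformed
		}
		recs, job = append(recs, job[:n]), job[n:]
	}
	return recs, nil
}

// SignedUpgradeRecord is what the vendor's build system would emit: marker, signature, image.
func SignedUpgradeRecord(vendorPriv ed25519.PrivateKey, image []byte) []byte {
	rec := append([]byte(upgradeMarker), ed25519.Sign(vendorPriv, image)...)
	return append(rec, image...)
}

// UnsignedUpgradeRecord is what an attacker can ship: marker, 64 junk bytes, image.
func UnsignedUpgradeRecord(image []byte) []byte {
	rec := append([]byte(upgradeMarker), make([]byte, ed25519.SignatureSize)...)
	return append(rec, image...)
}

// ProcessJob walks the job: page records are skipped here, and an upgrade record
// replaces the firmware, subject to the signature check when it is enabled.
func (p *Printer) ProcessJob(job []byte) error {
	recs, err := splitRecords(job)
	if err != nil {
		return err
	}
	for _, r := range recs {
		if !bytes.HasPrefix(r, []byte(upgradeMarker)) {
			continue
		}
		body := r[len(upgradeMarker):]
		if len(body) < ed25519.SignatureSize {
			return ErrMalformed
		}
		sig, image := body[:ed25519.SignatureSize], body[ed25519.SignatureSize:]
		if p.RequireSignature && !ed25519.Verify(p.VendorPublicKey, image, sig) {
			return ErrBadSignature // refused before anything is written
		}
		p.Firmware = append([]byte(nil), image...)
	}
	return nil
}

func main() {
	vendorPriv, vendorPub := DemoVendorKey()
	rogue := BuildJob([]byte("page 1"), UnsignedUpgradeRecord([]byte("attacker firmware")))
	signed := BuildJob(SignedUpgradeRecord(vendorPriv, []byte("vendor firmware v2")))
	for _, check := range []bool{false, true} {
		for _, job := range [][]byte{rogue, signed} {
			p := &Printer{VendorPublicKey: vendorPub, RequireSignature: check, Firmware: []byte("factory")}
			err := p.ProcessJob(job)
			fmt.Printf("check=%-5v err=%-48v firmware=%q\n", check, err, p.Firmware)
		}
	}
}
```

With `RequireSignature` false the handler does exactly what the article describes: any job that carries an upgrade record gets flashed, attacker image included. With it true, the unsigned image is refused before it touches the installed firmware, while the vendor-signed one is accepted. A signature check alone does not stop an attacker from replaying an older, genuinely signed but vulnerable image, so a real implementation would also enforce a minimum version.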

Beyond the terrifying burning-paper example, Columbia also showed some hacked firmware that detected when a tax return was being printed, and then extracted the Social Security number and forwarded it to a Twitter feed. Really, though, the possibilities of what a hacked printer could do are endless; it’s effectively just another computer on the network. You could make a botnet out of hacked printers, even.

Now, at first this might sound like a local vulnerability: many printers are reachable only over the LAN, hidden behind NAT and hard to get at from outside. But what if an employee at a company is spear-phished with a PDF or DOC that, once printed, sends the printer a job carrying hacked firmware? The bigger problem is that HP and its customers have no real way of patching this hole. There is no global update that HP can push out. Even worse, there’s no reliable way for companies to tell whether their printers have already been hacked; a printer running attacker firmware can report whatever version and status it likes. The only sure fix would be to replace every printer in the office. It’s worth noting that other (non-HP) printers, copiers, and all-in-one devices are probably vulnerable to a similar attack, too.

To be honest, we shouldn’t be surprised that such a hole exists; depressed, perhaps, but not surprised. You might not be aware, but almost every network- or internet-connected device, from a car’s on-board telematics to a self-aware refrigerator, is a computer: a processor, a network interface, some memory, and an operating system. In the case of printers, it’s usually a computer running VxWorks or an embedded version of Linux. These devices, like your Android phone, Linux server, or Windows PC, are vulnerable to the same classes of bugs and malware, and a print job is just another untrusted input the device has to parse. As you know, manufacturers generally take shortcuts to get their products to market sooner, and if there is little public history of a class of device being exploited, as has been the case with printers, you can see why HP might skimp on security measures.

It’s a very similar story to the hackable insulin pump or opening a car door via SMS. Securing these systems isn’t hard; it just doesn’t seem like a worthwhile activity until a security researcher shows a proof-of-concept attack, and then everyone moves very, very rapidly to patch the hole before the metaphorical ship sinks. The difference here is that most cases of “security through obscurity” involve rare, off-the-grid devices. There might only be a few thousand wireless insulin pumps in the world, and they’re not connected to the internet. HP has sold 100 million LaserJet printers since 1984, and nearly all of them are connected to a computer or a network.

Read more at MSNBC

Update @ 15:44 ET: HP has posted a response on the situation. Basically, it suggests that every LaserJet printer has a “thermal breaker,” which would prevent paper (or the printer?) from catching fire. The rest of the release basically confirms that there’s a gaping security hole and that they’re working on a firmware fix. With no centralized update service, though, it’s safe to assume that unpatched printers will be around for years to come.

[Image credit: Chris Hills — and that’s an InkJet, not a LaserJet, incidentally]