
Tens of millions of HP LaserJet printers vulnerable to hacking - ukdm
http://www.extremetech.com/computing/106945-tens-of-millions-of-hp-laserjet-printers-vulnerable-to-hacking
======
nicpottier
At first this seems like ho-hum news a bit, but if their claims that you might
be able to set a printer on fire using this are true, then HOLY FUCK!

How many million HP printers are there in how many million offices filled with
how many vulnerable PCs?

I'm not usually one to be alarmist, but are we one clever worm away from
Printergeddon?

~~~
mrsebastian
If I was HP -- or a third-party toner provider -- I would release a worm that
forces printers to use two or three times the usual amount of ink...

~~~
pbhjpbhj
Even better surely is to just tell the printer to report the toner as empty
after say 30% use (like manufacturers do with inkjet carts!). Then when the
customer sends the toner cart in you can recycle the toner (or just top it up
and reset the cart or whatever) and sell it back to the customer ... instant
sales increase.

Of course after a little while the customer's going to notice a problem. So
then you can sell them a fix (patched firmware) or a new printer. Play it
right and you get to run the same scam again then ...

~~~
pak
Brother already does this. When the printer tells you that toner is empty on a
Brother laser printer, you usually have about 15-20% left. However, the
printer will refuse to print anything. The solution is (no joke) to put tape
over the sensor window on the cartridge, and you can get another 1000 pages or
so.

<http://www.fixyourownprinter.com/forums/laser/39806>

Proud owner of a Brother laser printer here. My guess is that this is how they
can afford to sell the printers for so cheap (usually underselling HP).

------
robododo
It's not shocking at all that they allow firmware updates through the print
port. That's very typical.

What's shocking is the claim that the update isn't signed. I'm at a loss as to
how to describe how terrifically awful that is. It's /so/ shocking to me, I
have a hard time believing it. If true, it's astoundingly negligent on their
part.

------
d99kris
_It’s worth noting that other (non-HP) printers, copiers, and all-in-one
thingamajigs are probably vulnerable to a similar attack, too._

Well anything produced to be mass/IT-managed probably provides an easy method
for firmware upgrading. And all firmware encryptions/checksums/etc are of
course (at least theoretically) crackable.

I don't see how this could come off as a surprise to anyone in the industry.

------
j45
Wow. I worked on HP printers a long time ago and didn't hear of anything this
crazy.

Personally I stopped using HP a while back, thanks for sharing..!

------
zanst
This is f*cking awesome. I feel like I'm in the 80s. Thanks, HP.

