HP claims LaserJet exploit 'sensational,' plans fix
updated 05:25 pm EST, Tue November 29, 2011
Denies forced firmware update can cause fires
HP has issued a statement claiming that reports of a major LaserJet security exploit were "sensational and inaccurate." The company emphatically claimed that speculation that devices could catch fire due to a firmware change is false. While downplaying the risk, HP is, at the same time, working on a firmware fix for the problem.
Talk of physically damaging the printers through hacks was both unreported and technically impossible, HP said. Each LaserJet has a thermal breaker, a protective device designed to prevent a printer's fuser from overheating or potentially causing a fire. There has been some speculation that, due to a security issue, the breaker could be compromised by an unauthorized firmware upgrade, causing the printer to burst into flames.
The security threat was real, however. A printer on a public network or directly linked to the Internet without a firewall is vulnerable to malicious firmware pushed to the printer. It's also possible, in the case of Linux or Mac environments, for a specially formatted corrupt print job to trigger a firmware upgrade. HP insisted that no such breaches have happened so far.
HP didn't say when the firmware upgrade would be available. In the meantime, the company recommends that LaserJet owners place printers behind a firewall, which includes most home routers. It also suggests, where possible, disabling the remote firmware upload capability on an exposed printer.



