December 06, 2011, 8:52 PM — A lawsuit filed against Hewlett Packard Co last week over a recently discovered vulnerability in its LaserJet printers alleges that the company knew about the flaw for some time but did nothing about it.
The lawsuit was filed in U.S. District Court for the Northern District of California on behalf of all HP LaserJet owners by David Goldblatt of New York, who recently purchased two of the printers.
The lawsuit accuses HP of violating California's consumer protection laws by failing to disclose a defect it knew about to consumers.
Two Columbia University researchers said last week that they discovered a weakness in the HP LaserJet printer's Remote Firmware Update process.
The process allows the LaserJet printer's firmware to be modified or upgraded remotely. However, the printer does not use any mechanism to authenticate firmware upgrade or modification requests. As a result, the printers can be easily fooled into accepting arbitrarily modified firmware, the researchers had noted.
According to the Columbia researchers, the defect allows attackers to not only gain complete remote control of the printer, but also to any network to which the printer is attached.
They also contend that the defect allows attackers to disable the printer from afar.
Goldblatt's lawsuit accuses HP of failing to require the use of digital signatures to authenticate software updates, even though it knew about the potential risks of not using them as far back as April 2010.
The complaint points to an HP-commissioned study called "Think Print, Think Security" that was published in April, 2010, and cites the firmware update issue in a section on printer vulnerabilities.
The complaint excerpts a section from the study explaining that software on some printers can be modified to enable data interception and data transfer to third parties.
"Data can be intercepted and sent to a third party using a number of methods. Firmware on some printers could be modified to add this ability or other special features such as a network sniffer," the study said. "This could be done by either uploading modified firmware or by modifying and replacing a chip on the printer's circuit board."
The lawsuit alleges that HP failed to disclose the defect until it was forced to do after a story on the Columbia researchers and the LaserJet vulnerabilities last week.
The lawsuit seeks remedies under the California Consumers Legal Remedies Act and the California Unfair Competition Law.
An HP spokeswoman said the company does not comment on pending litigation.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .
Read more about security in Computerworld's Security Topic Center.
