HP’s printer division is walking on the hot coals today, as the company has been named in a class action lawsuit.
The suit states that “HP Printers suffer from a design defect in the software (which is also sometimes referred to as “firmware”) that is resident on the HP Printers, which allows computer hackers to gain access to the network on which the HP Printers are connected, steal sensitive information, and even flood the HP Printers, themselves, with commands that are able to control the HP Printers and even cause physical damage to the HP Printers themselves.”
Despite a feature story on MSNBC referencing the work of security researchers at Columbia University, HP vehemently denies their printers can catch fire but they did acknowledge an exploitable software vulnerability exists in a Security Bulletin issued on November 30, 2011. That same security bulletin advises HP LaserJet owners to “act as soon as possible” and provides a recommended resolution in a document called "HP Imaging and Printing Security Best Practices - Configuring Security for Multiple LaserJet MFPs and Color LaserJet MFPs" – a 93 page downloadable PDF!
Whether or not the allegations are proven in a court of law remains to be seen; but the real issue facing all technology suppliers is that more legal actions are likely to occur. Just last year, a UK High Court ruled in favor of the plaintiff, London’s Kingsway Hall Hotel that sued Red Sky, a company that had supplied it a hotel management application for losses due to defective software. Red Sky’s stipulation that “customers could not take action against it for the poor performance of its software was unfair and could not be enforced,” the High Court said.
In this case with HP, whether the US courts go the same way as their peers across the pond is to be determined. What is certain is that the pervasiveness of software in all aspects of business is translating into concern and legal action by enterprises to hold their software suppliers more accountable. Even our industry’s .org’s, like SANS, are suggesting the enterprise “protect themselves” by providing recommended Application Security Procurement Language to include in vendor contracts.
Of course an alternative for enterprises is to simply demand that anything with a sniff of software must be validated as secure by an independent agency (ala the Underwriters Labs model). Indeed the PCI initiative by credit card companies has proven that such security-related self-regulation is possible, even with all the grumbling that goes along with it. The software industry has the means to improve its software security posture – the question is whether it has the will to do so before customers or worse the legal system require them to do so.
Also interesting that earlier today the webpage for a Wired magazine article on the HP lawsuit appears to be exclusively sponsored by Dell with ads like this one (let’s hope Dell has tested the software on their printers):
Oh, and by the way, I have a HP LaserJet on my home network and there’s no way I’m reading a 93 page document to learn how to secure it! That may be a sad commentary on the typical technology consumer (I am one), but now that I’m relatively reassured that the printer won’t catch fire and burn my house down, I’ll take the risk. But I’d feel a whole lot better if HP had just sold me a printer without exploitable software vulnerability in it in the first place.