back to article HP printer hack risk prompts update

Users of HP LaserJet printers need to apply a firmware update following the discovery of a potentially troublesome vulnerability. The security bug creates a means for hackers to gain access to files sent to printers via the web administration console on vulnerable machines. A security advisory from HP explains various versions …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

...something obvious...

This is an internal exploit only, 'cos you've got to get in thru the company firewall first.

....and if they're happy with that (and you can view files on the LAN) then they're probably not too bothered about you being able to see the printer config.

Printing the random documents you find in the cache is only going to get you ones containing Betty's shopping list and Barney's list of pr0n sites (as any fule no).

The best way to get a copy of sensitive data is always going to be this:

1, stand next to printer.

2, steal document

If anyone says that they've lost a document (and you want to keep a copy) then think about photocopying it. Then you can miraculously "find" their document in the pile of paper you now have with you...

0
0
G2
Joke

musical printer

i guess the printers could be made to download mp3s then, eh ? :P

/LOL

0
0
Silver badge
Paris Hilton

What?

Who the fuck forwards *any* ports from the outside world to their *printer* ?

Paris. Because even she is too smart for that.

(hmm ..... I've just had an idea for a new form of spamming ..... try IP addresses in turn to see if port 9100 is open).

0
0
Anonymous Coward

@A J Stiles

That would be a great idea for a piece of ware - once inside an organisation scan local subnets and print stuff out.

0
0
Bronze badge

HP Malware

An OfficeJet printer driver I installed the other day, consumed 650Mb!

0
0
Bronze badge

re What?

The people who forward ports from the outside world to their printers include people who have personnel who work outside the office and who sometimes need to connect to devices inside the office. Including printers.

0
0
Stop

@James O'Shea

"who sometimes need to connect to devices inside the office"

That's what a VPN is for.

0
0
Boffin

Re re What?

One word: VPN.

FTW!

(PS: Is "VPN" a "word"?!?)

0
0
Anonymous Coward

Other problems

Administrators regularly fail to change the default admin password, or even set one in the first place. A while back I did a network scan at the university I was at. Found the main printer in the administration building, no security whatsoever. I had complete access to the configuration, print queue, recently printed documents, everything. A malicious hacker could have kept himself entertained for weeks, causing trouble for users until they learned to secure it.

0
0
Anonymous Coward

which hole ridden cheese are you?

Postscript malware. Again. LOL.

http://catless.ncl.ac.uk/Risks/10.35.html#subj8 (et al.)

0
0
Lee
Thumb Up

Printing from home?

Hang on, it's hardly convenient - I'm at home and my printout is appearing in the office 50 miles away?

I like our solution - no direct printing and employee badge is needed to collect your output.

Yet....for some crazy reason, you still find unclaimed output on the printer. I usually dump it in the shredder bins - that usually learns them ;)

0
0

@Lee

I can't work anywhere that requires an employee badge. Or uniform for that matter.

0
0
Silver badge
Boffin

@ James O'Shea

If, for some unspecified reason, you really want someone to have the ability to print to the office printer while they're physically away from the office, there are better ways of doing it than throwing port 9100 open to 0.0.0.0/0. How about setting up an SSH tunnel, and tying it to the static IP address of the broadband connection you provided so that your employee could work from home?

Of course, there's still the issue of what exactly they are going to do with their printout anyway, if they're not there to pick it up .....

0
0
Bronze badge

printing remotely

It usually wouldn't be stuff the remote user wanted, but stuff that had to be printed for someone at the office. And it'd usually be guys who were not merely away from the office, but out on the road. As in connecting in via dial-up from St. Lucia or backwoods Costa Rica or some such. VPN? Wa dat? They were lucking to get a modem...

0
0
Silver badge

@ James O'Shea

"[N]ot merely away from the office, but out on the road. As in connecting in via dial-up from St. Lucia or backwoods Costa Rica or some such."

Ah, point taken. But still, why not just use `chmod a+r` on the file on the server where it's located (so anyone can read it), then get someone who is actually in the office to print it? Or, if it's actually on the person's own laptop, scp it to a server inside the office? The PostScript representation required by the printer often is much larger than the original file, so chances are it'll even work out quicker that way anyway (especially if they're using a modem).

I'm surprised nobody is using this to send spam directly to printers. Or at the very least to pull some variant of the old

$ echo @PLJ RDYMSG DISPLAY="INSERT COIN" |nc 12.34.56.78 9100

trick, maybe changing the message to "BUY VIAGRA 1.99" or something similar.

0
0
This topic is closed for new posts.

Forums