Samsung printers have secret admin account

Some Samsung printers, including models the Korean company made for Dell, have a backdoor administrator account coded into their firmware, says US CERT. The brief vulnerability notice does not mention which models have the account, but does say “The vendor has stated that models released after October 31, 2012 are not affected …

COMMENTS

This topic is closed for new posts.
Bronze badge

There was obviously a reason for this.

Why didn't you make any suggestion what that might be?

(And I am not just posting this to get a silver badge too neither so there.)

0
1
Gold badge

Re: There was obviously a reason for this.

An obvious candidate would be installation. I'll bet the thing comes with an "easy setup for retards" installation disk and the setup routine needs to be able to talk to the thing.

They want the password fixed so that the setup routine always works, even on subsequent invocations. 10/10 for idiot-friendliness, 0/10 for common sense.

<Smug>

I'm not posting this just to get a silver badge either.

</Smug>

0
2
Anonymous Coward

Experimental downvote

Is it possible to expunge someone's gold badge?

5
0
Gold badge

Re: Experimental downvote

Good question. Maybe we could have a gold badge with teeth marks - a temp replacement when a gold badger (sorry, couldn't resist that one) has been misbehaving :).

Having said that, Gold badges do not always relate to commentard contributions, I think the introducing article made that clear (however, I've been reading El Reg from practically the moment they went live so I reckon I have chalked up enough comments by now to support platinum, diamond and moon rock levels :).

In general, I think it's good to have some badgering (that's enough - Ed) because some people know how to control themselves online and will only say things they will also say in your face - even anon - whereas others see the online life as an opportunity to let out Mr Hyde with no consideration for the consequences or impact they may have on others. A bit of a feedback loop may assist the latter realise that they are still communicating with other human beings, not just some text on a screen.. Oh, and that laws do exist..

That is, of course, entirely my opinion - as always.

0
0
Headmaster

Re: I'm not posting this just to get a silver badge either.

Steady on, old chap. That sort of thing just isn't cricket...

1
0

Re: Experimental downvote

Possibly not in this v1 release, but if that's the case, I'm sure it'll be baked in by v2!

0
0
Silver badge
Boffin

Re: I'm not posting this just to get a silver badge either.

<Smug> wasn't one of the new HTML tags, sorry TeeCee.

0
0
Bronze badge

"As a general good security practice, only allow connections from trusted hosts and networks."

http://www.kb.cert.org/vuls/id/281284

0
0
Silver badge

nice, so only internal pranksters can mess things up.

"sorry, couldn't print the TPS, printer was on the fritz. herp derp"

0
0
Facepalm

And as Printers ..

... are trusted hosts and tend to have access to every machine that might need to print in the building.

0
0
Bronze badge

Pretty amateurish...

...don't get me wrong, heads should roll over this, but is it really such a big problem?

You do a security audit. You identify the devices that don't need Internet access. You block them. That includes printers so the story ends there.

Allowing naked Internet access to and from devices that have no reason to be doing so is akin to running a Windows installation without AV, with the big but that it is a lot easier to effectively fix.

1
0
Anonymous Coward

Re: Pretty amateurish...

Security audits - you reckon small businesses have the time / skills / more than a basic firewall / NAT - or what if it's more than just their printers - Smart TVs, Galaxy devices - ouch.

If they do it once - why not again - guess it's if you believe it was a mistake?

1
0
Silver badge

Re: Pretty amateurish...

I'm also wondering about permissions for internet access for that oh so helpful printer management software (which seems to be bundled with the driver, or vice versa), that keeps popping up and asking me if I want it to go check for driver updates or order supplies. Can I trust it? How do I know if I really can?

Note: My printer comments are based on my experience of my cheapo Dell laser colour printer, I wonder what amazing powers the expensive ones have. Ten years ago, I had an HP scanner (the bundled and necessary software actually) that tried three different ways to access the internet, so I blocked each one as Zone Alarm pointed the attempts out to me.

I block everything from accessing the internet, unless it stops it from working or stops the computer from working, and that includes some Microsoft Windows services and most application update services. Most people, especially home/SoHo users are not aware of the potential problems and feel they can trust something if they've paid money for it.

0
0
Bronze badge

Re: Pretty amateurish... @frank ly

Not sure if you are talking about a network printer or something directly attached to a pc. For a network printer, not setting the default gateway IP should restrict its communications to the local network,

0
0
Silver badge

Re: Pretty amateurish...

Forget internet access, what about those earnings figures that are due to be announced next week? What if someone got hold of them a little early? Perhaps they patched the firmware to email a copy of everything to a laptop left in a corner with a 3G USB stick in it? Or for better stealth, connect to someone's phone over wireless when they walk into range.

0
0
Anonymous Coward

Nice - perhaps we should give their equipment more scrutiny - wonder how many other devices have back doors - would make a nice botnet.

0
0
Silver badge

Didn't that get done 10 years ago with HP or Lexmark devices?

0
0
Bronze badge
Stop

Careful Now. Down with that Sort of Thing!

“The vendor has stated that models released after October 31, 2012 are not affected by this vulnerability.” Which will be welcome relief for those who acquired a printer in the last month.

Except the chances are that that device has been sat in a warehouse/shipping container/factory for a while and may still be vulnerable. I'm not sure if Samsung printers have a 'built on' date printed on them, but I'd be worried on any new Samsung printers for at least the next year.

4
0
Thumb Up

Re: Careful Now. Down with that Sort of Thing!

"that models released after October 31, 2012 are not affected"

This is almost as good as the BMW key coding thing and their PR response.

What it should say is "Every printer we made in the last decade is probably affected by this vulnerability"

0
0

Re: Careful Now. Down with that Sort of Thing!

Great - so any models and existing stock up to a few weeks ago are probably vulnerable and will rely on users to update them - can't really see that happening. Perhaps Samsung should offer a product recall?

0
0
Facepalm

Re: Careful Now. Down with that Sort of Thing!

Note it says "models released" not "printers manufactured"...

0
0
Big Brother

I'm still wondering why the hell this equipment has a hidden Admin account configured that the OWNERS of the machine are not informed of / able to easily access. On what possible grounds do they think they are justified in creating this access?

That shrinks the list of possible replacements for the dead HP crud even further.

0
0

I would guess someone thought it'd be a good idea so that engineers could log in easily or somesuch. Hell it might even be a testing account which they never thought to remove.

Either way, it's a bad bad thing to ship equipment with hidden accounts.

1
0
Silver badge

Helloooo!

Add radius authentication to the feature set and always use that for testing.

It ain't rocket science!

(go-go silver!)

0
1

I wonder if the reason for this is that the printers run a cut-down version of Linux and they left root with a default password. Very easy for a developer that is not security minded to do that sort of thing.

1
0

I wonder how happy people would be if their car manufacturer did something similar. Not very I suspect. With all these smart TVs and devices being able to do more it's a serious concern.

1
0
Anonymous Coward

Samdung, swiss cheese security. Their phones had a special phone number that would reset them. What next?

2
3
Anonymous Coward

It's really p*ss poor - chances of buying any Samsung kit in the future have dropped significantly.

0
0
Bronze badge
Devil

I just love

The Samsung network printer ad that showed up when I was reading this article.

Perfect placement!

1
0
Anonymous Coward

Windowsesque security blunder

When will idiots stop baking in hideous security blunders like this, didn't they learn anything from the issues caused by windows secret admin account.

0
1
Anonymous Coward

Re: "Idiots"

When will idiots learn what a question mark is for?

0
0
Anonymous Coward

Shamsung can do no wrong in my eyes

bless em

0
1
TRT
Silver badge

Re: Shamsung can do no wrong in my eyes

Yeah. I think it's a bit mean singling the guy out for criticism like this. After all, he gave us all a great laugh when he joined Apple.

0
0
Bronze badge

What OTHER devices might have them baked in?

Tabs, Notes? Other devices?

1
0
Silver badge
Happy

Hi

No comment.

Just taking my SILVER badge out for a spin!

WooT

0
2
Silver badge

don't worry the solution for this is to never leave paper in the rack. that way the hackers can log in through the back door but they can't print any of their nefarious designs

0
0
Unhappy

Except when you come in the next day and load it back up, walk away to get a coffee and come back to 500 pages gone?

0
0
Silver badge
Coat

At least now we know...

...why the RIAA was issuing summons to IP addresses owned by printers and accusing them of sharing music on p2p networks.

Mine's the one with the badge on ;-)

1
0

Re: At least now we know...

Let me guess Samsung's Terms and Conditions totally remove any responsibility for this or any damage caused even though it was almost certainly wilful or at least negligent?

0
1

Re: At least now we know...

The Unfair Contract Terms Act 1977 would probably strike such clauses out. Getting Samsung into Court to get such a result is the hard part.

0
0
Bronze badge
Thumb Down

It doesn't follow...

"“The vendor has stated that models released after October 31, 2012 are not affected by this vulnerability.” Which will be welcome relief for those who acquired a printer in the last month."

The welcome relief will happen only when all the models released before 31 Oct 2012 have been sold - which could perhaps be anything up to a year later?

0
0

Annoyware

If we could have access to that backdoor perhaps we could prevent the Samsung printer from claiming that it was out of toner and refusing to accept a nicely shaken 'empty' cartridge as a replacement.

0
0