Watch out, office bods: A backdoor daemon lurks in HP LaserJets

A range of HP LaserJet printers suffer a security flaw that can leak data and passwords, the US Computer Emergency Response Team (CERT) warns. Users have been told to apply the firmware patches issued by HP that resolve the issue. HP says the security risk arose after it was discovered that several models of HP LaserJets feature …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

If you expose the Telnet port on your printers to outside attackers / untrusted networks then you have bigger problems than needing a firmware update imo...

17
1
Bronze badge

Those aren't the only threats.

Say the boss downloads some NSFW software that compromises his PC - then in this scenario, one of the things that a hacker can do is to connect from the perv-station to the printer. Or, say a disgruntled employee does it. Maybe all that he or she is disgruntled about is being last in line to use the printer, so, silently cancels everyone else's prints. It's still inappropriate to make that possible.

3
0

Re: Those aren't the only threats.

Network security or even air gapping does not ensure protection against external threats (see STUXNET), much less internal.

Agreed that it is ridiculous not to lock down the firewalls, but that only gets you so far... which really isn't far at all. Proper security has to happen at all levels.

2
0
Silver badge
Pirate

Re: Robert Carnegie - Those aren't the only threats.

It's not just a matter of deleting other jobs in the queue; with certain models it's possible to also dump copies out of memory and send them over the LAN to another device. If you have a designated printer just for your MD then it would probably be of interest to competitors to be able to sneak off copies of all the documents he/she prints. Not sure about the MFPs listed, but some of the HP printers also have hard-drives which would make copying other people's print jobs even easier. Leaving debug code active in production kit really is a serious lapse and someone at HP deserves a slapping for it.

1
0
Bronze badge

Not a very good opinion then.

There is also the insider threat, which is far more common than external threats.

0
0
Bronze badge

Re: Those aren't the only threats.

First thing to do, place all printers onto a segregated vlan that has no external access and only can be accessed by the print server.

Now, any vulnerability has a modest protection, but it beats absolutely no protection.

0
0

Well you could hack it for passwords

Or you could just change the "ready" message to "Out of Paper" like everyone else does

4
0
Anonymous Coward

Re: Well you could hack it for passwords

OMG, my brand new Samsung laser does exactly that (well, it says "Paper handling error", but near enough)... does that mean that it's been hacked, or just that the software is crap to begin with???

(you can't see behind the mask, but tongue is very firmly in cheek!)

1
0
Anonymous Coward

Re: Well you could hack it for passwords

PC LOAD LETTER shurely!

5
0
Anonymous Coward

Re: Well you could hack it for passwords

What the fuck is PC LOAD LETTER?

2
1

Re: Well you could hack it for passwords

PC LOAD LETTER means you forgot to change the paper cassette messages to INSERT 10p THEN PRESS CONTINUE.

3
0
Happy

Re: Well you could hack it for passwords ... or upgrade to LaserJet 4L

My 4L has successfully resisted all hackers since 1995 with no patches (eat your heart out Microsoft). It does now have a USB plug so it can serve as the office CUPS network printer hung off a RaspberryPi.

3
0
Silver badge
Mushroom

Re: Well you could hack it for passwords

It means you should run back to the server at once and check if 'printer on fire' has been written to the console output.

0
0
Bronze badge
Mushroom

Re: Well you could hack it for passwords

He means "PLEASE LOAD A4 PAPER"

0
1
Gold badge

Re: What the fuck is PC LOAD LETTER?

It's the error you get when viewing west-pondian documents on an east-pondian PC with software that is too stupid to make the obvious adjustments.

4
0
Anonymous Coward

Re: What the fuck is PC LOAD LETTER?

It's a line from Office Space, if I remembered it correctly...

1
1
Gold badge
Happy

Re: Well you could hack it for passwords

It means that some 'tard has forgotten to configure Word properly and left it in US Engrish along with the matching stationery defaults.

What it actually means is; "Good morning/afternoon/evening. Some 'tard has left Word configured in US Engrish. If you have any, you can stuff some of that weird 'US Letter' stationery in the bypass tray, or you can just thump me in 'continue' and I'll print it on good old A4."

0
0
Silver badge
Thumb Down

"So, debug code is typically compiled out altogether in a release build."

Which actually leads to horrible nightmares with buggy, uninspectable black box software.

2
0
Anonymous Coward

Um...

Does it? On printers? When did you last debug a printer?

0
0
Silver badge
Trollface

Good job leaving everything compiled in leads to predictable code paths and solid reliability so one can forgive the bloat, as can be seen from HP's Windows drivers.

1
0
Bronze badge

"Which actually leads to horrible nightmares with buggy, uninspectable black box software."

Aah the joys of embedded systems I remember them well!

0
0

Old (black)hat Information

This kind of vulnerability is as old as they come along with listening in on public SNMP. Seems people forget what they've learned in past situations and do it all again. Life imitating TELNET.

1
0
Silver badge

Let's not forget...

...webcams and microphones!

0
0
Bronze badge

What happened to the paperless office?

Oh, it went the way of Adobe and PDFs, which are far worse at security.

1
0
Anonymous Coward

Only for printers less than 3 years old?

I guess we're safe, so - we can't afford to replace ours!

0
0
Facepalm

Re: Only for printers less than 3 years old?

No, they mean the patches are only for printers less than 3 years old. HP expect you to replace their printers more often than in the days of the battleships that were the LaserJet 4 and 5. This is why they make them from cheap plastic...

I used to work creating print servers for the OEM market and some of the security "features" left in them would make your hair stand on end!! Us developers would shout about the issues, but no one in Marketing\Sales either cared or wanted to spend any budget on making them truly secure. It all comes down to money.

Example: being able to "upgrade" firmware via TCP port 9100 without a password... just a special code to start the special print job...

1
0
Silver badge

Re: Only for printers less than 3 years old?

I'm sure architects and engineers could be found negligent for designing something obviously dangerous. Why is the same not true for software engineers?

Or more to the point, if an architect or engineer says something can't be done, their decision is respected. Meanwhile button pushers get told to shut up and do it anyway.

The question is can this be changed?

1
0
Silver badge

"Telnet is "unencrypted, insecure and out of place in 2013""

Well first of all, the interface probably doesn't run telnet. Telnet is more than just "terminal via TCP/IP", it actually defines ways to exchange capabilities of the terminals like line lengths, etc. This probably isn't done here.

Then such a simple protocol may not be the most current and hip way to do anything well defined, but this is a debugging aid. This essentially replaces a serial port on an internal pin header. There is nothing "out of place" there, it's just a sane and comfortable way of doing something.

The problem is that this debug interface is turned on by default and apparently cannot be turned off. That's the problem here. If I pay for my printer, I want to be able to use any debug interface it has, and even flash it with a new firmware whenever I choose to. I paid for the printer, it's mine and I want to do whatever I see fit with it.

4
0
Bronze badge

It could have been worse

Given there are several MFPs on the list, which will most probably be running some version of Unix, it is interesting that all that seems to be accessible via the telnet debug shell is the ability to read data - now with full root/su access an MFP could be really compromised...

0
0
IT Angle

Telnet debug shell?

'HP says the security risk arose after it was discovered that several models of HP LaserJets feature a "telnet debug shell which could allow a remote attacker to gain unauthorized access to data".'

I would have thought they would have stripped out all debug directives in the production model? link

0
0
Bronze badge

Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".

I'm forced to disagree. It most certainly does have a place in 2013.

As an example of insecure protocol design.

0
1
Silver badge
Boffin

Re: Wzrd1 Re: Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".

"......As an example of insecure protocol design." Well, to be fair (quiet, Local Dupe!), telnet wasn't designed with today's Internet in mind. It was originally designed in the much simpler networking World of the Sixties, for use on private campus networks to give remote terminal access, and for use inside secure networks it is still a useful and lightweight tool. Its security issues arise when used outside a secure network.

0
0
Bronze badge

Re: Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".

Ducklin is wrong on all three points.

Telnet certainly can be used without encryption, and insecurely. It can also be used with encryption - via Telnet-over-SSL[1], or Telnet with StartTLS[2], or Telnet Data Encryption Option[3]. It can be used with secure authentication mechanisms, using client certificates or pre-standard Telnet-with-SRP[4] or Telnet AUTH[5].

The "Telnet is insecure" canard is typically followed by "just use ssh, it's secure", with no mention of the many insecure ways in which ssh is commonly used - like accepting any fingerprint that the server offers.

[1] No specific standard, but there are a number of existing implementations.

[2] The ID for Telnet with StartTLS expired, but there's at least one open-source implementation.

[3] RFCs 2946-2950.

[4] For example with the SRP-patched version of TeraTerm Pro.

[5] RFCs 2941-2944.

1
0
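
Two comments above turn on what Telnet adds over a bare TCP stream: option negotiation, including the authentication and encryption options. As an added example (not code from the thread, HP or the article), this Python parser reads one direction of a captured session and reports whether any negotiation, and any security option, appears; the option numbers are the IANA-assigned Telnet option codes and the sample byte strings are constructed.

```python
# Added example, not from the thread. RAW, PLAIN and SECURE are constructed captures.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS",
           37: "AUTHENTICATION", 38: "ENCRYPT", 46: "START_TLS"}
SECURITY = {"AUTHENTICATION", "ENCRYPT", "START_TLS"}

def parse_telnet(stream: bytes):
    """Return (option negotiations, application data) for one direction."""
    negotiations, data = [], bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:              # ordinary data byte
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:                    # capture ends mid-command
            break
        cmd = stream[i + 1]
        if cmd == IAC:                    # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in VERBS:                # IAC <verb> <option>
            if i + 2 >= n:
                break
            opt = stream[i + 2]
            negotiations.append((VERBS[cmd], OPTIONS.get(opt, f"option-{opt}")))
            i += 3
        elif cmd == SB:                   # skip subnegotiation up to IAC SE
            j = i + 2
            while j + 1 < n and not (stream[j] == IAC and stream[j + 1] == SE):
                j += 2 if stream[j] == IAC else 1
            i = j + 2
        else:                             # other two-byte command (NOP, GA, ...)
            i += 2
    return negotiations, bytes(data)

def classify(stream: bytes) -> str:
    negotiations, _ = parse_telnet(stream)
    if not negotiations:
        return "raw TCP, no Telnet negotiation"
    offered = {o for verb, o in negotiations if verb in ("WILL", "DO")} & SECURITY
    if offered:
        return "Telnet, security options offered: " + ", ".join(sorted(offered))
    return "Telnet, no authentication or encryption option offered"

RAW = b"debug> "
PLAIN = bytes([IAC, WILL, 1, IAC, WILL, 3, IAC, DO, 24]) + b"login: "
SECURE = bytes([IAC, DO, 37, IAC, WILL, 38]) + b"\r\n"
```

An offered option is only an offer: the peer still has to accept it, so a "security options offered" result says the service can negotiate them, not that the session was protected.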
Bronze badge

Re: Wzrd1 Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".

"It was originally designed in the much simpler networking World of the Sixties"

True, if by "the Sixties" we mean 1971-1972. RFCs 97, 137, 139, 158, 206, 215, 216, 318, and 393 - February 1971 through October 1972 - describe the original Telnet, from initial thoughts through the first implementations.

1
0
Silver badge
Happy

Re Wojcik Re: Wzrd1 Ducklin added that Telnet ......

"True, if by "the Sixties" we mean 1971-1972....." Hmmm, I was taught (many, many years ago, admittedly) that Telnet grew out of RFC15 from 1969, which was in turn based on work of Bob "I'm-too-lazy-to-use-three-different-terminals" Taylor in the ARPANET project.

0
0