HP admits to backdoors in storage products

Hewlett-Packard has admitted that there is an undocumented administrative account in its StoreVirtual products, and is promising a patch by 17 July. The issue, which seems to have existed since 2009, was brought to the attention of The Register by Technion, the blogger who earlier published an undocumented backdoor in the company' …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

They will provide a patch and they will allow you to disable that support account. HP will just have a new private back door account though.

Who thought it was a good idea to have a support account that could reset the device to factory defaults? How many customers screwed their config up so bad and locked themselves out that they had to call HP to wipe the box?

Not as bad as Netscreen firewalls though; if you have the serial number, you can use it to wipe a firewall as long as you can get access via CLI or GUI to it.

3
0
Mushroom

Re: Who thought it was a good idea...

Some baboon who wanted to report to upper management; "See! I've streamlined support!!!!!11!ONE!1!"

3
0
Anonymous Coward

"...HP will just have a new private back door account though...."

Of course. There is no hardware reset switch anymore, so to avoid lost passwords bricking the device, they will always have to have a backdoor into it.

0
0
Bronze badge
Facepalm

"Of course. There is no hardware reset switch anymore, so to avoid lost passwords bricking the device, they will always have to have a backdoor into it."

Yes, in their wisdom HP decided that the support account is more secure than hardware reset switch.

Most of the kit from various vendors is resettable if you have physical access to it, and that is generally not an issue as most corporate environments have physical access controls in place to stop just anyone fiddling with the kit.

I'd like to know how they came to the conclusion that remote access is more secure than requiring physical access. I would kind of understand if they had opted for combination of the two, so that you would need one method to enable the other method (for a brief time period before it automatically times out again).

3
0
Bronze badge

yep, what exactly was wrong with the physical switch?

A config reset switch may cause trouble if it is a tempting-looking red button on the back panel. Inside the controller unit it's reasonably secure. Certainly better than any remote access solution.

Perhaps it was done for the so-called "dark sites" with no permanent staff? But still not a good explanation. In that case, driving n+n miles would be a proper punishment for screwing up.

0
0
Silver badge
Paris Hilton

I'd like to know how they came to the conclusion that remote access is more secure than requiring physical access.

Business Analysts and a Decision Chain of Monkeys?

1
0
Anonymous Coward

"Business Analysts and a Decision Chain of Monkeys?"

Cost of doing it in software $0.00; the cost of a button $0.10. So, software was free whereas a button costs money on each machine.

0
0
Silver badge

But no other HP products?

Do they expect people to think that this is a one off and they didn't do the same thing on some (ALL?) of their other products...

9
0
Black Helicopters

Re: But no other HP products?

HP acquired LeftHand in 2008/2009. So whilst the tin-foil hat brigade might think they immediately backdoored it, it seems more likely to me that it was there all along but became HP's problem at that point.

3
0
Silver badge
FAIL

Help Please

All your backdoor are belong to us.

5
0
Gold badge
Mushroom

Hmm. A mass reset of *all* HP storage products *everywhere*.

Good thing neither the NSA nor GCHQ rely on them isn't it?

Cloud because well it could come close to ending civilization as we know it.

0
1
Black Helicopters

LeftHand OS

http://www.merriam-webster.com/dictionary/sinister :

Definition of SINISTER

1. archaic : unfavorable, unlucky
2. archaic : fraudulent
3. : singularly evil or productive of evil
4. a : of, relating to, or situated to the left or on the left side of something; especially : being or relating to the side of a heraldic shield at the left of the person bearing it
   b : of ill omen by reason of being on the left

0
1
Silver badge

Complex passwords?

"credentials would not pass complexity tests required by many websites as they use no numerals, symbols or capital letters"

So what? Why would anyone want to use a complex, hard to remember password with some strange C0mBinAtion of characters? All that happens is that the lusers end up writing it down on a sticky note under the keyboard. Strong passwords do not have to be complex or hard to remember.

0
1
Yag

Re: Complex passwords?

well... the sticky note under the keyboard is probably more secure than a lot of other methods I've seen (worst offender was: "I'll just write them in a plain text file named 'passwords.txt' and stick it on my USB key")

1
0
Gold badge

Re: Complex passwords?

More relevant is that it doesn't matter what the password is, or how complex, if it is the same on every box!

I have a file somewhere of "standard passwords" for the default admin accounts on all sorts of hardware; once your device is on this list, it is not secure, regardless of how many %$º{Ç in the password.

9
0
Bronze badge

Re: Complex passwords?

"credentials would not pass complexity tests required by many websites as they use no numerals, symbols or capital letters"

or vowels?

fycnrdthsyrprttysmrt

(is not my actual password)

0
0
Silver badge
Meh

Re: Complex passwords?

It's a complex/lawyersafe way of saying that it is "admin"

(just guessing and no-one shall act on information alleged or not alleged to be true in this statement)

1
0
Silver badge
Coat

Re: Complex passwords?

I'm guessing it is more along the lines of "hewlettpackard" or "icarlyfiorina"

0
0
Gold badge
Unhappy

Re: Complex passwords?

"More relevant is that it doesn't matter what the password is, or how complex, if it is the same on every box!"

And that's the real b**ger of this issue.

It's a universal hole in everyone's hardware.

But you have to ask how many other mfgs do it?

The trouble is proper password management is a PITA.

Store them on a secure website? Congratulations all your passwords belong to the USG.

0
0
Facepalm

Re: Complex passwords?

For the love of Pete, at least make the serial number part of the login or password; that way your customers at least have a chance of fending off the haxors. Using "admin" and the serial number would at least narrow access down to reasonable levels, or at least not to everyone plus dog. Yikes!

0
0

OK, not great but...

You'd still need access to the MGMT VLAN to do anything with it anyway.

1
0
Linux

Re: OK, not great but...

Yes, well as long as there are no back doors in your routers too.

2
0
Boffin

Complexity !

Complexity is irrelevant in passwords; what's important is length.

"hp magic backdoor password"

is a better password than

"hp43!@#!ohOH"

0
0
Silver badge
Thumb Down

Re: Complexity !

No.

0
0
Silver badge

Re: Complexity !

"Complexity is irrelevant in passwords; what's important is length."

What's important is the number of bits of entropy in the password (although I guess you could say that's the length when expressed in binary). I reckon your second password counts as about 60 bits. Written English has only 1-3 bits of entropy per character, so there's a good chance your passwords are pretty similar in strength - it's certainly not definitely the case that the password you say is better really is the better one.

3
0
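A worked comparison of the two candidate passwords from this sub-thread under a few attacker models. This is an added example, not code from the original thread or from HP; the per-character English figure (1.3 bits), the Diceware-sized word list (7776 entries) and the brute-force character classes are assumptions chosen to illustrate the argument, not measurements. A naive brute-force count over the full printable ASCII set gives the symbol-heavy password a little more than the 60 bits estimated above; the interesting number is the lowest estimate for each password, because that is the model a competent cracker will use.

```python
"""Rough entropy estimates for a short mixed-class password versus a longer
English passphrase.  The attacker models below are illustrative assumptions;
real crackers use dictionaries and Markov models that are better still."""
import math
import string

# Character classes an attacker must cover in a blind brute-force search.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Assumed constants: Shannon-style entropy of written English per letter, and
# the size of a Diceware-style word list an attacker might assume was used.
ENGLISH_BITS_PER_CHAR = 1.3
WORDLIST_SIZE = 7776


def bruteforce_bits(pw: str) -> float:
    """Bits of work if every character must be brute-forced over the union of
    the character classes actually present in the password."""
    alphabet = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in pw))
    if " " in pw:
        alphabet += 1
    return len(pw) * math.log2(alphabet)


def english_text_bits(pw: str) -> float:
    """Bits of work if the attacker knows the string is ordinary English and
    models it at roughly ENGLISH_BITS_PER_CHAR per letter."""
    return len(pw) * ENGLISH_BITS_PER_CHAR


def wordlist_bits(pw: str) -> float:
    """Bits of work if the attacker knows the passphrase is N whole words
    drawn from a list of WORDLIST_SIZE words: N * log2(list size)."""
    return len(pw.split()) * math.log2(WORDLIST_SIZE)


def estimate(pw: str) -> dict:
    """Return each applicable model's estimate plus the worst case.  The
    language and word-list models only apply to strings made of plain words,
    which is exactly why a dictionary passphrase is weaker than its length
    alone suggests."""
    est = {"bruteforce": bruteforce_bits(pw)}
    if pw.replace(" ", "").isalpha():
        est["english_text"] = english_text_bits(pw)
        est["wordlist"] = wordlist_bits(pw)
    est["worst_case"] = min(est.values())
    return est


if __name__ == "__main__":
    # The two passwords proposed in the thread, used as constructed input.
    for candidate in ("hp magic backdoor password", "hp43!@#!ohOH"):
        print(repr(candidate))
        for model, bits in estimate(candidate).items():
            print(f"  {model:13s} {bits:6.1f} bits")
```

Under the brute-force model the 26-character passphrase looks far stronger (about 124 bits against about 79), but as soon as the attacker assumes English words the same passphrase drops to roughly 52 bits with a word list and about 34 bits with a per-letter language model. Length only helps when the attacker cannot narrow the search space; randomly chosen words from a known list, or a random character string, are what actually buy entropy.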
Happy

Re: Complexity !

Yes, and any random line from Omar Khayyam - easy to remember but difficult to break.

0
0
Anonymous Coward

In all fairness...

If you leave your storage array exposed to the outside world, you're asking for this sort of thing to happen. Anyone running major storage that's not on a private LAN or heavily ACL'ed should consider a career change.

2
1
Bronze badge
Paris Hilton

Ooo - imagine that!

0
0

And people said I was paranoid for avoiding HP storage products? LOL!!!

0
0
x50

This is fairly common practice in the industry. Some vendors (EMC) may have additional security measures in place (ESRS) to access the equipment but most large storage vendors have vendor accounts on the arrays, many hidden from their customers.

Many start-ups are taking this more seriously and I've seen an increase of devices from start-ups that require you to manually start a reverse tunnel to allow them access to the arrays. Ask your large vendors to start utilizing similar practices for better security.

0
0