HP storage: more possible backdoors

Technion, the blogger who recently turned up an undocumented back door in HP's StoreOnce, has turned up similar issues in other HP products - publicised on support forums by the company, but unnoticed at the time. According to his trawling of various HP support forums, he has told The Register there appear to be company …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Any sources on this one? The "lolware" guy previously posted a partially-complete rant without specifying versions or publishing details of correspondence, which was frustrating to actual security researchers and customers.

    I'm willing to try this out, but without technical detail, can you confirm this is an issue? Did HP have a comment on this one?

  2. Anonymous Coward

    They're based in NSA controlled territory

    You can bet that, if the backdoors weren't put there for the NSA, now the NSA knows about them, he'll be there at HP's office with a secret warrant.

    I bet HP even 'voluntarily' revealed the security vulnerability, the way that Microsoft revealed zero day leaks to the NSA... which they use in Stuxnet.

    Sorry HP, I like my router, but it had to go, because I can't trust it doesn't have an NSA backdoor. Likewise I'd be a chump to use your storage kit for any business.

    1. Matt Bryant Silver badge
      Facepalm

      Re: AC Re: They're based in NSA controlled territory

      You and ge really need to ditch the tinfoil hats and actually do some reading on the matter. The very documented "undocumented" hpsupport login previously "exposed" by this twit gave nothing more than engineer access to the base OS of the D2D and no access to data, and you had to get onto the console to use it, so not much use to The Big Bad Man.

      1. Tombone

        It gives them full access to everything remotely

        Well one of us needs to read:

        "That suggests the devices include an HP-accessible support account has been incorporated into the LeftHand 9.0 and higher code"

        So they have an account on the system. The account can be used to set passwords for other accounts, so it has access to those accounts too. (at minimum)

        “Call support. They can reset the password remotely.”

        So it's a *remote* backdoor too. NSA can even listen in on the calls.

        So the article says the exact opposite. HP is in NSA land, which means if you're running HP kit and it's connected to the net, you need to as a matter of urgency take it offline and replace it with more trusted kit. Personally I switched to Thomson (a router) kit, but I'd also have accepted Korean and German kit.

        I'm betting it also lets them remote upgrade the firmware, which likely makes it a total root remote exploit. It's the sort of dumb choice made by people who put in backdoors.

        Business 101, you have a legal obligation to protect your business data from foreign snooping, your employees from foreign snooping, the company financial data from foreign snooping, bank transactions the lot. It sucks, but that's the world as it is now.

    2. Tom Paine

      Re: They're based in NSA controlled territory

      So which alternative vendor have you switched to? Huawei?

  3. g e

    Hmmm let me see...

    If I made some software and put a back door into it, I think I'd go to prison or at least expect to be sued lots and lots by every single customer whose shit I'd intentionally compromised.

    Unless that backdoor was for the NSA, presumably.

    1. Velv
      Big Brother

      Re: Hmmm let me see...

      Depends if it's a back door or if it's part of the support contract (I agree it should probably be clearer).

      This is software running on specific hardware that users have a support contract for with HP. This is not MS Office that you can install on any device in your home or company. You should at least attempt to compare oranges and pears.

      Yes, a "back door" or "support access" is a potential attack vector - but what does it actually take to exploit? What is the residual risk after all the mitigating factors have been taken into account? Now, if it's proven HP haven't taken security seriously, FAIL on HP.

    2. swschrad

      revenue enhancement mechanism

      you all realize that classically, the backdoor also represented a revenue enhancement and retainment device. "OK, Mr. bigshot, so you're not renewing your support contract. May I remind you that on the 31st, we will recover our software at the end of support?" mostly when the ripcord is pulled, the customer quickly signs up at a, ahhh, less-special discount.

      1. Matt Bryant Silver badge
        WTF?

        Re: swschrad Re: revenue enhancement mechanism

        "....we will recover our software at the end of support...." Gosh, what a horrific story! So, tell me, when has this actually happened with any hp kit? Please excuse me for asking for some form of verifiable event, it's not really that I think you're talking out of your rectum, honest.

        My experience with software and hardware from a wide selection of vendors is that, at worst, out-of-license software simply refuses to carry out new tasks until a new license key is applied, and nothing was ever "recovered" and no data deleted.

  4. Anonymous Coward

    That suggests the devices include an HP-accessible support account has been incorporated into the LeftHand 9.0 and higher code – and the accounts have existed since as far back as 2009.

    As has been demonstrated many times over, any remotely-accessible login provides a potential attack vector, should the userid and password be discovered by attackers.

    OK now show us all a single customer who makes their HP backend storage 'publicly accessible'.

    If you're classifying this as a security 'backdoor' then presumably the well known default accounts and passwords for SAN switches are security backdoors? At least if you make them publicly accessible.

    Now about this password... you do realize many vendors use specially written password generators for accounts such as the one you're talking about here. Where a unique time limited password is generated for the account when login is needed, like IBM for example, who have done exactly that on IBM support accounts on their enterprise systems for years.

    Security backdoor my arse.

    1. Tom Paine

      Right, because attackers only ever come through the public Internet-facing interfaces. Of course they do. Everything else -- hey, it's inside the firewall, so it MUST be secure! I bet you run anti-virus software, too, just in case. Gosh, if only networks and sites that get hacked were as smart as you are!

      1. Anonymous Coward

        any remotely-accessible login provides a potential attack vector

        When you're commenting upon an article which is about remotely accessible logins being used as an attack vector, it's useful to address the point being made. Like I did.

        Now if you want to talk about someone posing as an employee and walking through the door, we could do that.

        Or if you want to talk about a cracker compromising a public facing server, and launching an attack from that server, we could do that.

        Neither of those is about accessing a remotely accessible login on the HP box though is it?

  5. Down not across

    "The hardware used to include a hard-reset button to set the factory defaults but this was removed as a security measure (that is, so insiders couldn't give themselves admin privileges to hardware they shouldn't access by resetting it). However, the solution seems to Technion no better: administrative password recovery is now carried out remotely by HP support."

    ...or to ensure customers keep paying HP support contracts.

    (Yes of course companies pay support, however when hardware gets nearer end of life it may still be in use for non-critical tasks and often not worth paying the support costs for).

    1. Pookietoo

      RE: when hardware gets nearer end of life ...

      ... you rip the cover off and short the two obvious solder pads that used to connect the reset switch?

  6. a_mu

    Virgin media modems also ?

    Been talking with virgin media support,

    they have told me what MAC and IP addresses I have on my network, how long the modem has been connected and lots of other stuff.

    wonder what other back doors there are in the "super hub "

    1. Anonymous Coward

      Re: Virgin media modems also ?

      wonder what other back doors there are in the "super hub "

      That'll depend upon what version of firmware it's running, like whether the wireless works or not, or whether you get good download speeds or not.

    2. Pookietoo
      Big Brother

      Re: Virgin media modems also ?

      That's a device that belongs to Virgin and is connected directly to their network - of course they want to manage it remotely. If you don't want them snooping around "your" LAN then put a router in the way.

      1. a_mu

        Re: Virgin media modems also ?

        re it's Virgin's, so they can do what they want,

        actually a good point,

        I still think of the thing as a modem, with MY router, which it has not been since the 'upgrade' to the superhub.

        so now I need a firewall / router that can handle the 100 Mb connection speed,

        now that's another problem

  7. Tom Paine

    It's not just HP who sprinkle poorly documented / unconfigurable backdoors across their products:

    http://en.community.dell.com/support-forums/servers/f/906/t/19514076.aspx

    There's a great line in there from the Dell support person posting on the thread. You'll know it when you see it...

    1. Anonymous Coward
      Facepalm

      thanks....

      I really wanted to work next weekend...

  8. ChickenSoup
    WTF?

    If this is the feature that was removed around version 9, it's not really a big deal.

    With console access to a node from the default login menu you could hold down shift and type LHN to bring up a support menu.

    From this menu you could select that you required a support shell, a one time challenge is displayed on the screen and HP have a response generator.

    No hidden account, no default system password, just a pretty secure manner to serve a customer need.
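
Added example (not part of the comment thread, and not HP's or IBM's code): a sketch of the one-time challenge/response support access described in the comment above, combined with the time limit mentioned for generated support passwords in comment 4. The HMAC construction, the names `SupportConsole` and `vendor_response`, the 300-second lifetime and the sample key and serial are assumptions for illustration; the thread does not say how any vendor's generator works.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # assumed lifetime, in seconds, of a displayed challenge


def vendor_response(device_key: bytes, serial: str, challenge: str) -> str:
    """Vendor-side generator: the response is bound to one device and one challenge."""
    msg = f"{serial}|{challenge}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:16]


class SupportConsole:
    """Device side (hypothetical): issues a fresh challenge at the local console."""

    def __init__(self, device_key: bytes, serial: str, clock=time.time):
        # A per-device key limits the damage if one unit's firmware is dumped;
        # a key shared by every unit would act like a static support password.
        self._key, self._serial, self._clock = device_key, serial, clock
        self._pending = None  # (challenge, issued_at) or None

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(8)  # 64 random bits, unpredictable
        self._pending = (challenge, self._clock())
        return challenge

    def verify(self, response: str) -> bool:
        if self._pending is None:
            return False
        challenge, issued_at = self._pending
        self._pending = None  # single use: any attempt consumes the challenge
        if self._clock() - issued_at > CHALLENGE_TTL:
            return False  # time-limited: stale challenges are rejected
        expected = vendor_response(self._key, self._serial, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample key
    console = SupportConsole(key, "SN-EXAMPLE-0001")  # constructed serial
    shown = console.new_challenge()
    print("challenge:", shown)
    print("accepted:", console.verify(vendor_response(key, "SN-EXAMPLE-0001", shown)))
```

The properties to audit in any such scheme are the ones the code enforces: the response is useless on another device, cannot be replayed, and expires.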

  9. Anonymous Coward

    Required by NSA?

    I understand these back doors are not in fact features by engineers just to show how cool they are. They are required by the NSA so they can spy on you!
