HP printer hack risk prompts update

Users of HP LaserJet printers need to apply a firmware update following the discovery of a potentially troublesome vulnerability. The security bug creates a means for hackers to gain access to files sent to printers via the web administration console on vulnerable machines. A security advisory from HP explains various versions …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    ...something obvious...

    This is an internal exploit only, 'cos you've got to get in thru the company firewall first.

    ....and if they're happy with that (and you can view files on the LAN) then they're probably not too bothered about you being able to see the printer config.

    Printing the random documents you find in the cache is only going to get you ones containing Betty's shopping list and Barney's list of pr0n sites (as any fule no).

    The best way to get a copy of sensitive data is always going to be this:

    1, stand next to printer.

    2, steal document

    If anyone says that they've lost a document (and you want to keep a copy) then think about photocopying it. Then you can miraculously "find" their document in the pile of paper you now have with you...

  2. G2
    Joke

    musical printer

    i guess the printers could be made to download mp3s then, eh ? :P

    /LOL

  3. A J Stiles
    Paris Hilton

    What?

    Who the fuck forwards *any* ports from the outside world to their *printer* ?

    Paris. Because even she is too smart for that.

    (hmm ..... I've just had an idea for a new form of spamming ..... try IP addresses in turn to see if port 9100 is open).

  4. Anonymous Coward

    @A J Stiles

    That would be a great idea for a piece of ware - once inside an organisation scan local subnets and print stuff out.

  5. b166er

    HP Malware

    An OfficeJet printer driver I installed the other day consumed 650Mb!

  6. James O'Shea

    re What?

    The people who forward ports from the outside world to their printers include people who have personnel who work outside the office and who sometimes need to connect to devices inside the office. Including printers.

  7. Anonymous Coward
    Stop

    @James O'Shea

    "who sometimes need to connect to devices inside the office"

    That's what a VPN is for.

  8. Jon Minhinnick
    Boffin

    Re re What?

    One word: VPN.

    FTW!

    (PS: Is "VPN" a "word"?!?)

  9. Anonymous Coward

    Other problems

    Administrators regularly fail to change the default admin password, or even set one in the first place. A while back I did a network scan at the university I was at. Found the main printer in the administration building, no security whatsoever. I had complete access to the configuration, print queue, recently printed documents, everything. A malicious hacker could have kept himself entertained for weeks, causing trouble for users until they learned to secure it.

  10. Anonymous Coward

    which hole ridden cheese are you?

    Postscript malware. Again. LOL.

    http://catless.ncl.ac.uk/Risks/10.35.html#subj8 (et al.)

  11. Lee
    Thumb Up

    Printing from home?

    Hang on, it's hardly convenient - I'm at home and my printout is appearing in the office 50 miles away?

    I like our solution - no direct printing and employee badge is needed to collect your output.

    Yet....for some crazy reason, you still find unclaimed output on the printer. I usually dump it in the shredder bins - that usually learns them ;)

  12. Norfolk Enchants Paris

    @Lee

    I can't work anywhere that requires an employee badge. Or uniform for that matter.

  13. A J Stiles
    Boffin

    @ James O'Shea

    If, for some unspecified reason, you really want someone to have the ability to print to the office printer while they're physically away from the office, there are better ways of doing it than throwing port 9100 open to 0.0.0.0/0. How about setting up an SSH tunnel, and tying it to the static IP address of the broadband connection you provided so that your employee could work from home?

    Of course, there's still the issue of what exactly they are going to do with their printout anyway, if they're not there to pick it up .....
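
An added example, not part of any comment in this thread: a Python check over `iptables-save` NAT output that flags the setup comment 13 warns about, a port forward to a printer port with no source restriction, and passes one tied to a single static address. Treating LPD (515) and IPP (631) as printer ports alongside 9100 is an assumption of this example, and the sample ruleset and all addresses are constructed.

```python
import shlex

# Raw printing (9100, from the thread); LPD 515 and IPP 631 are added assumptions.
PRINTER_PORTS = {"9100", "515", "631"}
ANY_SOURCE = {None, "0.0.0.0/0"}

# Constructed sample in iptables-save format (documentation/private addresses).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9100 -j DNAT --to-destination 10.0.0.50:9100
-A PREROUTING -s 203.0.113.7/32 -i eth0 -p tcp -m tcp --dport 9101 -j DNAT --to-destination 10.0.0.51:9100
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 10.0.0.10:443
-A PREROUTING -s 0.0.0.0/0 -i eth0 -p tcp -m tcp --dport 6310 -j DNAT --to-destination 10.0.0.52:631
COMMIT
"""


def parse_rule(line):
    """Map each option of one '-A' rule to its value; negated options get a '!' prefix."""
    tokens = shlex.split(line)
    opts, negate, i = {}, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else "-"
        if tok.startswith("-") and nxt != "!" and not nxt.startswith("-"):
            opts[("!" if negate else "") + tok] = nxt
            i += 2
        else:
            i += 1
        negate = False
    return opts


def exposed_printer_forwards(ruleset):
    """Return (external_port, internal_target) for printer forwards open to any source."""
    findings = []
    for line in ruleset.splitlines():
        opts = parse_rule(line.strip())
        if opts.get("-A") != "PREROUTING" or opts.get("-j") != "DNAT":
            continue
        dest, dport = opts.get("--to-destination", ""), opts.get("--dport")
        # Target port is explicit in --to-destination, otherwise the matched port.
        target_port = dest.rpartition(":")[2] if ":" in dest else dport
        # A negated source ("! -s ...") is stored as "!-s", so it counts as unrestricted.
        if target_port in PRINTER_PORTS and opts.get("-s") in ANY_SOURCE:
            findings.append((dport, dest))
    return findings
```

A forward remapped to a different external port (6310 to 631 here) is still reported, since the check keys on the internal target port rather than the port exposed outside.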

  14. James O'Shea

    printing remotely

    It usually wouldn't be stuff the remote user wanted, but stuff that had to be printed for someone at the office. And it'd usually be guys who were not merely away from the office, but out on the road. As in connecting in via dial-up from St. Lucia or backwoods Costa Rica or some such. VPN? Wa dat? They were lucky to get a modem...

  15. A J Stiles

    @ James O'Shea

    "[N]ot merely away from the office, but out on the road. As in connecting in via dial-up from St. Lucia or backwoods Costa Rica or some such."

    Ah, point taken. But still, why not just use `chmod a+r` on the file on the server where it's located (so anyone can read it), then get someone who is actually in the office to print it? Or, if it's actually on the person's own laptop, scp it to a server inside the office? The PostScript representation required by the printer often is much larger than the original file, so chances are it'll even work out quicker that way anyway (especially if they're using a modem).

    I'm surprised nobody is using this to send spam directly to printers. Or at the very least to pull some variant of the old

    $ echo @PLJ RDYMSG DISPLAY="INSERT COIN" |nc 12.34.56.78 9100

    trick, maybe changing the message to "BUY VIAGRA 1.99" or something similar.
