Security flaws in a range of HP printers create a way for hackers to lift administrator's passwords and other potentially sensitive information from vulnerable devices, infosec experts have warned. HP has released patches for the affected LaserJet Pro printers to defend against the vulnerability (CVE-2013-4807), which was …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Thursday 8th August 2013 10:16 GMT Mr C

Make a hole in the air

I am pleasantly surprised that someone took the time and effort to probe a consumer device for security holes.

I am pretty sure that the vast majority of devices known in existence have holes in them, somehow, but so few of them have been found out.

Built in 'forgotten' backdoors with root-access? Buffer overflow vulnerabilities? Unencrypted communications over networks? The list goes on and on.

I am not sure how much it matters though, as the average john-doe will still be pretty safe even with devices with holes in em. I can't possibly imagine my neighbor trying to hack my printer to gain access, it seems the stuff movies are made of.

Having said that, I'm pretty sure intelligence agencies are happily making a list of how to compromise your fridge though :)

2 0
1. Thursday 8th August 2013 10:32 GMT Anonymous Coward
  
  Re: Make a hole in the air
  
  That depends upon who your neighbour is.
  
  What if you live in a block of flats?
  
  Or of your office is near to that of a competing company?
  
  0 1
  1. Thursday 8th August 2013 11:07 GMT Anonymous Coward
    
    Re: Make a hole in the air
    
    "That depends upon who your neighbour is.
    
    What if you live in a block of flats?
    
    Or of your office is near to that of a competing company?"
    
    And what can they do other than mess up settings for a laugh? These are printers , they just print. This isn't a security issue, just an annoyance issue.
    
    0 0
    1. Thursday 8th August 2013 11:12 GMT David Austin
      
      Re: Make a hole in the air
      
      Reading through this, The biggest potential problem is being able to extract the Wifi settings, letting you hook in a rogue device to the network
      
      0 0
    2. Thursday 8th August 2013 11:19 GMT Phil O'Sophical
      
      Re: Make a hole in the air
      
      Some printers can scan, and can be configured to send the scan results to multiple places...
      
      0 0
    3. Friday 9th August 2013 17:25 GMT Ian 55
      
      Re: Make a hole in the air
      
      See internetcensus2012.bitbucket.org/paper.html - last year there were about 200,000 printers visible on the internet and someone used many of them - and hundreds of thousands of other insecure devices - to create a huge botnet.
      
      0 0
2. Thursday 8th August 2013 14:19 GMT Arthur 1
  
  Re: Make a hole in the air
  
  As someone who works in an industry where I regularly deal with embedded hardware (third party and otherwise) and tying it to software, I can say that even most firmware designed for high security installations is 1980s levels of vulnerable. Usually you can telnet to a root shell with no password, sometimes it's hidden on a high port, and very often if you know the HTTP API (whether CGI commands, RESTful or occasionally a web service) password authentication isn't even done. Also, encrypting passwords on the wire is arcane magic that nobody should ever even consider.
  
  But that's okay, it's not like we sell security related devices to enterprise, government and military. I'm definitely not aware of several AFBs in the US which could be totally compromised by a six year old with a user manual...
  
  0 0
Thursday 8th August 2013 12:14 GMT SteveK

The more things change, the more they stay the same...

I remember 10 years or so discovering that the admin password for HP Jetdirect cards was retrievable in plaintext via SNMP, with the default public community string...

1 0
Thursday 8th August 2013 12:59 GMT Captain Scarlet

Its only the small ones only MD's have

Ah thats ok then, they'll break before someone attempts to hack (Or even print) one of them.

0 0
Friday 9th August 2013 16:37 GMT Anonymous Coward

Already said that this was a bad idea.

http://forums.theregister.co.uk/forum/1/2010/06/07/hp_email_ready_printers/

0 0