back to article Watch out, office bods: A backdoor daemon lurks in HP LaserJets

A range of HP LaserJet printers suffer a security flaw that can leak data and passwords, the US Computer Emergency Response Team (CERT) warns. Users have been told to apply the firmware patches issued by HP that resolve the issue. HP says the security risk arose after it was discovered that several models of HP LaserJets …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    If you expose the Telnet port on your printers to outside attackers / untrusted networks then you have bigger problems than needed a firmware update imo...

    1. Robert Carnegie Silver badge

      Those aren't the only threats.

      Say the boss downloads some NSFW software that compromises his PC - then in this scenario, one of the things that a hacker can do is to connect from the perv-station to the printer. Or, say a disgruntled employee does it. Maybe all that he or she is disgruntled about is being last in line to use the printer, so, silently cancels everyone else's prints. It's still inappropriate to make that possible.

      1. PikeyDawg

        Re: Those aren't the only threats.

        Network security or even air gapping does not ensure protection against external threats (see STUXNET), much less internal.

        Agreed that is ridiculous not to lock down the firewalls, but that only gets you so far... which really isn't far at all. Proper security has to happen at all levels.

        1. Wzrd1

          Re: Those aren't the only threats.

          First thing to do, place all printers onto a segregated vlan that has no external access and only can be accessed by the print server.

          Now, any vulnerability has a modest protection, but it beats absolutely no protection.

      2. Matt Bryant Silver badge
        Pirate

        Re: Robert Carnegie - Those aren't the only threats.

        It's not just a matter of deleting other jobs in the queue, with certain models it's possible to also dump copies out of memory and send them over the LAN to another device. If you have a designated printer just for your MD then it would probably be of interest to competitors to be able to sneak off copies of all the documents he/she prints. Not sure about the MFPs listed, but some of the hp printers also have hard-drives which would make copying other people's print jobs even easier. Leaving debug code active in production kit really is a serious lapse and someone at hp deserves a slapping for it.

    2. Wzrd1

      Not a very good opinion then.

      There is also the insider threat, which is far more common than external threats.

  2. Locky

    Well you could hack it for passwords

    Or you could just change the "ready" message to "Out of Paper" like everyone else does

    1. Anonymous Coward
      Anonymous Coward

      Re: Well you could hack it for passwords

      OMG, my brand new samsung laser does exactly that (well, it says "Paper handling error", but near enough)... does that mean that it's been hacked, or just that the software is crap to begin with???

      (you can't see behind the mask, but tongue is very firmly in cheek!)

    2. Anonymous Coward
      Anonymous Coward

      Re: Well you could hack it for passwords

      PC LOAD LETTER shurely!

      1. Anonymous Coward
        Anonymous Coward

        Re: Well you could hack it for passwords

        What the fuck is PC LOAD LETTER?

        1. Anon

          Re: Well you could hack it for passwords

          PC LOAD LETTER means you forgot to change the paper cassette messages to INSERT 10p THEN PRESS CONTINUE.

        2. Dan 55 Silver badge
          Mushroom

          Re: Well you could hack it for passwords

          It means you should run back to the server at once and check if 'printer on fire' has been written to the console output.

        3. TheVogon
          Mushroom

          Re: Well you could hack it for passwords

          He means "PLEASE LOAD A4 PAPER"

        4. Ken Hagan Gold badge

          Re: What the fuck is PC LOAD LETTER?

          It's the error you get when viewing west-pondian documents on an east-pondian PC with software that is too stupid to make the obvious adjustments.

          1. Anonymous Coward
            Anonymous Coward

            Re: What the fuck is PC LOAD LETTER?

            It's a line from Office Space, if I remembered it correctly...

        5. TeeCee Gold badge
          Happy

          Re: Well you could hack it for passwords

          It means that some 'tard has forgotten to configure Word properly and left it in US Engrish along with the matching stationery defaults.

          What it actually means is; "Good morning/afternoon/evening. Some 'tard has left Word configured in US Engrish. If you have any, you can stuff some of that weird 'US Letter' stationery in the bypass tray, or you can just thump me in 'continue' and I'll print it on good old A4."

    3. Stuart 22 Silver badge
      Happy

      Re: Well you could hack it for passwords ... or upgrade to LaserJet 4L

      My 4L has successfully resisted all hackers since 1995 with no patches (eat your heart out Microsoft). It does now have a USB plug so it can serve as the office CUPS network printer hung off a RaspberryPi.

  3. Destroy All Monsters Silver badge
    Thumb Down

    "So, debug code is typically compiled out altogether in a release build."

    Which actually leads to horrible nightmares with buggy, uninspectable black box software.

    1. Anonymous Coward
      Anonymous Coward

      Um...

      Does it? On printers? When did you last debug a printer?

    2. Dan 55 Silver badge
      Trollface

      Good job leaving everything compiled in leads to predictable code paths and solid reliability so one can forgive the bloat, as can be seen from HP's Windows drivers.

    3. Roland6 Silver badge

      Which actually leads to horrible nightmares with buggy, uninspectable black box software.

      Aah the joys of embedded systems I remember them well!

  4. SharePoint-Bytes

    Old (black)hat Information

    This kind of vulnerability is as old as they come along with listening in on public SNMP. Seems people forget what they've learned in past situations and do it all again. Life imitating TELNET.

  5. ecofeco Silver badge

    Let's not forget...

    ...webcams and microphones!

  6. Anonymous Coward
    Anonymous Coward

    What happened to the paperless office?

    Oh, it went the way of Adobe and PDFs, which are far worse at security.

  7. Anonymous Coward
    Anonymous Coward

    Only for printers less than 3 years old?

    I guess we're safe, so - we can't afford to replace ours!

    1. Mark Allen
      Facepalm

      Re: Only for printers less than 3 years old?

      No, they mean the patches are only for printers less than 3 years old. HP expect you to replace their printers more often than in the days of the battleships that were the Laserjet 4 and 5. This is why they make them from cheap plastic...

      I used to work creating print servers for the OEM market and some of the security "features" left in them would make your hair stand on end!! Us developers would shout about the issues, but no one in Marketing\Sales either cared or wanted to spend any budget on making them truly secure. It all comes down to money.

      Example: being able to "upgrade" firmware via TCP port 9100 without a password... just a special code to start the special print job...

      1. Dan 55 Silver badge

        Re: Only for printers less than 3 years old?

        I'm sure architects and engineers could be found negligible for designing something obviously dangerous. Why is the same not true for software engineers?

        Or more to the point, if an architect or engineer says something can't be done, their decision is respected. Meanwhile button pushers get told to shut up and do it anyway.

        The question is can this be changed?

  8. Christian Berger

    "Telnet is "unencrypted, insecure and out of place in 2013""

    Well first of all, the interface probably doesn't run telnet. Telnet is more than just "terminal via TCP/IP", it actually defines ways to exchange capabilities of the terminals like line lengths, etc. This probably isn't done here.

    Then such a simple protocol may not be the the most current and hip way to do anything well defined, but this is a debugging aid. This essentially replaces a serial port on an internal pin header. There is nothing "out of place" there, it's just a sane and comfortable way of doing something.

    The problem is, that this debug interface is turned on by default and apparently cannot be turned off. That's the problem here. If I pay for my printer, I want to be able to use any debug interface it has, and even flash it with a new firmware whenever I choose to. I paid for the printer it's mine and I want to do whatever I see fit with it.

  9. Roland6 Silver badge

    It could of been worse

    Given there are several MFP's on the list, which will most probably be running some version of Unix, it is interesting that all that seems to be accessible via the telnet debug shell is the ability to read data - now will full root/su access a MFP could be really compromised...

  10. Anonymous Coward
    IT Angle

    Telnet debug shell?

    'HP says the security risk arose after it was discovered that several models of HP LaserJets feature a "telnet debug shell which could allow a remote attacker to gain unauthorized access to data".`

    I would have though they would have stripped out all debug directives in the production model? link

  11. Wzrd1

    Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".

    I'm forced to disagree. It most certainly does have a place in 2013.

    As an example of insecure protocol design.

    1. Matt Bryant Silver badge
      Boffin

      Re: Wzrd1 Re: Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".

      "......As an example of insecure protocol design." Well, to be fair (quiet, Local Dupe!), telnet wasn't designed with today's Internet in mind. It was originally designed in the much simpler networking World of the Sixties, for use on private campus networks to give remote terminal access, and for use inside secure networks it is still a useful and lightweight tool. It's security issues arise when used outside a secure network.

      1. Michael Wojcik Silver badge

        Re: Wzrd1 Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".

        It was originally designed in the much simpler networking World of the Sixties

        True, if by "the Sixties" we mean 1971-1972. RFCs 97, 137, 139, 158, 206, 215, 216, 318, and 393 - February 1971 through October 1972 - describe the original Telnet, from initial thoughts through the first implementations.

        1. Matt Bryant Silver badge
          Happy

          Re Wojcik Re: Wzrd1 Ducklin added that Telnet ......

          "True, if by "the Sixties" we mean 1971-1972....." Hmmm, I was taught (many, many years ago, admittedly) that Telnet grew out of RFC15 from 1969, which was in turn based on work of Bob "I'm-too-lazy-to-use-three-different-terminals" Taylor in the ARPANET project.

    2. Michael Wojcik Silver badge

      Re: Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".

      Ducklin is wrong on all three points.

      Telnet certainly can be used without encryption, and insecurely. It can also be used with encryption - via Telnet-over-SSL1, or Telnet with StartTLS2, or Telnet Data Encryption Option3. It can be used with secure authentication mechanisms, using client certificates or pre-standard Telnet-with-SRP4 or Telnet AUTH 5.

      The "Telnet is insecure" canard is typically followed by "just use ssh, it's secure", with no mention of the many insecure ways in which ssh is commonly used - like accepting any fingerprint that the server offers.

      1 No specific standard, but there are a number of existing implementations.

      2 The ID for Telnet with StartTLS expired, but there's at least one open-source implementation.

      3 RFCs 2946-2950.

      4 For example with the SRP-patched version of TeraTerm Pro.

      5 RFCs 2941-2944.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022