back to article HP storage: more possible backdoors

Technion, the blogger who recently turned up an undocumented back door in HP's StoreOnce, has turned up similar issues in other HP products - publicised on support forums by the company, but unnoticed at the time. According to his trawling of various HP support forums, he has told The Register there appear to be company …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Any sources on this one? The "lolware" guy previously posted a partially-complete rant without specifying versions or publishing details of correspondence, which was frustrating to actual security researchers and customers.

    I'm willing to try this out, but without technical detail, can you confirm this is an issue? Did HP have a comment on this one?

  2. Anonymous Coward
    Anonymous Coward

    They're based in NSA controlled territory

    You can bet that, if the backdoors weren't put there for the NSA, now the NSA knows about them, he'll be there at HPs office with a secret warrant.

    I bet HP even 'voluntarily' revealed the security vulnerability, the way that Microsoft revealed zero day leaks to the NSA... which they use in Stuxnet.

    Sorry HP, I like my router, but it had to go, because I can't trust it doesn't have an NSA backdoor. Likewise I'd be a chump to use your storage kit for any business.

    1. Matt Bryant Silver badge

      Re: AC Re: They're based in NSA controlled territory

      You and ge really need to ditch the tinfoil hats and actually do some reading on the matter. The very documented "undocumented" hpsupport login previously "exposed" by this twit gave nothing more than engineer access to the base OS of the D2D and no access to data, and you had to get onto the console to use it, so not much use to The Big Bad Man.

      1. Tombone

        It gives them full access to everything remotely

        Well one of us needs to read:

        "That suggests the devices include an HP-accessible support account has been incorporated into the LeftHand 9.0 and higher code"

        So they have an account on the system. The account can be used to set passwords for other accounts, so it has access to those accounts too. (at minimum)

        “Call support. They can reset the password remotely.”

        So it's a *remote* backdoor too. NSA can even listen in on the calls.

        So the article says the exact opposite. HP is in NSA land, which mean if you're running HP kit and its connected to the net, you need to as a matter of urgency take it offline and replace it with more trusted kit. Personally I switched to Thomson (a router) kit, but I'd also have accepted Korea and German kit.

        I'm betting it also lets them remote upgrade the firmware, which likely makes it a total root remote exploit. It's the sort of dumb choice made by people who put in backdoors.

        Business 101, you have a legal obligation to protect your business data from foreign snooping, your employees from foreign snooping, the company financial data from foreign snooping, bank transactions the lot. It sucks, but that's the world as it is now.

    2. Tom Paine

      Re: They're based in NSA controlled territory

      So which alternative vendor have you switched to? Huawei?

  3. g e

    Hmmm let me see...

    If I made some software and put a back door into it, I think I'd go to prison or at least expect to be sued lots and lots by every single customer whose shit I'd intentionally compromised.

    Unless that backdoor was for the NSA, presumably.

    1. Velv
      Big Brother

      Re: Hmmm let me see...

      Depends if its a back door or if its part of the support contract (I agree it should probably be clearer).

      This is software running on specific hardware that users have a support contract for with HP. This is not MS Office that you can install on any device in your home or company. You should at least attempt to compare oranges and pears.

      Yes, a "back door" or "support access" is a potential attack vector - but what does it actually take to exploit? What is the residual risk after all the mitigating factors have been taken into account. Now, if its proven HP haven't taken security seriously, FAIL on HP.

    2. swschrad

      revenue enhancement mechanism

      you all realize that classically, the backdoor also represented a revenue enhancement and retainment device. "OK, Mr. bigshot, so you're not renewing your support contract. May I remind you that on the 31st, we will recover our software at the end of support?" mostly when the ripcord is pulled, the customer quickly signs up at a, ahhh, less-special discount.

      1. Matt Bryant Silver badge

        Re: swschrad Re: revenue enhancement mechanism

        "....we will recover our software at the end of support...." Gosh, what a horrific story! So, tell me, when has this actually happened with any hp kit? Please excuse me for asking for some form of verifiable event, it's not really that I think you're talking out of your recturm, honest.

        My experience with software and hardware from a wide selection of vendors is that, at worst, out-of-license software simply refuses to carry out new tasks until a new license key is applied, and nothing was ever "recovered" and no data deleted.

  4. Anonymous Coward
    Anonymous Coward

    That suggests the devices include an HP-accessible support account has been incorporated into the LeftHand 9.0 and higher code – and the accounts have existed since as far back as 2009.

    As has been demonstrated many times over, any remotely-accessible login provides a potential attack vector, should the userid and password be discovered by attackers.

    OK now show us all a single customer who make their HP backend storage 'publicly accessable'.

    If you're classifying this as a security 'backdoor' then presumably the well known default accounts and passwords for SAN switches are security backdoors? At least if you make them publicly accessable.

    Now about this password... you do realize many vendors use specially written password generators for accounts such as the one you're talking about here. Where a unique time limited password is generated for the account when login is needed, like IBM for example, who have done exactly that on IBM support accounts on their enterprise systems for years.

    Security backdoor my arse.

    1. Tom Paine

      Right, because attackers only ever come through the public Internet-facing interfaces. Of course they do. Everything else -- hey, it's inside the firewall, so it MUST be secure! I bet you run anti-virus software, too, just in case. Gosh, if only networks and sites that get hacked were as smart as you are!

      1. Anonymous Coward
        Anonymous Coward

        any remotely-accessible login provides a potential attack vector

        When you're commenting upon an article which is about remotely accessible logins being used as an attack vector, it's useful to address the point being made. Like I did.

        Now if you want to talk about someone posing as an employee and walking through the door, we could do that.

        Or if you want to talk about a cracker compromising a public facing server, and launching an attack from that server, we could do that.

        Neither of those is about accessing a remotely accessible login on the HP box though is it?

  5. Down not across Silver badge

    "The hardware used to include a hard-reset button to set the factory defaults but this was removed as a security measure (that is, so insiders couldn't give themselves admin privileges to hardware they shouldn't access by resetting it). However, the solution seems to Technion no better: administrative password recovery is now carried out remotely by HP support."

    ...or to ensure customers keep paying HP support contracts.

    (Yes of course companies pay support, however when hardware gets nearer end of life it may still be in use for non-critical tasks and often not worth paying the support costs for).

    1. Pookietoo

      RE: when hardware gets nearer end of life ...

      ... you rip the cover off and short the two obvious solder pads that used to connect the reset switch?

  6. a_mu

    Virgin media modems also ?

    Been talking with virgin media support,

    they have told me what mac and IP address's I have on my network, how long the modem has been connected and lots of other stuff.

    wonder what other back doors there are in the "super hub "

    1. Anonymous Coward
      Anonymous Coward

      Re: Virgin media modems also ?

      wonder what other back doors there are in the "super hub "

      That'll depend upon what version of firmware it's running, like whether the wireless works or not, or whether you get good download speeds or not.

    2. Pookietoo
      Big Brother

      Re: Virgin media modems also ?

      That's a device that belongs to Virgin and is connected directly to their network - of course they want to manage it remotely. If you don't want them snooping around "your" LAN then put a router in the way.

      1. a_mu

        Re: Virgin media modems also ?

        re its Virgins, so they can do what they want,

        actually a good point,

        I still think of the thing as a modem, with MY router, which it has not been since the 'upgrade' to the superhub.

        so now I need a firewall / router that can handle the 100 Mb connection speed,

        now thats another problem

  7. Tom Paine

    It's not just HP who sprinkle poorly documented / unconfigurable backdoors across their products:

    There's a great line in there from the Dell support person posting on the thread. You'll know it when you see it...

    1. Anonymous Coward


      I really wanted to work next weekend...

  8. ChickenSoup

    If this is the feature that was removed around version 9, it's not really a big deal.

    With console access to a node from the default login menu you could hold down shift and type LHN to bring up a support menu.

    From this menu you could select that you required a support shell, a one time challenge is displayed on the screen and HP have a response generator.

    No hidden account, no default system password, just a pretty secure manner to serve a customer need.

  9. Anonymous Coward
    Anonymous Coward

    Required by NSA?

    I understand these back doors are not in faact features by engineerws just to show how cool they are. They are required by the NSA so they can spy on you!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022