back to article HP plugs password-leaking printer flaw

Security flaws in a range of HP printers create a way for hackers to lift administrator's passwords and other potentially sensitive information from vulnerable devices, infosec experts have warned. HP has released patches for the affected LaserJet Pro printers to defend against the vulnerability (CVE-2013-4807), which was …

COMMENTS

This topic is closed for new posts.
  1. Mr C

    Make a hole in the air

    I am pleasantly surprised that someone took the time and effort to probe a consumer device for security holes.

    I am pretty sure that the vast majority of devices known in existence have holes in them, somehow, but so few of them have been found out.

    Built in 'forgotten' backdoors with root-access? Buffer overflow vulnerabilities? Unencrypted communications over networks? The list goes on and on.

    I am not sure how much it matters though, as the average john-doe will still be pretty safe even with devices with holes in em. I can't possibly imagine my neighbor trying to hack my printer to gain access, it seems the stuff movies are made of.

    Having said that, I'm pretty sure intelligence agencies are happily making a list of how to compromise your fridge though :)

    1. Anonymous Coward
      Anonymous Coward

      Re: Make a hole in the air

      That depends upon who your neighbour is.

      What if you live in a block of flats?

      Or of your office is near to that of a competing company?

      1. Anonymous Coward
        Thumb Down

        Re: Make a hole in the air

        "That depends upon who your neighbour is.

        What if you live in a block of flats?

        Or of your office is near to that of a competing company?"

        And what can they do other than mess up settings for a laugh? These are printers , they just print. This isn't a security issue, just an annoyance issue.

        1. David Austin

          Re: Make a hole in the air

          Reading through this, The biggest potential problem is being able to extract the Wifi settings, letting you hook in a rogue device to the network

        2. Phil O'Sophical Silver badge

          Re: Make a hole in the air

          Some printers can scan, and can be configured to send the scan results to multiple places...

        3. Ian 55

          Re: Make a hole in the air

          See internetcensus2012.bitbucket.org/paper.html - last year there were about 200,000 printers visible on the internet and someone used many of them - and hundreds of thousands of other insecure devices - to create a huge botnet.

    2. Arthur 1

      Re: Make a hole in the air

      As someone who works in an industry where I regularly deal with embedded hardware (third party and otherwise) and tying it to software, I can say that even most firmware designed for high security installations is 1980s levels of vulnerable. Usually you can telnet to a root shell with no password, sometimes it's hidden on a high port, and very often if you know the HTTP API (whether CGI commands, RESTful or occasionally a web service) password authentication isn't even done. Also, encrypting passwords on the wire is arcane magic that nobody should ever even consider.

      But that's okay, it's not like we sell security related devices to enterprise, government and military. I'm definitely not aware of several AFBs in the US which could be totally compromised by a six year old with a user manual...

  2. SteveK

    The more things change, the more they stay the same...

    I remember 10 years or so discovering that the admin password for HP Jetdirect cards was retrievable in plaintext via SNMP, with the default public community string...

  3. Captain Scarlet

    Its only the small ones only MD's have

    Ah thats ok then, they'll break before someone attempts to hack (Or even print) one of them.

  4. Anonymous Coward
    Anonymous Coward

    Already said that this was a bad idea.

    http://forums.theregister.co.uk/forum/1/2010/06/07/hp_email_ready_printers/

This topic is closed for new posts.

Other stories you might like