If you expose the Telnet port on your printers to outside attackers / untrusted networks then you have bigger problems than needing a firmware update imo...
Watch out, office bods: A backdoor daemon lurks in HP LaserJets
A range of HP LaserJet printers suffer a security flaw that can leak data and passwords, the US Computer Emergency Response Team (CERT) warns. Users have been told to apply the firmware patches issued by HP that resolve the issue. HP says the security risk arose after it was discovered that several models of HP LaserJets …
-
Friday 15th March 2013 11:38 GMT Robert Carnegie
Those aren't the only threats.
Say the boss downloads some NSFW software that compromises his PC - then in this scenario, one of the things that a hacker can do is to connect from the perv-station to the printer. Or, say a disgruntled employee does it. Maybe all that he or she is disgruntled about is being last in line to use the printer, so, silently cancels everyone else's prints. It's still inappropriate to make that possible.
-
Friday 15th March 2013 14:04 GMT PikeyDawg
Re: Those aren't the only threats.
Network security or even air gapping does not ensure protection against external threats (see STUXNET), much less internal.
Agreed that it is ridiculous not to lock down the firewalls, but that only gets you so far... which really isn't far at all. Proper security has to happen at all levels.
-
Friday 15th March 2013 19:34 GMT Matt Bryant
Re: Robert Carnegie - Those aren't the only threats.
It's not just a matter of deleting other jobs in the queue, with certain models it's possible to also dump copies out of memory and send them over the LAN to another device. If you have a designated printer just for your MD then it would probably be of interest to competitors to be able to sneak off copies of all the documents he/she prints. Not sure about the MFPs listed, but some of the hp printers also have hard-drives which would make copying other people's print jobs even easier. Leaving debug code active in production kit really is a serious lapse and someone at hp deserves a slapping for it.
-
Friday 15th March 2013 11:26 GMT Anonymous Coward
Re: Well you could hack it for passwords
OMG, my brand new Samsung laser does exactly that (well, it says "Paper handling error", but near enough)... does that mean that it's been hacked, or just that the software is crap to begin with???
(you can't see behind the mask, but tongue is very firmly in cheek!)
-
Monday 18th March 2013 09:08 GMT TeeCee
Re: Well you could hack it for passwords
It means that some 'tard has forgotten to configure Word properly and left it in US Engrish along with the matching stationery defaults.
What it actually means is; "Good morning/afternoon/evening. Some 'tard has left Word configured in US Engrish. If you have any, you can stuff some of that weird 'US Letter' stationery in the bypass tray, or you can just thump me in 'continue' and I'll print it on good old A4."
-
Friday 15th March 2013 16:12 GMT Mark Allen
Re: Only for printers less than 3 years old?
No, they mean the patches are only for printers less than 3 years old. HP expect you to replace their printers more often than in the days of the battleships that were the LaserJet 4 and 5. This is why they make them from cheap plastic...
I used to work creating print servers for the OEM market and some of the security "features" left in them would make your hair stand on end!! Us developers would shout about the issues, but no one in Marketing\Sales either cared or wanted to spend any budget on making them truly secure. It all comes down to money.
Example: being able to "upgrade" firmware via TCP port 9100 without a password... just a special code to start the special print job...
-
Saturday 16th March 2013 09:54 GMT Dan 55
Re: Only for printers less than 3 years old?
I'm sure architects and engineers could be found negligent for designing something obviously dangerous. Why is the same not true for software engineers?
Or more to the point, if an architect or engineer says something can't be done, their decision is respected. Meanwhile button pushers get told to shut up and do it anyway.
The question is can this be changed?
-
Friday 15th March 2013 16:27 GMT Christian Berger
"Telnet is "unencrypted, insecure and out of place in 2013""
Well first of all, the interface probably doesn't run telnet. Telnet is more than just "terminal via TCP/IP", it actually defines ways to exchange capabilities of the terminals like line lengths, etc. This probably isn't done here.
Then such a simple protocol may not be the most current and hip way to do anything well defined, but this is a debugging aid. This essentially replaces a serial port on an internal pin header. There is nothing "out of place" there, it's just a sane and comfortable way of doing something.
The problem is, that this debug interface is turned on by default and apparently cannot be turned off. That's the problem here. If I pay for my printer, I want to be able to use any debug interface it has, and even flash it with a new firmware whenever I choose to. I paid for the printer it's mine and I want to do whatever I see fit with it.
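Added example, not part of the comment above and not HP code: Telnet's option negotiation (RFC 854/855) is what separates it from a bare terminal over TCP, and this parser classifies a captured byte stream on that basis. The function names, the small option table and both sample captures are constructed for illustration.

```python
# Added example (not from the thread). Sample captures below are constructed.
IAC, SB, SE = 255, 250, 240
VERBS = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}

def parse_telnet(data: bytes):
    """Split captured bytes into (Telnet commands, plain text) per RFC 854/855."""
    cmds, text, i, n = [], bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            text.append(data[i])
            i += 1
            continue
        if i + 1 >= n:
            break                          # capture ends on a lone IAC
        cmd = data[i + 1]
        if cmd == IAC:                     # IAC IAC escapes a literal 0xFF
            text.append(IAC)
            i += 2
        elif cmd in VERBS:                 # IAC <verb> <option>
            if i + 2 >= n:
                break
            cmds.append((VERBS[cmd], OPTIONS.get(data[i + 2], str(data[i + 2]))))
            i += 3
        elif cmd == SB:                    # IAC SB <option> ... IAC SE
            j = i + 3
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1   # step over escaped IAC pairs
            if j + 1 >= n:
                break                      # unterminated subnegotiation
            cmds.append(("SB", OPTIONS.get(data[i + 2], str(data[i + 2]))))
            i = j + 2
        else:                              # two-byte command such as NOP or GA
            cmds.append(("CMD", str(cmd)))
            i += 2
    return cmds, bytes(text)

def classify(data: bytes) -> str:
    """'telnet' if the peer negotiated any option, else 'raw-tcp'."""
    cmds, _ = parse_telnet(data)
    negotiated = any(verb in VERBS.values() or verb == "SB" for verb, _ in cmds)
    return "telnet" if negotiated else "raw-tcp"

# Constructed captures: a negotiating Telnet server and a bare text prompt.
TELNET_CAPTURE = bytes([255, 253, 24, 255, 251, 1, 255, 251, 3]) + b"login: "
RAW_CAPTURE = b"debug> "

if __name__ == "__main__":
    print(classify(TELNET_CAPTURE), parse_telnet(TELNET_CAPTURE))
    print(classify(RAW_CAPTURE), parse_telnet(RAW_CAPTURE))
```

Either result describes the same exposure on an inventory report: the classification only tells you which protocol the listener speaks, not whether it should be reachable.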
-
Friday 15th March 2013 18:37 GMT Roland6
It could have been worse
Given there are several MFPs on the list, which will most probably be running some version of Unix, it is interesting that all that seems to be accessible via the telnet debug shell is the ability to read data - now with full root/su access an MFP could be really compromised...
-
Saturday 16th March 2013 00:45 GMT Anonymous Coward
Telnet debug shell?
'HP says the security risk arose after it was discovered that several models of HP LaserJets feature a "telnet debug shell which could allow a remote attacker to gain unauthorized access to data".'
I would have thought they would have stripped out all debug directives in the production model? link
-
Monday 18th March 2013 08:57 GMT Matt Bryant
Re: Wzrd1 Re: Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".
"......As an example of insecure protocol design." Well, to be fair (quiet, Local Dupe!), telnet wasn't designed with today's Internet in mind. It was originally designed in the much simpler networking World of the Sixties, for use on private campus networks to give remote terminal access, and for use inside secure networks it is still a useful and lightweight tool. Its security issues arise when used outside a secure network.
-
Tuesday 19th March 2013 16:19 GMT Michael Wojcik
Re: Wzrd1 Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".
"It was originally designed in the much simpler networking World of the Sixties"
True, if by "the Sixties" we mean 1971-1972. RFCs 97, 137, 139, 158, 206, 215, 216, 318, and 393 - February 1971 through October 1972 - describe the original Telnet, from initial thoughts through the first implementations.
-
Tuesday 19th March 2013 18:10 GMT Matt Bryant
Re Wojcik Re: Wzrd1 Ducklin added that Telnet ......
"True, if by "the Sixties" we mean 1971-1972....." Hmmm, I was taught (many, many years ago, admittedly) that Telnet grew out of RFC15 from 1969, which was in turn based on work of Bob "I'm-too-lazy-to-use-three-different-terminals" Taylor in the ARPANET project.
-
Tuesday 19th March 2013 16:16 GMT Michael Wojcik
Re: Ducklin added that Telnet is "unencrypted, insecure and out of place in 2013".
Ducklin is wrong on all three points.
Telnet certainly can be used without encryption, and insecurely. It can also be used with encryption - via Telnet-over-SSL [1], or Telnet with StartTLS [2], or Telnet Data Encryption Option [3]. It can be used with secure authentication mechanisms, using client certificates or pre-standard Telnet-with-SRP [4] or Telnet AUTH [5].
The "Telnet is insecure" canard is typically followed by "just use ssh, it's secure", with no mention of the many insecure ways in which ssh is commonly used - like accepting any fingerprint that the server offers.
[1] No specific standard, but there are a number of existing implementations.
[2] The ID for Telnet with StartTLS expired, but there's at least one open-source implementation.
[3] RFCs 2946-2950.
[4] For example with the SRP-patched version of TeraTerm Pro.
[5] RFCs 2941-2944.
-