
HP Ink Printers Remote Code Execution - Yhippa
https://support.hp.com/us-en/document/c06097712
======
jdlyga
Best printer decision I've ever made was to buy a Brother laser printer. It's
like going from a flip phone to a smart phone. I rarely print anything, but
when I do it's reliable, fast, and very easy to use. I buy toner maybe once
every few years.

~~~
js2
Worst printer decision I've ever made was to buy a Brother laser printer. The
fusing roller deteriorated within a year and the warranty replacement process
was more trouble than it was worth. I gave up after several back-and-forth
interactions with their customer support that weren't going anywhere.

The best printer decision I've ever made is my current printer, an HP
OfficeJet 8620 with an ink subscription program. This HP has printed 9620
trouble-free pages since I purchased it a bit over two years ago (May, 2016).
Yes, the per-page cost is relatively expensive, but it's the least hassle I've
ever had with a printer. New ink just magically shows up in the mail shortly
before I need it and I mail the old cartridges back for recycling. I haven't
heard "honey/dad, the printer is broken/jammed/out-of-ink/won't-print again"
since I purchased it.

My first printer was an Apple thermal printer, my second an Epson MX 100, so
I've dealt with _a lot_ of printers over the years, from Apple, Epson, Canon,
Brother, HP, and maybe other brands I'm forgetting.

I previously tried things like bulk ink tanks and refilling toner cartridges.
Not worth the hassle.

I'm glad you're happy with your Brother. Mine had great initial reviews, but
then when I checked back on Amazon a year later other folks had the same fuser
roller issue:

[https://www.amazon.com/gp/customer-reviews/R16HGOAIYLS1IJ/re...](https://www.amazon.com/gp/customer-reviews/R16HGOAIYLS1IJ/ref=cm_cr_dp_d_rvw_ttl?ie=UTF8&ASIN=B00BQU141C)

Maybe it was specific to that model (HL-3170CDW). I don't know.

~~~
jacob019
I second this. My company went through a dozen Brothers before switching to HP
and Xerox. Brother printers are fine for occasional use but they don't hold up
for daily office use.

------
phelmig
This reminds me of this [1] talk at 28c3 (Ang Cui on how to exploit HP
printers by sending a modified PDF to them), which led to one of the most
hilarious IT-Sec headlines [2].

[1]
[https://www.youtube.com/watch?v=njVv7J2azY8](https://www.youtube.com/watch?v=njVv7J2azY8)
[2] [http://gawker.com/5863388/hackers-could-turn-your-printer-in...](http://gawker.com/5863388/hackers-could-turn-your-printer-into-a-flaming-death-bomb)

~~~
larkeith
Luckily, there's an error code for that:
[https://en.wikipedia.org/wiki/Lp0_on_fire](https://en.wikipedia.org/wiki/Lp0_on_fire)

------
jaclaz
There is IMHO some form of "disconnection" between using "certain":

>Two security vulnerabilities have been identified with certain HP Inkjet
printers.

and then list more than 200 (two hundred) printer models.

~~~
readyp1
Maybe so, but "certain", from a grammatical standpoint, implies that they
_know_ exactly which models are affected, which in turn implies that it is not
the _entirety_ of their printers that are affected. Maybe that's not the case,
and every single printer they make is affected, but that's just my thought on
it ¯\\_(ツ)_/¯

~~~
jaclaz
I don't know, by reading "certain HP Inkjet printers" I imagined that it would
imply a small number of "known" affected models (all belonging to the Inkjet
family, of course).

It seems to me that the given list could be better summed up with something
_like_ :

"All HP Inkjet printers manufactured in the last _n_ years, with the exception
of models A, B and C."

------
ipython
Is there an open source method to upgrade the firmware? The HP website lists
two methods: first using their “eprint” web service where you have to accept
some BS terms of service (no thanks) or opaque binary blobs for Windows or
Mac.

~~~
JTbane
Random fact: Richard Stallman may have been spurred to start the GNU Project
due to the fact that he could not easily modify the source code of a printer.

~~~
yjftsjthsd-h
Which makes it ironic that there are still no open source printers. There are
even open source 3D printers, but putting ink on paper is still annoyingly out
of reach.

~~~
swiley
Just 3D print movable type and call it a day.

~~~
yjftsjthsd-h
I did once consider just 3D printing a single very thin layer :-)

More practically, a 3D printer is probably only a half step removed from a
decent _plotter_ if you just replace the head with a pen or something.

------
lmns
For whatever reason my printer (8610) provides an automatic update via the
web interface, but it can't find any update. Also the HP firmware updater for
macOS isn't signed. Oh well.

~~~
rogueresearch
Where do you find a firmware updater for macOS? Only instructions I see
require connecting the printer to the public internet, which I'd rather not
do.

------
NullPrefix
Tried reading the information, but can't understand if the RCE is on the printer
firmware or the PC host. Anyone know?

~~~
tonysdg
Firmware. From Resolution section:

> HP has provided firmware updates for impacted printers as set forth in the
> table below.

------
krylon
Fortunately, my trusty old LaserJet 1010 does not have a network interface.
But I suspect that outside of organizations dealing with classified data,
printer security is fairly terrible, anyway.

~~~
reaperducer
_But I suspect that outside of organizations dealing with classified data,
printer security is fairly terrible, anyway._

You’d be surprised. One org I worked for had a Kyocera all kitted out for
HIPAA compliance.

I looked through the manual for it once and it glossed over a number of very
interesting data handling techniques. The only one I remember off the top of
my head is that after a print job, the internal hard drive would scrub itself
and repeatedly write garbage data over the location of the previous print job.

To the user it was seamless, except for the occasional tiny “Purging hard
drive data” notice at the bottom of the printer’s screen.

~~~
krylon
Well, in a way, companies that need to be HIPAA-compliant deal with kind-of
classified data. I should have chosen my wording more carefully.

------
danesparza
Hmmm ... I'm curious why this article is getting any traction on HN. Is it the
novelty of remote code execution on a printer? This isn't news:

Defcon presentation from Defcon 19 (I swear I remember something earlier than
this, but this is just from a quick search):
[https://www.defcon.org/images/defcon-19/dc-19-presentations/...](https://www.defcon.org/images/defcon-19/dc-19-presentations/Heiland/DEFCON-19-Heiland-Printer-To-Pwnd.pdf)

Also: [https://github.com/RUB-NDS/PRET](https://github.com/RUB-NDS/PRET)

~~~
Sohcahtoa82
Because this is a new vulnerability.

Does PRET even still work? I'd be surprised if the vulnerabilities that allow
PRET to work haven't been patched.

------
londons_explore
I wonder if anyone actually writes to them to ask for a pgp signed version of
the security bulletin...

------
floatboth
Is anyone going to develop custom firmware / jailbreak for the vulnerable
printers?

------
Qerub
HP's "The Wolf" commercials (feat. Mr. Robot^WChristian Slater) totes up their
printers as "the world's most secure printing":
[https://www.youtube.com/watch?v=DkajtSOAyec](https://www.youtube.com/watch?v=DkajtSOAyec)
:)

------
baybal2
I think it has something to do with their recently announced bounty.

