
Unpacking HP Firmware Updates - sobermanman
https://jsof-tech.com/unpacking-hp-firmware-updates-part-1/
======
rshnotsecure
This article is bringing to light a lot of stuff that needs to be said about
printers.

Also somewhat depressingly, HP is definitely the most secure printing company.
That's not a very high standard though. But what it means is everything these
guys have found...is much worse worse at every other printer company. HP was
the first printer company to join HackerOne I believe, shockingly they still
make some of their server brands in the US, and the security options on their
entry level enterprise printers (m406) show at least some effort was put into
them (for instance only allowing SNMPv3).

Yet at the same time, why can I only have a max 16 character password on the
web management portal? Why does the username _have_ to be "admin" which is
obviously super easy to guess?

NOTE: I first saw this article as a promoted tweet on Twitter. This was
hilarious to me because it was the first time I had had a relevant promoted
tweet shown to me where I also didn't feel like the party involved was being
misleading in some sort of way.

EDIT: Had trouble accessing their site. Some things to note that they found:

\- Why do you have to download the updates manually from HP? Why can't the
printer check? Why is it not automated? This process is awful. Do you then
upload the zip file of the update to the printer or the bin file inside, or is
it the bin file plus the md5 hash?

\- PCL and PJL are languages that predate IP. Very insecure and so many things
that have never been fixed.

~~~
reid
The analysis in TFA is of the previous generation OfficeJet Pro 8720 which was
introduced in 2016.

This is fascinating but I'm looking forward to folks poking around at the
current generation of printers because HP changed a lot about the firmware
security lately.

I recently purchased an HP OfficeJet Pro 9015 which was introduced in early
2019. This newer printer has automated firmware updates enabled by default.
The new generation OfficeJet Pro 8025, 8035, 9015, 9025 and similar offers
several security benefits over the previous generation according to a report
[1]:

\- Firmware Integrity and Secure Boot

\- Automatic Firmware Recovery/Self-Healing BIOS

\- Run-Time Code Integrity

\- Automatic Firmware Update

Agreed: HP is the most secure printing company from what I can understand.
Nobody else in the printer business has these security features in their
products. Security elements like secure boot, firmware integrity, and
automatic updates are things I expect now.

[1]: [https://www.keypointintelligence.com/media/2240/hp-
officejet...](https://www.keypointintelligence.com/media/2240/hp-officejet-
pro.pdf)

~~~
eyalitki
Glad to hear that they took our advice, and enabled automatic firmware updates
by default. We suggested this feature when we helped them fix the fax
vulnerabilities (DEFCON 26 - What The FAX?!), happy to see they listened.

~~~
reid
And speaking of printer vulns, I believe it'd be really interesting to
investigate IPP over USB as a attack vector to pwn otherwise secured hosts.

Despite using a VPN which forwards all of my network traffic on macOS, I can
still access my printer's web server because of the automatically configured
IPP-USB connection which provides a reverse proxy to the printer's embedded
web server over USB. I haven't seen many articles detailing how this works and
how it's secured...

------
sobermanman
We reverse engineered an HP printer. Our first of a four-part blog series
documenting the HP printer firmware update format.

~~~
mshook
We killed your DBMS: Error establishing a database connection

~~~
sobermanman
The site is back on! Enjoy the read

------
NikolaeVarius
Relevant Defcon Talk
[https://youtu.be/qLCE8spVX9Q?t=671](https://youtu.be/qLCE8spVX9Q?t=671)

~~~
eyalitki
Happy to see that people still remember our talk :)

------
polygot
Mirror: [http://archive.is/O6Sn7](http://archive.is/O6Sn7)

------
sobermanman
The site is back on! Enjoy the read [https://jsof-tech.com/unpacking-hp-
firmware-updates-part-1/](https://jsof-tech.com/unpacking-hp-firmware-updates-
part-1/)

