Unpacking HP Firmware Updates (jsof-tech.com)
72 points by sobermanman on May 18, 2020 | 19 comments



This article is bringing to light a lot of stuff that needs to be said about printers.

Also somewhat depressingly, HP is definitely the most secure printing company. That's not a very high standard though. But what it means is everything these guys have found... is much worse at every other printer company. HP was the first printer company to join HackerOne I believe, shockingly they still make some of their server brands in the US, and the security options on their entry level enterprise printers (m406) show at least some effort was put into them (for instance only allowing SNMPv3).

Yet at the same time, why can I only have a max 16 character password on the web management portal? Why does the username have to be "admin" which is obviously super easy to guess?

NOTE: I first saw this article as a promoted tweet on Twitter. This was hilarious to me because it was the first time I had had a relevant promoted tweet shown to me where I also didn't feel like the party involved was being misleading in some sort of way.

EDIT: Had trouble accessing their site. Some things to note that they found:

- Why do you have to download the updates manually from HP? Why can't the printer check? Why is it not automated? This process is awful. Do you then upload the zip file of the update to the printer or the bin file inside, or is it the bin file plus the md5 hash?

- PCL and PJL are languages that predate IP. Very insecure and so many things that have never been fixed.


The analysis in TFA is of the previous generation OfficeJet Pro 8720 which was introduced in 2016.

This is fascinating but I'm looking forward to folks poking around at the current generation of printers because HP changed a lot about the firmware security lately.

I recently purchased an HP OfficeJet Pro 9015 which was introduced in early 2019. This newer printer has automated firmware updates enabled by default. The new generation OfficeJet Pro 8025, 8035, 9015, 9025 and similar offers several security benefits over the previous generation according to a report [1]:

- Firmware Integrity and Secure Boot

- Automatic Firmware Recovery/Self-Healing BIOS

- Run-Time Code Integrity

- Automatic Firmware Update

Agreed: HP is the most secure printing company from what I can understand. Nobody else in the printer business has these security features in their products. Security elements like secure boot, firmware integrity, and automatic updates are things I expect now.

[1]: https://www.keypointintelligence.com/media/2240/hp-officejet...


Glad to hear that they took our advice, and enabled automatic firmware updates by default. We suggested this feature when we helped them fix the fax vulnerabilities (DEFCON 26 - What The FAX?!), happy to see they listened.


And speaking of printer vulns, I believe it'd be really interesting to investigate IPP over USB as an attack vector to pwn otherwise secured hosts.

Despite using a VPN which forwards all of my network traffic on macOS, I can still access my printer's web server because of the automatically configured IPP-USB connection which provides a reverse proxy to the printer's embedded web server over USB. I haven't seen many articles detailing how this works and how it's secured...


That was an amazing talk. Thank you so much.


Awesome! I really enjoyed your talk! Great work.


Shlomi from JSOF here. The firmware we looked at was an OfficeJet Pro 8720 with a relatively new firmware version from latest 2019. We've seen some of the features that you're talking about including Automatic firmware update, and others we weren't looking for. The firmware can be downloaded from the web for the purposes of reverse engineering for security research.

We will be going into further details and more information in the next post in the series.


Cool, looking forward to your next posts!

My understanding is the 2019 hardware has secure boot -- which the 2016 hardware cannot support.

The 2016 era hardware has relatively modern firmware versions available, but the hardware security is likely different and therefore the potential hacks will be different. Lots of opportunity to explore.


You can now find the second post in the series here: https://jsof-tech.com/unpacking-hp-firmware-updates-part-2/


We reverse engineered an HP printer. Our first of a four-part blog series documenting the HP printer firmware update format.


Interesting writeup. Any appetite for looking at other HP firmwares? We owners of HP 608G tablets have suffered for years after an irreversible firmware update introduced a permanent touchscreen lag.


We killed your DBMS: Error establishing a database connection


The site is back on! Enjoy the read


I'm wondering if something can come up in the firmware that is indicative of planned obsolescence. Is hardware design enough to achieve that?


Not that we've seen. We weren't really looking at that aspect.



Happy to see that people still remember our talk :)





