Printer vulnerabilities via firmware update

Posted Dec 1, 2011 9:45 UTC (Thu) by james (subscriber, #1325)
Parent article: Printer vulnerabilities via firmware update

...manufacturers could just require some manual, user-present action (e.g. press the OK button) to do a firmware upgrade. Doing it that way may be painful for corporate IT departments that need to upgrade hundreds of printers at once, but not nearly as painful as the results when malicious firmware is sent to the printer and the user who just wants a print job presses "OK" without reading the printer's display (assuming it has one), which will happen more often than not.

I'd suggest doing it through a password-protected web interface instead -- nearly all the network-enabled printers I've seen have one of these anyway.



Printer vulnerabilities via firmware update

Posted Dec 1, 2011 10:59 UTC (Thu) by intgr (subscriber, #39733) [Link]

> I'd suggest doing it through a password-protected web interface instead

99% of which still have the default password set.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 17:22 UTC (Thu) by cesarb (subscriber, #6266) [Link]

> 99% of which still have the default password set.

Or the password is set but does not have much effect. On a printer we have here at work, I set the administrator password to prevent people from accidentally changing the settings. Imagine my surprise when I found out the settings had changed anyway.

It seems that, when installing the Windows driver for that printer, it has a wizard to set up the printer (configuring the fax settings and a few other things). That wizard seemed to completely ignore the administrator password I had set on the web interface.

Printer vulnerabilities via firmware update

Posted Dec 1, 2011 11:25 UTC (Thu) by epa (subscriber, #39769) [Link]

Yes, pressing 'OK' is not going to cut it. It would need to be an entry buried in the printer menu, 'apply downloaded firmware update'.

Printer vulnerabilities via firmware update

Posted Dec 2, 2011 18:50 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

> pressing 'OK' is not going to cut it. It would need to be an entry buried in the printer menu, 'apply downloaded firmware update'.

Of course, that additional hassle would reduce the likelihood the firmware would get applied, and the great majority of users, who want HP to own their printer problems, would be disserved.

Maybe a hybrid makes sense: the printer will take HP-signed updates automatically, but a difficult menu option lets you apply an unsigned update. Or change the signing key.

Printer vulnerabilities via firmware update

Posted Dec 3, 2011 0:33 UTC (Sat) by Fowl (subscriber, #65667) [Link]

Unfortunately, that menu option would never be tested, and break. Almost immediately.

Printer vulnerabilities via firmware update

Posted Dec 7, 2011 4:30 UTC (Wed) by k8to (subscriber, #15413) [Link]

There's an "enterprise" solution to this sort of thing.

Allow the users to load corp-specific keys onto their printers, and require a matching signature to upgrade the firmware or do other administrative tasks. Then allow upgrades to occur without "press OK to continue" when the signatures are present.

This isn't really that hard to do.
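
The acceptance policy discussed in the two comments above (unattended updates only when signed by an enrolled key, with an optional hard-to-reach local menu path for anything else), as an added example that is not code from any commenter or printer vendor. The names `Policy`, `Decision` and `Evaluate` are hypothetical, and Ed25519 is an assumption, since the thread names no signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Decision is what the (hypothetical) update handler does with an image.
type Decision int

const (
	Reject            Decision = iota // never flash
	NeedsLocalConfirm                 // flash only after a deliberate front-panel menu action
	ApplyUnattended                   // flash without user interaction
)

// Policy holds the keys an administrator has enrolled on the device.
type Policy struct {
	TrustedKeys   []ed25519.PublicKey // vendor and/or corp-specific keys
	AllowUnsigned bool                // hybrid mode: other images via local menu only
}

// Evaluate decides how to treat a firmware image and its detached signature.
func (p Policy) Evaluate(image, sig []byte) Decision {
	if len(sig) == ed25519.SignatureSize {
		for _, k := range p.TrustedKeys {
			if ed25519.Verify(k, image, sig) {
				return ApplyUnattended
			}
		}
	}
	// Unsigned, malformed or untrusted signature: never applied unattended.
	if p.AllowUnsigned {
		return NeedsLocalConfirm
	}
	return Reject
}

func main() {
	// Constructed sample: a corp key pair and a stand-in firmware image.
	corpPub, corpPriv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed firmware image v2")
	p := Policy{TrustedKeys: []ed25519.PublicKey{corpPub}}
	fmt.Println(p.Evaluate(image, ed25519.Sign(corpPriv, image))) // signed by enrolled key
	fmt.Println(p.Evaluate(image, nil))                            // unsigned image
}
```

Removing the vendor key from `TrustedKeys` and enrolling only a corp key gives the stricter variant, where even vendor-signed images are held until the organisation re-signs them.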

Printer vulnerabilities via firmware update

Posted Dec 8, 2011 6:07 UTC (Thu) by jamesh (guest, #1159) [Link]

One of the tools HP provides is a utility to scan for HP printers connected to the local network, determine which ones need a firmware update and flash them all at once.

Requiring the administrator to go out and hit a button on each of those printers would severely reduce the utility of that tool. I'd guess most administrators would prefer an update that let them continue to manage printers the way they always have.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds