Hardcoded Administrator Account Opens Backdoor Access To Samsung Printers
hypnosec writes "A new flaw has been discovered in printers manufactured by Samsung whereby a backdoor in the form of an administrator account would enable attackers to not only take control of the flawed device, but will also allow them to attack other systems in the network. According to a warning on US-CERT the administrator account is hard-coded in the device in the form of an SNMP community string with full read-write access. The backdoor is not only present in Samsung printers but also in Dell printers that have been manufactured by Samsung. The administrator account remains active even if SNMP is disabled from the printer's administration interface."
Forget about the printers... (Score:2, Interesting)
What about the Samsung backdoor into your phones?
Re: (Score:3, Funny)
They're copying Apple's?
Re: (Score:2, Insightful)
> What about the Samsung backdoor into your phones?
That's the first thing I thought too, that if we just discovered this in Samsung printers, is there a hardcoded backdoor in Samsung Galaxy S3 phones too?
Re:Forget about the printers... (Score:4, Funny)
> That's the first thing I thought too, that if we just discovered this in Samsung printers, is there a hardcoded backdoor in Samsung Galaxy S3 phones too?
Hmm... Good question. If I had one myself, I could tell you just by looking... Does the S3 come with a paper feeder? If so, it certainly has a back door of some kind.
I mean, how else do you clear paper jams?
Re: (Score:2)
> What about the Samsung backdoor into your phones?
I am more concerned about that, as all of our Samsung printers have broken at my work. If you've never seen a laser printer's fuser blow out after 50 prints, buy a Samsung, and get some damn popcorn lol.
Don't let Ben Bernanke find out about this... (Score:3)
Re: (Score:3)
Re: (Score:1)
Today printers, tomorrow makerbots making fake gold bars.
Re: (Score:2)
Silver Lining? (Score:2, Interesting)
Question: Does anyone know if this exploit could be used to alter/remove the tracking dots [seeingyellow.com] every color laser printer marks its documents with?
Re: (Score:3, Informative)
> Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?
No need. Following a link from the page you posted shows Samsung doesn't have tracking dots [eff.org].
Re: (Score:2, Interesting)
> > Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?
> No need. Following a link from the page you posted shows Samsung doesn't have tracking dots [eff.org].
Have to take your word for it, as the firewall here blocks the EFF's website...
Re: (Score:1)
Incorrect, my Samsung 610ND produces the dots. Most Samsung lasers do. SNMP has nothing to do with that, I was told that the dots are generated in hardware on the laser assembly. You cannot disable them, ever.
Re: (Score:1)
> You cannot disable them, ever.
Oh? My 3lb hammer thinks otherwise.
Re: (Score:2)
Re: (Score:1)
Could you use this to add tracker dots?
Re: (Score:2, Informative)
This just gives you the equivalent of local administrator access, and local admins can't turn off those tracking dots, so you almost certainly can't with this SNMP admin password either. The tracking-dot stuff is hardcoded somewhere that's not supposed to be user-visible, not even admin-visible.
Re: (Score:2)
Sure they don't.
Re: (Score:2)
I have a 3100cn. Don't think it is Samsung under the hood. Other sources are saying Fuji/Xerox, and the NIC reports Fuj.
Re: (Score:2)
Samsung is basically the only manufacturer that DOESN'T insert yellow tracking dots. Your own link DOESN'T include Samsung on the list of manufacturers to call, and the EFF link of affected models lists all tested Samsung units as free and clear.
If anything, this is REVERSE karma.
Re: (Score:2)
> Samsung is basically the only manufacturer that DOESN'T insert yellow tracking dots. Your own link DOESN'T include Samsung on the list of manufacturers to call, and the EFF link of affected models lists all tested Samsung units as free and clear.
Well, then, I guess I know which brand of laser printer I'm going for next time I'm in the market.
> If anything, this is REVERSE karma.
Amrak?
Re: (Score:2)
Samsung also has the least-expensive laser printers (for home use at least, not sure about higher-end models). Though it's no longer produced, I'm very happy with my $150 CLP-325W color-laser printer with ethernet and WiFi (g), though I hear early-adopters had to live with some firmware bugs. 4W idle, and 0.5W switched-off. Also, the "w" was their only CLP model that included PCL compatibility.
Their earlier entries into the market weren't so stellar... Lots of paper jams with the CLP-300, not the best lo
Thumbs up! (Score:2)
This isn't the first time I have heard of this (Score:2)
Trying to remember where I heard this, but there was something similar with the old HP laserjet printers.
I think there was a time when it was considered good practice to put backdoors like this into internet connected devices. I think the reasoning was that every device needed to have a universal password.
But yeah, this is a pretty crazy issue to have.
Re: (Score:1)
A physical reset button that restores the factory settings is OK. While there is some abuse potential, an attacker has to get to the printer first which rules out purely remote hacks.
But a hardcoded admin account that cannot be switched off? Baaad idea.
Re:This isn't the first time I have heard of this (Score:4, Insightful)
Someone needs to invent a fairly simple device. It would have two Ethernet ports and a USB port. The USB port is used for programming it, perhaps then used for power. The Ethernet ports would be used for bridging/routing.
You put the device between whatever device and the rest of the network, select what purpose the device does, (or manually specify ports), and call it done, with the thing automatically proxying/masquerading. Print job hits port 515 on the device, the device sends the packets to the printer.
This way, even if there is some unknown port, it gets shut off.
Of course, the next step for backdoors would be backdoors in protocols (such as unique packets that normally would get ignored), but that can be found by DPI.
Re: (Score:2)
I was interested in looking around.. how about these?
PC Engines ALIX 1D is $110
http://www.wezm.net/technical/2011/12/openwrt-on-alix/ [wezm.net]
http://www.pcengines.ch/order1.php?c=4 [pcengines.ch]
LyconSys MRT150N mini-vpn-router is 99 EUR on Amazon Germany
http://www.lyconsys.com/index.php/en/products/minivpnrouters [lyconsys.com]
http://www.amazon.de/Mini-VPN-Router-MRT150N-WLAN-150-MBit/dp/B0040G9F8I/ref=cm_pdp_imgs_itm_title_1/279-9174569-5637012 [amazon.de]
Re: (Score:2)
In the past, there was a dongle about the size of 1-2 chewing gum sticks stacked together which had two Ethernet ports on it. On the internal side, it had a very simple, configurable web page, and it did decent firewalling and NAT. Since this was sold before the days where Wi-Fi became common, it was very useful for laptops when plugging into Ethernet.
I don't remember the company that made them, but it would be nice to see that be sold again, but to protect devices.
Re: (Score:2)
Re: (Score:2)
Correct. What is so special about the firewall/NAT box I'm mentioning is the form factor -- something of a small size that can be made relatively cheaply that can be easily plugged in between the switch and the device, and be powered off the Ethernet cable.
Of course, the same result could be achieved by putting devices on their own VLAN, but this is a relatively quick and dirty way to accomplish the same thing.
Re: (Score:2)
Re: (Score:2)
> Someone needs to invent a fairly simple device
It's called a firewall and it exists.
> Of course, the next step for backdoors would be backdoors in protocols (such as unique packets that normally would get ignored), but that can be found by DPI.
Yes, this is the hard part. You now need to know everything about every protocol anyone is using. Good luck!
Re: (Score:3)
There is NO time when it is good to have a hard-coded admin password on a networked device. That is just bad programming.
pleasant dreams.
Re: (Score:2)
HP has a backdoor-by-design, it's called ePrint, where the printer phones home to HP and maintains contact with "the cloud", so that email and web printing jobs can be sent to the printer from knowing a not-too-long URL.
Then there is the HP flaw where a printer's firmware can be updated over the Internet by anyone or even through a specially crafted print job to do whatever they like: http://www.youtube.com/watch?v=njVv7J2azY8 [youtube.com] (long technical video). Of course HP semi-refuted this [hp.com] faster than a security res
Re:Bloated Hardware (Score:5, Insightful)
Yes. Because we don't want any way to prevent student A from cancelling student B's jobs. Or any way for a trusted user, such as the sysadmin, from cancelling all jobs.
And we definitely want all nimwits on the network to have complete and arbitrary control over how many pages they can use, or how much ink. Maximum quality print jobs in a comp sci department printer? No problem! (I remember watching a dot-matrix printer spit out a core file, that was entertaining.)
Definitely, no good whatsoever could come from a printer with any authentication control.
Obviously, Samsung agrees, because all their printers apparently have the same unchangeable admin account and password.
Re: (Score:2)
Printers have a lot of features I don't use, so I can't understand why anyone else should be able to have those features.
I "fix" the printers in my office several times every week.
FTFY. I haven't had to fix the printers in my office for months, possibly because I did it properly last time. Let the anecdote wars begin!
Re: (Score:1)
> FTFY. I haven't had to fix the printers in my office for months, possibly because I did it properly last time. Let the anecdote wars begin!
Actually, your printer's been going down every few days. Good thing I'm rebooting it for you from Siberia!
Re:Bloated Hardware (Score:5, Insightful)
Oh good, because we wouldn't want to have any assurances that our 100MB print jobs were transferred to the printer successfully... Or know when they're running low on toner... or that there's a paper jam and the printer has caught fire... or be able to tell it to use the media in tray number 5... or be able to connect a printer to your WiFi network.
Re: (Score:2)
A printer still needs to report feedback, such as toner levels, problems like paper jams, success/failure of a job etc.
Re: (Score:2)
Why does a printer have "accounts"? Its job is to print a file we throw at it. It should be nothing but a recipient of information, a dropbox. In fact it should be an email, to which you send an attached file, and the printer fetches it and prints it. Or at least that should be the interface.
By the way, HP has exactly that as a feature (ePrint) in their current printers. They give an e-mail address for your printer from their cloud service, and then you can start sending documents there.
Printers are becoming obsolete. (Score:2)
not if you need singed paper work (Score:2)
not if you need singed paper work
Re: (Score:1)
> not if you need singed paper work
Exactly. I work for a Big Pharma company, and anything that needs doing requires at least one form signed by at least three levels of management. I alone fill up a large recycle bin once a week.
Re: (Score:2)
Re: (Score:2)
http://consumerist.com/2012/11/26/bank-of-america-is-really-good-at-losing-documents-really-bad-at-believing-my-mother-is-dead/ [consumerist.com]
Re: (Score:2)
Hopefully, he's filling the recycle bin with managers.
Not likely, but one can dream.
Re:not if you need singed paper work (Score:5, Funny)
> not if you need singed paper work
Good point. No matter how much heat you apply, you can't get a good char on a softcopy. Not even a little browning. You just burn your monitor.
Nothing burns, shreds, or pulps like paper.
Re: (Score:1)
> > not if you need singed paper work
> Good point. No matter how much heat you apply, you can't get a good char on a softcopy. ...
I can get plenty of chars [wikipedia.org] on my softcopies.
Re: (Score:2)
Pack of matches has that covered.
Re: (Score:3)
I think your fuser's too hot.
Re: (Score:1)
"not if you need singed paper work"
No, no, you're thinking of some of the original laser printers - the new ones have MUCH better temperature control, and almost never set the paper on fire.
Re: (Score:2)
> not if you need singed paper work
yes, additionally you'll also need a match or torch
Old news to Dell (Score:2, Interesting)
We have a few Dell 1720's and they have this issue. SNMP public is read/write on these printers even if you turn it off. We discovered this back in 2011 during an internal network security audit. The risk is pretty low for us because we have adequate network controls but we asked Dell technical support about this and they told us that because the printers were so old there was no hope of a firmware fix; they actually first said it was a feature before I called their BS.
Anyway, they didn't even have to re
Re: (Score:2)
> Anyway, they didn't even have to research it. They had it right in their KB. If it was on for the old printers and they didn't fix it on newer printers then someone dropped the ball (or wanted to keep the "feature").
Or were ambivalent enough about security that they didn't think it worthwhile spending one yellow-dotted cent on it. Bugger, time to firewall the printers.
I can testify! (Score:5, Funny)
> but will also allow them to attack other systems in the network
We had one go on a rampage last week! It tore up half the bay before a couple of us beat to death with a dictionary and one of those big staplers from the copy room. WHY WOULD THEY EVEN PUT HIDDEN ARMS AND LEGS ON A PRINTER?!
Re: (Score:2)
Watching Office Space were you...?
Re: (Score:2)
Nope. Did they do that?
Re: (Score:3)
> We had one go on a rampage last week! It tore up half the bay before a couple of us beat to death with a dictionary and one of those big staplers from the copy room. WHY WOULD THEY EVEN PUT HIDDEN ARMS AND LEGS ON A PRINTER?!
PC LOAD LETTER. YOU HAVE TEN SECONDS TO COMPLY.
I can't believe it, Jim! (Score:3)
That girl's standing over there listening and you're telling him about our back doors?
It's a Feature! (Score:1)
again? (Score:2)
Re: (Score:2)
He's PC World's cousin. http://www.channelregister.co.uk/2012/11/19/police_constable_world_error/ [channelregister.co.uk]
SNMP writes and not using snmp-v3? (Score:1)
(ob disc: I have been in the snmp field for over 25 years doing development on agents as well as nms)
let me see if I understand this:
snmp set (writes) ability using something other than snmpv3?
uhm, you're kidding me. tell me you are joking.
the vendor gets an F- in design. sheesh! snmpv3 has been out long enough so that no one should be doing ANY sets (writes) using unsecure v1/v2c.
not to mention the GALL of using a hardcoded write-password.
(you know, the snmp opportunities have nearly gone to zero and it
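
Added example, not part of any poster's comment: one way to spot the condition the comment above objects to, SNMP sets (writes) carried over v1/v2c rather than v3, in traffic captured on the way to a printer. It is a minimal BER reader written for this page; `read_tlv` and `classify` are hypothetical helper names, and the datagrams and the community value "example" are constructed.

```python
# Added example: classify raw SNMP datagrams (UDP/161 payloads) by version and PDU.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def read_tlv(buf, pos):
    """Decode one BER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length

def classify(datagram):
    """Return (version, pdu_name, alert); alert means a v1/v2c write."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version not in ("v1", "v2c"):
        return version, None, False          # v3 PDU sits in the scopedPDU
    tag, _community, pos = read_tlv(body, pos)   # parsed but never logged
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _, _ = read_tlv(body, pos)
    name = PDU_NAMES.get(pdu_tag, hex(pdu_tag))
    return version, name, name == "SetRequest"

# Constructed datagrams, community "example": v2c Set of sysContact.0,
# v1 Get of sysDescr.0, and a minimal v3 stub (version field only).
V2C_SET = bytes.fromhex("302802010104076578616d706c65a31a020101020100"
                        "020100300f300d06082b06010201010400040178")
V1_GET = bytes.fromhex("302702010004076578616d706c65a019020101020100"
                       "020100300e300c06082b060102010101000500")
V3_STUB = bytes.fromhex("30050201033000")
if __name__ == "__main__":
    for pkt in (V2C_SET, V1_GET, V3_STUB):
        print(classify(pkt))
```

Fed the UDP payloads from a capture or a mirror port, an alert on any datagram addressed to a printer is worth a look whatever the printer's own SNMP setting says, since the story reports the account stays active with SNMP disabled.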
What were they thinking?! (Score:2)
Re: (Score:2)
Hm. That seems reasonable. Let's try that and see how it goes [metal-archives.com]...
"Lay down your gun and surrender quietly, or there's gonna be A CAJUN RIOTLY!"
No. That doesn't work at all.
Re: (Score:1)
Anything Useful? (Score:2)
I think I have one of the printers in question. Does this allow me to do anything useful or interesting? Where can I find more information on playing with it?
It was Onity! (Score:2)
Not a big deal (Score:1)
It worked on my printer (Score:2)
And in case anyone else wants to test, the password is: s!a@m#n$p%c