Forgot your password?
typodupeerror
Printer Security Hardware

Hardcoded Administrator Account Opens Backdoor Access To Samsung Printers 103

Posted by Soulskill
from the apple-probably-suing-for-patent-infringement dept.
hypnosec writes "A new flaw has been discovered in printers manufactured by Samsung whereby a backdoor in the form of an administrator account would enable attackers to not only take control of the flawed device, but will also allow them to attack other systems in the network. According to a warning on US-CERT the administrator account is hard-coded in the device in the form of an SNMP community string with full read-write access. The backdoor is not only present in Samsung printers but also in Dell printers that have been manufactured by Samsung. The administrator account remains active even if SNMP is disabled from the printer's administration interface."
This discussion has been archived. No new comments can be posted.

Hardcoded Administrator Account Opens Backdoor Access To Samsung Printers

Comments Filter:
  • What about the Samsung backdoor into your phones?

    • Re: (Score:3, Funny)

      by Anonymous Coward

      They're copying Apple's?

    • Re: (Score:2, Insightful)

      by iamhassi (659463)

      What about the Samsung backdoor into your phones?

      That's the first thing I thought too, that if we just discovered this in Samsung printers is there a hardcoded backdoor in Samsung galaxy s3 phones too?

    • What about the Samsung backdoor into your phones?

      I am more concerned about that, as all of our Samsung printers have broken at my work. If you've never seen a laser printer's fuser blow out after 50 prints, buy a Samsung, and get some damn popcorn lol.

  • by hawks5999 (588198) on Tuesday November 27, 2012 @05:31PM (#42110293)
    He'll have a printer botnet running in no time!
  • Silver Lining? (Score:2, Interesting)

    by CanHasDIY (1672858)

    Because of full read-write access, the data that passes through the printer is at risk of being disclosed.

    Question: Does anyone know if this exploit could be used to alter/remove the tracking dots [seeingyellow.com] every color laser printer marks its documents with?

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      No need. Following a link from the page you posted shows Samsung doesn't have tracking dots [eff.org].

      • Re: (Score:2, Interesting)

        by CanHasDIY (1672858)

        Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

        No need. Following a link from the page you posted shows Samsung doesn't have tracking dots [eff.org].

        Have to take your word for it, as the firewall here blocks the EFF's website...

        • by Anonymous Coward

          Incorrect, my Samsung 610ND produces the dots. Most Samsung lasers do. Snmp has nothing to do with that, I was told that the dots are generated in hardware on the laser assembly. You cannot disable them, ever.

          • by Anonymous Coward

            > You cannot disable them, ever.

            Oh? My 3lb hammer thinks otherwise.

            • No, you fool! If you do that you'll unleash the Spirit of Yellow Dots, and they'll haunt you for the rest of time! You'll have little discoloured spots on your vision for the rest of your life, and your children's lives, and so on for all eternity. Only an innocent, blind to the ways of the yellow dot, can safely destroy such a printer.
      • by mlk (18543)

        Could you use this to add tracker dots?

    • Re: (Score:2, Informative)

      by Trepidity (597)

      This just gives you the equivalent of local administrator access, and local admins can't turn off those tracking dots, so you almost certainly can't with this SNMP admin password either. The tracking-dot stuff is hardcoded somewhere that's not supposed to be user-visible, not even admin-visible.

    • by evilviper (135110)

      Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      Samsung is basically the only manufacturer that DOESN'T insert yellow tracking dots. Your own link DOESN'T include Samsung on the list of manufacturers to call, and the EFF link of affected models lists all tested Samsung units as free and clear.

      If anything, this is REVERSE karma.

      • Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

        Samsung is basically the only manufacturer that DOESN'T insert yellow tracking dots. Your own link DOESN'T include Samsung on the list of manufacturers to call, and the EFF link of affected models lists all tested Samsung units as free and clear.

        Well, then, I guess I know which brand of laser printer I'm going for next time I'm in the market.

        If anything, this is REVERSE karma.

        Amrak?

        • by evilviper (135110)

          Samsung also has the least-expensive laser printers (for home use at least, not sure about higher-end models). Though it's no longer produced, I'm very happy with my $150 CLP-325W color-laser printer with ethernet and WiFi (g), though I hear early-adopters had to live with some firmware bugs. 4W idle, and 0.5W switched-off. Also, the "w" was their only CLP model that included PCL compatibility.

          Their earlier entries into the market weren't so stellar... Lots of paper jams with the CLP-300, not the best lo

  • Nothing like security through obscurity.
  • Trying to remember where I heard this, but there was something similar with the old HP laserjet printers.

    I think there was a time when it was considered good practice to put backdoors like this into internet connected devices. I think the reasoning was that every device needed to have a universal password.

    But yeah, this is a pretty crazy issue to have.

    • A physical reset button that restores the factory settings is OK. While there is some abuse potential, an attacker has to get to the printer first which rules out purely remote hacks.

      But a hardcoded admin account that cannot be switched off? Baaad idea.

      • by mlts (1038732) * on Tuesday November 27, 2012 @06:12PM (#42110701)

        Someone needs to invent a fairly simple device. It would have two Ethernet ports and a USB port. The USB port is used for programming it, perhaps then used for power. The Ethernet ports would be used for bridging/routing.

        You put the device between whatever device and the rest of the network, select what purpose the device does, (or manually specify ports), and call it done, with the thing automatically proxying/masquerading. Print job hits port 515 on the device, the device sends the packets to the printer.

        This way, even if there is some unknown port, it gets shut off.

        Of course, the next step for backdoors would be backdoors in protocols (such as unique packets that normally would get ignored), but that can be found by DPI.

    • by xmundt (415364)

      There is NO time when it is good to have a hard-coded admin password on a networked device. that is just bad programming.

                pleasant dreams.

    • by qubezz (520511)

      HP has a backdoor-by-design, it's called ePrint, where the printer phones home to HP and maintains contact with "the cloud", so that email and web printing jobs can be sent to the printer from knowing a not-too-long URL.

      Then there is the HP flaw where a printer's firmware can be updated over the Internet by anyone or even through a specially crafted print job to do whatever they like: http://www.youtube.com/watch?v=njVv7J2azY8 [youtube.com] (long technical video). Of course HP semi-refuted this [hp.com] faster than a security res

  • At least for my work. I'm down to about 5 pages a month and could probably get by with none in a pinch.
  • Old news to Dell (Score:2, Interesting)

    by Anonymous Coward

    We have a few Dell 1720's and they have this issue. SNMP public is read/write on these printers even if you turn it off. We discovered this back in 2011 during an internal network security audit. The risk is pretty low for us because we have adaquate network controls but we asked Dell technical support about this and they told us that because the printers were so old there was no hope of a firmware fix; they actually first said it was a feature before I called their BS.

    Anyway, they didn't even have to re

    • Anyway, they didn't even have to research it. They had it right in their KB. If it was on for the old printers and they didn't fix it on newer printers then someone dropped the ball (or wanted to keep the "feature").

      Or were ambivalent enough about security that they didn't think it worthwhile spending one yellow-dotted cent on it. Bugger, time to firewall the printers.

  • by Quiet_Desperation (858215) on Tuesday November 27, 2012 @05:59PM (#42110595)

    but will also allow them to attack other systems in the network

    We had one go on a rampage last week! It tore up half the bay before a couple of us beat to death with a dictionary and one of those big staplers from the copy room. WHY WOULD THEY EVEN PUT HIDDEN ARMS AND LEGS ON A PRINTER?!

    • by mu51c10rd (187182)

      Watching Office Space were you...?

    • by drinkypoo (153816)

      We had one go on a rampage last week! It tore up half the bay before a couple of us beat to death with a dictionary and one of those big staplers from the copy room. WHY WOULD THEY EVEN PUT HIDDEN ARMS AND LEGS ON A PRINTER?!

      PC LOAD LETTER. YOU HAVE TEN SECONDS TO COMPLY.

  • by jtownatpunk.net (245670) on Tuesday November 27, 2012 @06:07PM (#42110653)

    That girl's standing over there listening and you're telling him about our back doors?

  • That is all.
  • It's about time the large corporations sent a memo to developers to remove hard coded administrator access from its devices.
  • (ob disc: I have been in the snmp field for over 25 years doing development on agents as well as nms)

    let me see if I understand this:

    snmp set (writes) ability using something other than snmpv3?

    uhm, you're kidding me. tell me you are joking.

    the vendor gets an F- in design. sheesh! snmpv3 has been out long enough so that no one should be doing ANY sets (writes) using unsecure v1/v2c.

    not to mention the GALL of using a hardcoded write-password.

    (you know, the snmp opportunities have nearly gone to zero and it

  • Apple patented this in 2008. C'mon, Samsung, at least change the password to something other than "jobsrules".
    • by tomofumi (831434)
      Nope, everyone knows it is root/alpine ;)
  • I think I have one of the printers in question. Does this allow me to do anything useful or interesting? Where can I find more information on playing with it?

  • They guy who designed the security for this printer quit and became the chief of security for Onity hotel swipe card key systems, it looks like.
  • How often you see a Samsung printer hanging around in office? And you need someone come to your office to exploit its snmp backdoor, I'd assume no one will assign their printer with a public internet IP. Maybe add a firewall / switch ACL to block it before the printer LAN port will do...
  • And in case anyone else wants to test, the password is: s!a@m#n$p%c

Algol-60 surely must be regarded as the most important programming language yet developed. -- T. Cheatham

Working...