Slashdot Mirror


Hardcoded Administrator Account Opens Backdoor Access To Samsung Printers

hypnosec writes "A new flaw has been discovered in printers manufactured by Samsung whereby a backdoor in the form of an administrator account would not only enable attackers to take control of the flawed device, but also allow them to attack other systems in the network. According to a warning on US-CERT, the administrator account is hard-coded in the device in the form of an SNMP community string with full read-write access. The backdoor is present not only in Samsung printers but also in Dell printers that have been manufactured by Samsung. The administrator account remains active even if SNMP is disabled from the printer's administration interface."

103 comments

  1. Forget about the printers... by RocketRabbit · · Score: 2, Interesting

    What about the Samsung backdoor into your phones?

    1. Re:Forget about the printers... by Anonymous Coward · · Score: 3, Funny

      They're copying Apple's?

    2. Re:Forget about the printers... by iamhassi · · Score: 1, Insightful

      What about the Samsung backdoor into your phones?

      That's the first thing I thought too, that if we just discovered this in Samsung printers is there a hardcoded backdoor in Samsung galaxy s3 phones too?

      --
      my karma will be here long after I'm gone
    3. Re:Forget about the printers... by Anonymous Coward · · Score: 0

      sounds like a ... revolving back door!

      Samsung printers - every SCADA facility should have one.

      FTA:
      "Samsung has stated that models released after October 31, 2012 are not affected by this vulnerability."

      How many is that exactly. Let me guess, NONE .. Maybe they were due to pump the next batch in on Nov 31

      "Samsung has also indicated that they will be releasing a patch tool later this year to address vulnerable devices."

      It's hardcoded, so what is this tool? Let me guess.. a SOLDERING IRON..

    4. Re:Forget about the printers... by Anonymous Coward · · Score: 0

      "Hard coded" isn't what it used to be. No soldering iron needed.
      They'll just update the firmware.

    5. Re:Forget about the printers... by VortexCortex · · Score: 3, Funny

      That's the first thing I thought too, that if we just discovered this in Samsung printers is there a hardcoded backdoor in Samsung galaxy s3 phones too?

      Hmm... Good question. If I had one myself, I could tell you just by looking... Does the S3 come with a paper feeder? If so, it certainly has a back door of some kind.
      I mean, how else do you clear paper jams?

    6. Re:Forget about the printers... by slashmydots · · Score: 1

      What about the Samsung backdoor into your phones?

      I am more concerned about that, as all of our Samsung printers have broken at my work. If you've never seen a laser printer's fuser blow out after 50 prints, buy a Samsung, and get some damn popcorn lol.

    7. Re:Forget about the printers... by Anonymous Coward · · Score: 0

      Good luck with that if your device is not sold anymore. I have a Samsung laser printer and TV, and neither of them has received any updates since the new models arrived in stores.

  2. Don't let Ben Bernanke find out about this... by hawks5999 · · Score: 2

    He'll have a printer botnet running in no time!

    1. Re:Don't let Ben Bernanke find out about this... by Anonymous Coward · · Score: 0

      I would pay to see a printer botnet

    2. Re:Don't let Ben Bernanke find out about this... by hawks5999 · · Score: 2

      You have no idea how true that is.

    3. Re:Don't let Ben Bernanke find out about this... by detritus. · · Score: 1

      Today printers, tomorrow makerbots making fake gold bars.

    4. Re:Don't let Ben Bernanke find out about this... by Anonymous Coward · · Score: 0

      Mods! Why is this post not moderated +5 funny?

    5. Re:Don't let Ben Bernanke find out about this... by jones_supa · · Score: 1

      We don't know who Ben Bernanke is.

    6. Re:Don't let Ben Bernanke find out about this... by Anonymous Coward · · Score: 0

      joke of the day!

  3. Silver Lining? by CanHasDIY · · Score: 1, Interesting

    Because of full read-write access, the data that passes through the printer is at risk of being disclosed.

    Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:Silver Lining? by Anonymous Coward · · Score: 3, Informative

      Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      No need. Following a link from the page you posted shows Samsung doesn't have tracking dots.

    2. Re:Silver Lining? by Trepidity · · Score: 1, Informative

      This just gives you the equivalent of local administrator access, and local admins can't turn off those tracking dots, so you almost certainly can't with this SNMP admin password either. The tracking-dot stuff is hardcoded somewhere that's not supposed to be user-visible, not even admin-visible.

    3. Re:Silver Lining? by CanHasDIY · · Score: 1, Interesting

      Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      No need. Following a link from the page you posted shows Samsung doesn't have tracking dots.

      Have to take your word for it, as the firewall here blocks the EFF's website...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    4. Re:Silver Lining? by Anonymous Coward · · Score: 0

      According to seeingyellow.com and its EFF sources, Samsung doesn't produce yellow-dot printing printers.

      I'm not sure if the Dell models listed (3000CN, 3100CN, 5100CN) are manufactured by Samsung.

    5. Re:Silver Lining? by Anonymous Coward · · Score: 1

      Incorrect, my Samsung 610ND produces the dots. Most Samsung lasers do. SNMP has nothing to do with that; I was told that the dots are generated in hardware on the laser assembly. You cannot disable them, ever.

    6. Re:Silver Lining? by nurb432 · · Score: 1

      Sure they don't.

      --
      ---- Booth was a patriot ----
    7. Re:Silver Lining? by evilviper · · Score: 1

      Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      Samsung is basically the only manufacturer that DOESN'T insert yellow tracking dots. Your own link DOESN'T include Samsung on the list of manufacturers to call, and the EFF link of affected models lists all tested Samsung units as free and clear.

      If anything, this is REVERSE karma.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    8. Re:Silver Lining? by Anonymous Coward · · Score: 1

      > You cannot disable them, ever.

      Oh? My 3lb hammer thinks otherwise.

    9. Re:Silver Lining? by YrWrstNtmr · · Score: 1

      I'm not sure if the Dell models listed (3000CN, 3100CN, 5100CN) are manufactured by Samsung.

      I have a 3100cn. Don't think it is Samsung under the hood. Other sources are saying Fuji/Xerox, and the NIC reports Fuj.

    10. Re:Silver Lining? by Samantha+Wright · · Score: 1

      No, you fool! If you do that you'll unleash the Spirit of Yellow Dots, and they'll haunt you for the rest of time! You'll have little discoloured spots on your vision for the rest of your life, and your children's lives, and so on for all eternity. Only an innocent, blind to the ways of the yellow dot, can safely destroy such a printer.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    11. Re:Silver Lining? by mlk · · Score: 1

      Could you use this to add tracker dots?

      --
      Wow, I should not post when knackered.
    12. Re:Silver Lining? by CanHasDIY · · Score: 1

      Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      Samsung is basically the only manufacturer that DOESN'T insert yellow tracking dots. Your own link DOESN'T include Samsung on the list of manufacturers to call, and the EFF link of affected models lists all tested Samsung units as free and clear.

      Well, then, I guess I know which brand of laser printer I'm going for next time I'm in the market.

      If anything, this is REVERSE karma.

      Amrak?

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    13. Re:Silver Lining? by evilviper · · Score: 1

      Samsung also has the least-expensive laser printers (for home use at least, not sure about higher-end models). Though it's no longer produced, I'm very happy with my $150 CLP-325W color-laser printer with ethernet and WiFi (g), though I hear early-adopters had to live with some firmware bugs. 4W idle, and 0.5W switched-off. Also, the "w" was their only CLP model that included PCL compatibility.

      Their earlier entries into the market weren't so stellar... Lots of paper jams with the CLP-300, not the best longevity, and idle and powered-off power levels were terribly high. That said, toner for the CLP-300 is dirt cheap, while newer models aren't so competitive. For home use it makes no difference, but for workgroup use it might matter.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  4. Thumbs up! by DarthBling · · Score: 1

    Nothing like security through obscurity.

    1. Re:Thumbs up! by Anonymous Coward · · Score: 0

      Nothing like sheer stupidity.

      Fixed. You'd think people would know by now that hard-coded administrator accounts are a bad idea. Stuxnet, anyone?

  5. This isn't the first time I have heard of this by techsoldaten · · Score: 1

    Trying to remember where I heard this, but there was something similar with the old HP laserjet printers.

    I think there was a time when it was considered good practice to put backdoors like this into internet connected devices. I think the reasoning was that every device needed to have a universal password.

    But yeah, this is a pretty crazy issue to have.

    1. Re:This isn't the first time I have heard of this by Lonewolf666 · · Score: 1

      A physical reset button that restores the factory settings is OK. While there is some abuse potential, an attacker has to get to the printer first which rules out purely remote hacks.

      But a hardcoded admin account that cannot be switched off? Baaad idea.

      --
      C - the footgun of programming languages
    2. Re:This isn't the first time I have heard of this by mlts · · Score: 3, Insightful

      Someone needs to invent a fairly simple device. It would have two Ethernet ports and a USB port. The USB port is used for programming it, perhaps then used for power. The Ethernet ports would be used for bridging/routing.

      You put the device between whatever device and the rest of the network, select what purpose the device does, (or manually specify ports), and call it done, with the thing automatically proxying/masquerading. Print job hits port 515 on the device, the device sends the packets to the printer.

      This way, even if there is some unknown port, it gets shut off.

      Of course, the next step for backdoors would be backdoors in protocols (such as unique packets that normally would get ignored), but that can be found by DPI.

    3. Re:This isn't the first time I have heard of this by xmundt · · Score: 2

      There is NO time when it is good to have a hard-coded admin password on a networked device. That is just bad programming.

                pleasant dreams.

      --
      YAB - http://blog.beemandave.com/
    4. Re:This isn't the first time I have heard of this by mattr · · Score: 1
    5. Re:This isn't the first time I have heard of this by mlts · · Score: 1

      In the past, there was a dongle about the size of 1-2 chewing gum sticks stacked together which had two Ethernet ports on it. On the internal side, it had a very simple, configurable web page, and it did decent firewalling and NAT. Since this was sold before the days where Wi-Fi became common, it was very useful for laptops when plugging into Ethernet.

      I don't remember the company that made them, but it would be nice to see that be sold again, but to protect devices.

    6. Re:This isn't the first time I have heard of this by Anonymous Coward · · Score: 0

      I can't tell if you're being sarcastic, but if not you're describing a hardware firewall with out of band management. They are widely available.

    7. Re:This isn't the first time I have heard of this by qubezz · · Score: 1

      HP has a backdoor-by-design, it's called ePrint, where the printer phones home to HP and maintains contact with "the cloud", so that email and web printing jobs can be sent to the printer from knowing a not-too-long URL.

      Then there is the HP flaw where a printer's firmware can be updated over the Internet by anyone or even through a specially crafted print job to do whatever they like: http://www.youtube.com/watch?v=njVv7J2azY8 (long technical video). Of course HP semi-refuted this faster than a security researcher there would have been able to investigate.

    8. Re:This isn't the first time I have heard of this by DarwinSurvivor · · Score: 1

      This simple enough for you?

    9. Re:This isn't the first time I have heard of this by Anonymous Coward · · Score: 0

      Such devices are called "network bridges". They are used to connect two local or remote LANs together. You program them using a local terminal, remote administration software or set them up to automatically identify where devices are on the network. They do some smart filtering to block/allow packets based on protocol, addresses, ports and masks. Typically, they would block outgoing multicasts, server broadcasts and incoming print requests. Auto-detection of addresses would mean that it would block spoof addresses from outside the bridge. Port redirection is also possible.

      Modern wi-fi firewall routers do that, but even they have a built-in firewall that is enabled by default, but tunnelling VPN has to be blocked separately.

    10. Re:This isn't the first time I have heard of this by drinkypoo · · Score: 1

      Someone needs to invent a fairly simple device

      It's called a firewall and it exists.

      Of course, the next step for backdoors would be backdoors in protocols (such as unique packets that normally would get ignored), but that can be found by DPI.

      Yes, this is the hard part. You now need to know everything about every protocol anyone is using. Good luck!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:This isn't the first time I have heard of this by mlts · · Score: 1

      Correct. What is so special about the firewall/NAT box I'm mentioning is the form factor -- something of a small size that can be made relatively cheaply that can be easily plugged in between the switch and the device, and be powered off the Ethernet cable.

      Of course, the same result could be achieved by putting devices on their own VLAN, but this is a relatively quick and dirty way to accomplish the same thing.

    12. Re:This isn't the first time I have heard of this by pnutjam · · Score: 1

      Email me, I can build these all day out of Alix boxes and pfsense. They would be in the $150 range.

    13. Re:This isn't the first time I have heard of this by Anonymous Coward · · Score: 0

      Some devices, i.e. LaserJets (such as the 4250N), use the same protocol for printing and software upgrades and configuration.

  6. Dingle berry stew by Anonymous Coward · · Score: 0

    Crap! Now I have to move my printers out of the DMZ.

  7. Bloated Hardware by Anonymous Coward · · Score: 0

    It's hard to understand how we've got to the point where the simplest items to explain are so complex in reality.

    Why does a printer have "accounts"? Its job is to print a file we throw at it. It should be nothing but a recipient of information, a dropbox. In fact it should be an email, to which you send an attached file, and the printer fetches it and prints it. Or at least that should be the interface.

    But what we have now is just a horrible mess. I fix the printers in my office several times every week. They're very unreliable, over-engineered pieces of hardware.

    It's not "back-to-basics" that we need, it's just common sense.

    A printer should be a computer that only receives files and prints them. They should not be "connected" to a network any more than a UDP package is connected to its recipient.

    1. Re:Bloated Hardware by Tanktalus · · Score: 5, Insightful

      Yes. Because we don't want any way to prevent student A from cancelling student B's jobs. Or any way for a trusted user, such as the sysadmin, from cancelling all jobs.

      And we definitely want all nimwits on the network to have complete and arbitrary control over how many pages they can use, or how much ink. Maximum quality print jobs in a comp sci department printer? No problem! (I remember watching a dot-matrix printer spit out a core file, that was entertaining.)

      Definitely, no good whatsoever could come from a printer with any authentication control.

      Obviously, Samsung agrees, because all their printers apparently have the same unchangeable admin account and password.

    2. Re:Bloated Hardware by Anonymous Coward · · Score: 0

      No need for a computer connection or a network. Install a floppy drive on the printer. Even better, hook-up a keyboard to the printer so users can submit jobs directly to the printer.

    3. Re:Bloated Hardware by wonkey_monkey · · Score: 1

      TL;DR

      Printers have a lot of features I don't use, so I can't understand why anyone else should be able to have those features.

      I "fix" the printers in my office several times every week.

      FTFY. I haven't had to fix the printers in my office for months, possibly because I did it properly last time. Let the anecdote wars begin!

      --
      systemd is Roko's Basilisk.
    4. Re:Bloated Hardware by evilviper · · Score: 4, Insightful

      A printer should be a computer that only receives files and prints them. They should not be "connected" to a network any more than a UDP package is connected to its recipient.

      Oh good, because we wouldn't want to have any assurances that our 100MB print jobs were transferred to the printer successfully... Or know when they're running low on toner... or that there's a paper jam and the printer has caught fire... or be able to tell it to use the media in tray number 5... or be able to connect a printer to your WiFi network.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    5. Re:Bloated Hardware by Anonymous Coward · · Score: 0

      Those sound like jobs for a server, possibly managing the printer, but definitely not for a printer.
      Some people just want to print something and all this architecture you mentioned gets in the way.
      And because there's no decoupling between printing and all those tasks surrounding printing that you listed, it's impossible to override and simply print something right away and deal with other problems later (authentication problems, queue problems, etc).

    6. Re:Bloated Hardware by Anonymous Coward · · Score: 0

      How is your server going to manage the printer if the printer isn't allowed to send replies back to it?

    7. Re:Bloated Hardware by Anonymous Coward · · Score: 1

      FTFY. I haven't had to fix the printers in my office for months, possibly because I did it properly last time. Let the anecdote wars begin!

      Actually, your printer's been going down every few days. Good thing I'm rebooting it for you from Siberia!

    8. Re:Bloated Hardware by Bert64 · · Score: 1

      A printer still needs to report feedback, such as toner levels, problems like paper jams, success/failure of a job etc.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:Bloated Hardware by Anonymous Coward · · Score: 0

      Student A would just switch the printer on and off again. Happened all the time in my university. Student B has just printed out their 150+ page thesis with HD resolution illustrations and the printer would lock up for an hour as the pages were Postscript rendered. Student A wants to print out a map for a pub crawl starting in 15 minutes. "Whoops! The printer just reset. Must have been a power failure or a software bug. Oh dear. Guess the printer lost that job. Never mind, it will continue on with the others."

    10. Re:Bloated Hardware by Anonymous Coward · · Score: 0

      Those sound like jobs for a server, possibly managing the printer, but definitely not for a printer.

      I don't see how hooking a print server up to the network, and then connecting it to a 'dumb' printer, is logically any different than putting the print server inside the same shell that houses the printer.

      Some people just want to print something and all this architecture you mentioned gets in the way.

      And when "something" is the new intern's 2,000 page Art History textbook which he'd like to have on full-color, high-gloss paper, that's a good thing. Oh, and he'd like to make a copy for each of the 12 hot chicks in his art class he's hoping to bang.

      If you're just going to flat out hook the thing up to the network with nothing in the way of security, then nobody NEEDS to exploit jack shit because they've already got full access to the device. If you're not worried about such things and "just want to print" then fine, buy a more basic model or hook it directly to your computer with USB or serial cables.

    11. Re:Bloated Hardware by Anonymous Coward · · Score: 0

      Student A wants to print out a map for a pub crawl starting in 15 minutes. "Whoops! The printer just reset. Must have been a power failure or a software bug. Oh dear. Guess the printer lost that job. Never mind, it will continue on with the others."

      Actually, the Canon & Ricoh printers in my office will reprint the job if it fails to print due to a hardware issue (which includes turning it off). You'll have to delete the job from the printer.

    12. Re:Bloated Hardware by jones_supa · · Score: 1

      Why does a printer have "accounts"? Its job is to print a file we throw at it. It should be nothing but a recipient of information, a dropbox. In fact it should be an email, to which you send an attached file, and the printer fetches it and prints it. Or at least that should be the interface.

      By the way, HP has exactly that as a feature (ePrint) in their current printers. They give an e-mail address for your printer from their cloud service, and then you can start sending documents there.

    13. Re:Bloated Hardware by Anonymous Coward · · Score: 0

      http://www.southparkstudios.com/full-episodes/s16e08-sarcastaball

  8. Printers are becoming obsolete. by Andy+Prough · · Score: 1

    At least for my work. I'm down to about 5 pages a month and could probably get by with none in a pinch.

  9. not if you need singed paper work by Joe_Dragon · · Score: 1

    not if you need singed paper work

    1. Re:not if you need singed paper work by Anonymous Coward · · Score: 1

      not if you need singed paper work

      Exactly. I work for a Big Pharma company, and anything that needs doing requires at least one form signed by at least three levels of management. I alone fill up a large recycle bin once a week.

    2. Re:not if you need singed paper work by idontgno · · Score: 5, Funny

      not if you need singed paper work

      Good point. No matter how much heat you apply, you can't get a good char on a softcopy. Not even a little browning. You just burn your monitor.

      Nothing burns, shreds, or pulps like paper.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:not if you need singed paper work by Quiet_Desperation · · Score: 1

      Pack of matches has that covered.

    4. Re:not if you need singed paper work by FaxeTheCat · · Score: 1

      Just out of curiosity: You need 3 levels of management to sign, and then you recycle it?

    5. Re:not if you need singed paper work by jtownatpunk.net · · Score: 2

      I think your fuser's too hot.

    6. Re:not if you need singed paper work by sublayer · · Score: 1

      not if you need singed paper work

      Good point. No matter how much heat you apply, you can't get a good char on a softcopy. ...

      I can get plenty of chars on my softcopies.

    7. Re:not if you need singed paper work by The+Archon+V2.0 · · Score: 1
    8. Re:not if you need singed paper work by ColdWetDog · · Score: 1

      Hopefully, he's filling the recycle bin with managers.

      Not likely, but one can dream.

      --
      Faster! Faster! Faster would be better!
    9. Re:not if you need singed paper work by Anonymous Coward · · Score: 1

      "not if you need singed paper work"

      No, no, you're thinking of some of the original laser printers - the new ones have MUCH better temperature control, and almost never set the paper on fire.

    10. Re:not if you need singed paper work by Anonymous Coward · · Score: 0

      Well, aren't you just a char *

    11. Re:not if you need singed paper work by Anonymous Coward · · Score: 0

      What about an unsinged char?

    12. Re:not if you need singed paper work by PixetaledPikachu · · Score: 1

      not if you need singed paper work

      yes, additionally you'll also need a match or torch

  10. Old news to Dell by Anonymous Coward · · Score: 2, Interesting

    We have a few Dell 1720's and they have this issue. SNMP public is read/write on these printers even if you turn it off. We discovered this back in 2011 during an internal network security audit. The risk is pretty low for us because we have adequate network controls but we asked Dell technical support about this and they told us that because the printers were so old there was no hope of a firmware fix; they actually first said it was a feature before I called their BS.

    Anyway, they didn't even have to research it. They had it right in their KB. If it was on for the old printers and they didn't fix it on newer printers then someone dropped the ball (or wanted to keep the "feature").

    1. Re:Old news to Dell by bill_mcgonigle · · Score: 1

      Anyway, they didn't even have to research it. They had it right in their KB. If it was on for the old printers and they didn't fix it on newer printers then someone dropped the ball (or wanted to keep the "feature").

      Or were ambivalent enough about security that they didn't think it worthwhile spending one yellow-dotted cent on it. Bugger, time to firewall the printers.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  11. I can testify! by Quiet_Desperation · · Score: 5, Funny

    but will also allow them to attack other systems in the network

    We had one go on a rampage last week! It tore up half the bay before a couple of us beat it to death with a dictionary and one of those big staplers from the copy room. WHY WOULD THEY EVEN PUT HIDDEN ARMS AND LEGS ON A PRINTER?!

    1. Re:I can testify! by mu51c10rd · · Score: 1

      Watching Office Space were you...?

    2. Re:I can testify! by Anonymous Coward · · Score: 0

      Now that you mention it, I'm pretty sure I have seen video demonstrations of this attack before.

    3. Re:I can testify! by drinkypoo · · Score: 2

      We had one go on a rampage last week! It tore up half the bay before a couple of us beat it to death with a dictionary and one of those big staplers from the copy room. WHY WOULD THEY EVEN PUT HIDDEN ARMS AND LEGS ON A PRINTER?!

      PC LOAD LETTER. YOU HAVE TEN SECONDS TO COMPLY.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:I can testify! by Quiet_Desperation · · Score: 1

      Nope. Did they do that?

  12. I can't believe it, Jim! by jtownatpunk.net · · Score: 2

    That girl's standing over there listening and you're telling him about our back doors?

  13. It's a Feature! by Flipstylee · · Score: 1

    That is all.

  14. again? by genericmk · · Score: 2

    It's about time the large corporations sent a memo to developers to remove hard coded administrator access from its devices.

    1. Re:again? by Anonymous Coward · · Score: 0

      It's about time the large corporations sent a memo to developers to remove hard coded administrator access from its devices.

      You need a hard-coded default access in order to perform initial configuration and for disaster recovery. But why they chose to make such access available in-band baffles me... it shouldn't be accessible via SNMP or via the ethernet port at all- it should be something which requires that you physically connect to a local console port. Preferably one which isn't used for any other purpose, and even then if the consumer wants to they should be able to simply shut that port down.

  15. So... by Anonymous Coward · · Score: 0

    Time to start attacking the company samsung directly!

    Backdoors are a-ok! Company approved!

    Let's get to cracking anonymous! at the very least it will be entertaining to sit and decide when all the printers in a company will spit out a goatse pic.

    captcha:jammed (lol)

  16. Remote access is the least of our worries by Anonymous Coward · · Score: 0

    'PC Load Letter'? What does that mean?

    1. Re:Remote access is the least of our worries by Shimbo · · Score: 1
  17. SNMP writes and not using snmp-v3? by TheGratefulNet · · Score: 1

    (ob disc: I have been in the snmp field for over 25 years doing development on agents as well as nms)

    let me see if I understand this:

    snmp set (writes) ability using something other than snmpv3?

    uhm, you're kidding me. tell me you are joking.

    the vendor gets an F- in design. sheesh! snmpv3 has been out long enough so that no one should be doing ANY sets (writes) using unsecure v1/v2c.

    not to mention the GALL of using a hardcoded write-password.

    (you know, the snmp opportunities have nearly gone to zero and it's now all outsourced (which puts me out of gainful employment, lately). and THIS is the crap 'designs' you get when you outsource it to clueless morons who get the job by being the lowest bidder. I wonder if the industry will learn its lesson that 'you get what you pay for' when it comes to actual design and architecture, not to mention implementation details.)

    --
    "It is now safe to switch off your computer."
  18. What were they thinking?! by Cajun+Hell · · Score: 1

    Apple patented this in 2008. C'mon, Samsung, at least change the password to something other than "jobsrules".

    --
    "Believe me!" -- Donald Trump
    1. Re:What were they thinking?! by Anonymous Coward · · Score: 0

      Lay down your gun and surrender quiet, or there's gonna be A CAJUN RIOT!!

      Ahem. I think that should be 'quietly'

    2. Re:What were they thinking?! by tomofumi · · Score: 1

      Nope, everyone knows it is root/alpine ;)

    3. Re:What were they thinking?! by Cajun+Hell · · Score: 1

      Lay down your gun and surrender quiet, or there's gonna be A CAJUN RIOT!!

      Ahem. I think that should be 'quietly'

      Hm. That seems reasonable. Let's try that and see how it goes...

      "Lay down your gun and surrender quietly, or there's gonna be A CAJUN RIOTLY!"

      No. That doesn't work at all.

      --
      "Believe me!" -- Donald Trump
  19. Anything Useful? by crow · · Score: 1

    I think I have one of the printers in question. Does this allow me to do anything useful or interesting? Where can I find more information on playing with it?

  20. Backdoor boys by Anonymous Coward · · Score: 0

    It's all because Samsung engineers are backdoor kind of guys.

  21. It was Onity! by 140Mandak262Jamuna · · Score: 1

    The guy who designed the security for this printer quit and became the chief of security for Onity hotel swipe card key systems, it looks like.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  22. Not a big deal by tomofumi · · Score: 1

    How often do you see a Samsung printer hanging around in an office? And you need someone to come to your office to exploit its SNMP backdoor; I'd assume no one will assign their printer a public internet IP. Maybe adding a firewall / switch ACL to block it before the printer LAN port will do...

  23. Makes you wonder about all the Huawei ones... by Anonymous Coward · · Score: 0

    Or more generally about all the backdoors hidden deep down in hardware that we never heard about and yet that are daily used by state agencies to spy on citizens / companies / agencies.

    Huawei certainly comes to mind...

    But then what about stuff like the good old Crypto AG stuff where the key for mobile phone encryption would still be encrypted, but the rogue hardware chip would reduce the keyspace by using a certain number of known bits?

    I'm typing this on a MacBook Pro and between Apple, the Huawei 3G USB Internet connection and the Intel CPU, I wouldn't be surprised if there were three or four backdoors here (not mentioning my good old iPhone 3 sitting on my desk).

    Sad world.

  24. It worked on my printer by dskoll · · Score: 1

    And in case anyone else wants to test, the password is: s!a@m#n$p%c

  25. IPv6 by Anonymous Coward · · Score: 0

    It is issues like this that make the whole idea behind IPv6 (that everything needs an internet address) so silly.
    Nobody wants to put their printer on the internet. If only because they do not want it to be hacked by a scriptkiddy.
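
Added example, not part of the original thread: a defender-side check for two points raised above, namely writes over SNMPv1/v2c (TheGratefulNet's comment) and an agent that still answers after SNMP has been disabled in the admin interface (the summary). It decodes the BER header of captured UDP payloads and flags them; the addresses (RFC 5737 documentation range), the community value, the sample datagrams and all function names are constructed for illustration.

```python
import hashlib
from typing import NamedTuple, Optional

SNMP_PORT = 161
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}


class SnmpHeader(NamedTuple):
    version: str
    community: Optional[bytes]  # None for v3, which carries no community string
    pdu: Optional[str]


def read_tlv(buf, pos):
    """Decode one BER tag/length at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                  # short form: the byte is the length
        length = first
    else:                             # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, pos, pos + length


def parse_snmp(payload):
    """Return the SnmpHeader of a UDP payload, or None if it is not well-formed SNMP."""
    try:
        tag, start, end = read_tlv(payload, 0)
        if tag != 0x30:               # outer SEQUENCE
            return None
        body = payload[start:end]
        tag, s, e = read_tlv(body, 0)
        if tag != 0x02 or s == e:     # version INTEGER
            return None
        version = VERSIONS.get(int.from_bytes(body[s:e], "big"))
        if version is None:
            return None
        if version == "v3":
            return SnmpHeader(version, None, None)
        tag, s, e = read_tlv(body, e)
        if tag != 0x04:               # community OCTET STRING
            return None
        pdu_tag, _, _ = read_tlv(body, e)
        return SnmpHeader(version, bytes(body[s:e]), PDU_NAMES.get(pdu_tag, hex(pdu_tag)))
    except ValueError:
        return None


def audit(datagrams, printers, mgmt_hosts, snmp_disabled):
    """datagrams: (src, sport, dst, dport, payload). Returns (host, message) findings."""
    findings = []
    for src, sport, dst, dport, payload in datagrams:
        hdr = parse_snmp(payload)
        if hdr is None:
            continue
        if src in snmp_disabled and sport == SNMP_PORT:
            findings.append((src, "agent answered although SNMP is disabled in the admin interface"))
        if dst in printers and dport == SNMP_PORT:
            if hdr.version in ("v1", "v2c") and hdr.pdu == "SetRequest":
                # Log a fingerprint, never the community itself: it is a credential.
                fp = hashlib.sha256(hdr.community).hexdigest()[:8]
                findings.append((src, f"{hdr.version} SetRequest to {dst}, community sha256:{fp}"))
            elif src not in mgmt_hosts:
                findings.append((src, f"{hdr.version} {hdr.pdu or 'message'} to {dst} from non-management host"))
    return findings


def tlv(tag, value):
    """Encode one BER TLV (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        head = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        head = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value


def sample_message(version, community, pdu_tag):
    """Constructed v1/v2c message: request-id 1, no error, empty varbind list."""
    fields = tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, b"")
    return tlv(0x30, tlv(0x02, bytes([version])) + tlv(0x04, community) + tlv(pdu_tag, fields))


PRINTER, MGMT, WORKSTATION = "192.0.2.50", "192.0.2.10", "192.0.2.77"
COMMUNITY = b"constructed-community"  # placeholder, not a real device credential


def run_sample():
    v3 = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, b""))
    datagrams = [
        (MGMT, 40000, PRINTER, SNMP_PORT, sample_message(1, COMMUNITY, 0xA0)),
        (WORKSTATION, 40001, PRINTER, SNMP_PORT, sample_message(1, COMMUNITY, 0xA3)),
        (PRINTER, SNMP_PORT, WORKSTATION, 40001, sample_message(1, COMMUNITY, 0xA2)),
        (WORKSTATION, 40002, PRINTER, SNMP_PORT, sample_message(0, COMMUNITY, 0xA0)),
        (MGMT, 40003, PRINTER, SNMP_PORT, v3),
        (WORKSTATION, 40004, PRINTER, SNMP_PORT, b"\x30\x05\x02"),  # truncated, ignored
    ]
    return audit(datagrams, {PRINTER}, {MGMT}, {PRINTER})


if __name__ == "__main__":
    for host, message in run_sample():
        print(host, message)
```
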