Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hardcoded Administrator Account Opens Backdoor Access To Samsung Printers

Posted by Soulskill on from the apple-probably-suing-for-patent-infringement dept.

hypnosec writes "A new flaw has been discovered in printers manufactured by Samsung whereby a backdoor in the form of an administrator account would enable attackers to not only take control of the flawed device, but will also allow them to attack other systems in the network. According to a warning on US-CERT the administrator account is hard-coded in the device in the form of an SNMP community string with full read-write access. The backdoor is not only present in Samsung printers but also in Dell printers that have been manufactured by Samsung. The administrator account remains active even if SNMP is disabled from the printer's administration interface."

70 of 103 comments (clear)

  1. Forget about the printers... by RocketRabbit · · Score: 2, Interesting

    What about the Samsung backdoor into your phones?

    1. Re:Forget about the printers... by Anonymous Coward · · Score: 3, Funny

      They're copying Apple's?

    2. Re:Forget about the printers... by iamhassi · · Score: 1, Insightful

      What about the Samsung backdoor into your phones?

      That's the first thing I thought too, that if we just discovered this in Samsung printers is there a hardcoded backdoor in Samsung galaxy s3 phones too?

      --
      my karma will be here long after I'm gone
    3. Re:Forget about the printers... by VortexCortex · · Score: 3, Funny

      That's the first thing I thought too, that if we just discovered this in Samsung printers is there a hardcoded backdoor in Samsung galaxy s3 phones too?

      Hmm... Good question. If I had one myself, I could tell you just by looking... Does the S3 come with a paper feeder? If so, it certainly has a back door of some kind.
      I mean, how else do you clear paper jams?

    4. Re:Forget about the printers... by slashmydots · · Score: 1

      What about the Samsung backdoor into your phones?

      I am more concerned about that, as all of our Samsung printers have broken at my work. If you've never seen a laser printer's fuser blow out after 50 prints, buy a Samsung, and get some damn popcorn lol.

  2. Don't let Ben Bernanke find out about this... by hawks5999 · · Score: 2

    He'll have a printer botnet running in no time!

    1. Re:Don't let Ben Bernanke find out about this... by hawks5999 · · Score: 2

      You have no idea how true that is.

    2. Re:Don't let Ben Bernanke find out about this... by detritus. · · Score: 1

      Today printers, tomorrow makerbots making fake gold bars.

    3. Re:Don't let Ben Bernanke find out about this... by jones_supa · · Score: 1

      We don't know who Ben Bernanke is.

  3. Silver Lining? by CanHasDIY · · Score: 1, Interesting

    Because of full read-write access, the data that passes through the printer is at risk of being disclosed.

    Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:Silver Lining? by Anonymous Coward · · Score: 3, Informative

      Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      No need. Following a link from the page you posted shows Samsung doesn't have tracking dots.

    2. Re:Silver Lining? by Trepidity · · Score: 1, Informative

      This just gives you the equivalent of local administrator access, and local admins can't turn off those tracking dots, so you almost certainly can't with this SNMP admin password either. The tracking-dot stuff is hardcoded somewhere that's not supposed to be user-visible, not even admin-visible.

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    3. Re:Silver Lining? by CanHasDIY · · Score: 1, Interesting

      Question: Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      No need. Following a link from the page you posted shows Samsung doesn't have tracking dots.

      Have to take your word for it, as the firewall here blocks the EFF's website...

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    4. Re:Silver Lining? by Anonymous Coward · · Score: 1

      Incorrect, my Samsung 610ND produces the dots. Most Samsung lasers do. Snmp has nothing to do with that, I was told that the dots are generated in hardware on the laser assembly. You cannot disable them, ever.

    5. Re:Silver Lining? by nurb432 · · Score: 1

      Sure they dont.

      --
      ---- Booth was a patriot ----
    6. Re:Silver Lining? by evilviper · · Score: 1

      Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      Samsung is basically the only manufacturer that DOESN'T insert yellow tracking dots. Your own link DOESN'T include Samsung on the list of manufacturers to call, and the EFF link of affected models lists all tested Samsung units as free and clear.

      If anything, this is REVERSE karma.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    7. Re:Silver Lining? by Anonymous Coward · · Score: 1

      > You cannot disable them, ever.

      Oh? My 3lb hammer thinks otherwise.

    8. Re:Silver Lining? by YrWrstNtmr · · Score: 1

      I'm not sure if the Dell models listed (3000CN, 3100CN, 5100CN) are manufactured by Samsung.

      I have a 3100cn. Don't think it is Samsung under the hood. Other sources are saying Fuji/Xerox, and the NIC reports Fuj.

    9. Re:Silver Lining? by Samantha+Wright · · Score: 1

      No, you fool! If you do that you'll unleash the Spirit of Yellow Dots, and they'll haunt you for the rest of time! You'll have little discoloured spots on your vision for the rest of your life, and your children's lives, and so on for all eternity. Only an innocent, blind to the ways of the yellow dot, can safely destroy such a printer.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    10. Re:Silver Lining? by mlk · · Score: 1

      Could you use this to add tracker dots?

      --
      Wow, I should not post when knackered.
    11. Re:Silver Lining? by CanHasDIY · · Score: 1

      Does anyone know if this exploit could be used to alter/remove the tracking dots every color laser printer marks its documents with?

      Samsung is basically the only manufacturer that DOESN'T insert yellow tracking dots. Your own link DOESN'T include Samsung on the list of manufacturers to call, and the EFF link of affected models lists all tested Samsung units as free and clear.

      Well, then, I guess I know which brand of laser printer I'm going for next time I'm in the market.

      If anything, this is REVERSE karma.

      Amrak?

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    12. Re:Silver Lining? by evilviper · · Score: 1

      Samsung also has the least-expensive laser printers (for home use at least, not sure about higher-end models). Though it's no longer produced, I'm very happy with my $150 CLP-325W color-laser printer with ethernet and WiFi (g), though I hear early-adopters had to live with some firmware bugs. 4W idle, and 0.5W switched-off. Also, the "w" was their only CLP model that included PCL compatibility.

      Their earlier entries into the market weren't so stellar... Lots of paper jams with the CLP-300, not the best longevity, and idle and powered-off power levels were terribly high. That said, toner for the CLP-300 is dirt cheap, while newer models aren't so competitive. For home use it makes no difference, but for workgroup use it might matter.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  4. Thumbs up! by DarthBling · · Score: 1

    Nothing like security through obscurity.

  5. This isn't the first time I have heard of this by techsoldaten · · Score: 1

    Trying to remember where I heard this, but there was something similar with the old HP laserjet printers.

    I think there was a time when it was considered good practice to put backdoors like this into internet connected devices. I think the reasoning was that every device needed to have a universal password.

    But yeah, this is a pretty crazy issue to have.

    1. Re:This isn't the first time I have heard of this by Lonewolf666 · · Score: 1

      A physical reset button that restores the factory settings is OK. While there is some abuse potential, an attacker has to get to the printer first which rules out purely remote hacks.

      But a hardcoded admin account that cannot be switched off? Baaad idea.

      --
      C - the footgun of programming languages
    2. Re:This isn't the first time I have heard of this by mlts · · Score: 3, Insightful

      Someone needs to invent a fairly simple device. It would have two Ethernet ports and a USB port. The USB port is used for programming it, perhaps then used for power. The Ethernet ports would be used for bridging/routing.

      You put the device between whatever device and the rest of the network, select what purpose the device does, (or manually specify ports), and call it done, with the thing automatically proxying/masquerading. Print job hits port 515 on the device, the device sends the packets to the printer.

      This way, even if there is some unknown port, it gets shut off.

      Of course, the next step for backdoors would be backdoors in protocols (such as unique packets that normally would get ignored), but that can be found by DPI.

    3. Re:This isn't the first time I have heard of this by xmundt · · Score: 2

      There is NO time when it is good to have a hard-coded admin password on a networked device. that is just bad programming.

                pleasant dreams.

      --
      YAB - http://blog.beemandave.com/
    4. Re:This isn't the first time I have heard of this by mattr · · Score: 1

      I was interested in looking around.. how about these?

      PC Engines ALIX 1D is $110
      http://www.wezm.net/technical/2011/12/openwrt-on-alix/
      http://www.pcengines.ch/order1.php?c=4

      LyconSys MRT150N mini-vpn-router is 99 EUR on Amazon Germany
      http://www.lyconsys.com/index.php/en/products/minivpnrouters
      http://www.amazon.de/Mini-VPN-Router-MRT150N-WLAN-150-MBit/dp/B0040G9F8I/ref=cm_pdp_imgs_itm_title_1/279-9174569-5637012

    5. Re:This isn't the first time I have heard of this by mlts · · Score: 1

      In the past, there was a dongle about the size of 1-2 chewing gum sticks stacked together which had two Ethernet ports on it. On the internal side, it had a very simple, configurable web page, and it did decent firewalling and NAT. Since this was sold before the days where Wi-Fi became common, it was very useful for laptops when plugging into Ethernet.

      I don't remember the company that made them, but it would be nice to see that be sold again, but to protect devices.

    6. Re:This isn't the first time I have heard of this by qubezz · · Score: 1

      HP has a backdoor-by-design, it's called ePrint, where the printer phones home to HP and maintains contact with "the cloud", so that email and web printing jobs can be sent to the printer from knowing a not-too-long URL.

      Then there is the HP flaw where a printer's firmware can be updated over the Internet by anyone or even through a specially crafted print job to do whatever they like: http://www.youtube.com/watch?v=njVv7J2azY8 (long technical video). Of course HP semi-refuted this faster than a security researcher there would have been able to investigate.

    7. Re:This isn't the first time I have heard of this by DarwinSurvivor · · Score: 1

      This simple enough for you?

    8. Re:This isn't the first time I have heard of this by drinkypoo · · Score: 1

      Someone needs to invent a fairly simple device

      It's called a firewall and it exists.

      Of course, the next step for backdoors would be backdoors in protocols (such as unique packets that normally would get ignored), but that can be found by DPI.

      Yes, this is the hard part. You now need to know everything about every protocol anyone is using. Good luck!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:This isn't the first time I have heard of this by mlts · · Score: 1

      Correct. What is so special about the firewall/NAT box I'm mentioning is the form factor -- something of a small size that can be made relatively cheaply that can be easily plugged in between the switch and the device, and be powered off the Ethernet cable.

      Of course, the same result could be achieved by putting devices on their own VLAN, but this is a relatively quick and dirty way to accomplish the same thing.

    10. Re:This isn't the first time I have heard of this by pnutjam · · Score: 1

      Email me, I can build these all day out of Alix boxes and pfsense. They would be in the $150 range.

      --
      Cheap storage VM.
  6. Printers are becoming obsolete. by Andy+Prough · · Score: 1

    At least for my work. I'm down to about 5 pages a month and could probably get by with none in a pinch.

  7. Re:Bloated Hardware by Tanktalus · · Score: 5, Insightful

    Yes. Because we don't want any way to prevent student A from cancelling student B's jobs. Or any way for a trusted user, such as the sysadmin, from cancelling all jobs.

    And we definitely want all nimwits on the network to have complete and arbitrary control over how many pages they can use, or how much ink. Maximum quality print jobs in a comp sci department printer? No problem! (I remember watching a dot-matrix printer spit out a core file, that was entertaining.)

    Definitely, no good whatsoever could come from a printer with any authentication control.

    Obviously, Samsung agrees, because all their printers apparently have the same unchangeable admin account and password.

  8. not if you need singed paper work by Joe_Dragon · · Score: 1

    not if you need singed paper work

    1. Re:not if you need singed paper work by Anonymous Coward · · Score: 1

      not if you need singed paper work

      Exactly. I work for a Big Pharma company, and anything that needs doing requires at least one form signed by at least three levels of management. I alone fill up a large recycle bin once a week.

    2. Re:not if you need singed paper work by idontgno · · Score: 5, Funny

      not if you need singed paper work

      Good point. No matter how much heat you apply, you can't get a good char on a softcopy. Not even a little browning. You just burn your monitor.

      Nothing burns, shreds, or pulps like paper.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    3. Re:not if you need singed paper work by Quiet_Desperation · · Score: 1

      Pack of matches has that covered.

    4. Re:not if you need singed paper work by FaxeTheCat · · Score: 1

      Just out of curiosity: You need 3 levels of management to sign, and then you recycle it?

    5. Re:not if you need singed paper work by jtownatpunk.net · · Score: 2

      I think your fuser's too hot.

    6. Re:not if you need singed paper work by sublayer · · Score: 1

      not if you need singed paper work

      Good point. No matter how much heat you apply, you can't get a good char on a softcopy. ...

      I can get plenty of chars on my softcopies.

    7. Re:not if you need singed paper work by The+Archon+V2.0 · · Score: 1
      I guess he works for the Bank of America's paperwork department.

      http://consumerist.com/2012/11/26/bank-of-america-is-really-good-at-losing-documents-really-bad-at-believing-my-mother-is-dead/

    8. Re:not if you need singed paper work by ColdWetDog · · Score: 1

      Hopefully, he's filling the recycle bin with managers.

      Not likely, but one can dream.

      --
      Faster! Faster! Faster would be better!
    9. Re:not if you need singed paper work by Anonymous Coward · · Score: 1

      "not if you need singed paper work"

      No, no, you're thinking of some of the original laser printers - the new ones have MUCH better temperature control, and almost never set the paper on fire.

    10. Re:not if you need singed paper work by PixetaledPikachu · · Score: 1

      not if you need singed paper work

      yes, additionally you'll also need a match or torch

  9. Old news to Dell by Anonymous Coward · · Score: 2, Interesting

    We have a few Dell 1720's and they have this issue. SNMP public is read/write on these printers even if you turn it off. We discovered this back in 2011 during an internal network security audit. The risk is pretty low for us because we have adaquate network controls but we asked Dell technical support about this and they told us that because the printers were so old there was no hope of a firmware fix; they actually first said it was a feature before I called their BS.

    Anyway, they didn't even have to research it. They had it right in their KB. If it was on for the old printers and they didn't fix it on newer printers then someone dropped the ball (or wanted to keep the "feature").

    1. Re:Old news to Dell by bill_mcgonigle · · Score: 1

      Anyway, they didn't even have to research it. They had it right in their KB. If it was on for the old printers and they didn't fix it on newer printers then someone dropped the ball (or wanted to keep the "feature").

      Or were ambivalent enough about security that they didn't think it worthwhile spending one yellow-dotted cent on it. Bugger, time to firewall the printers.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  10. I can testify! by Quiet_Desperation · · Score: 5, Funny

    but will also allow them to attack other systems in the network

    We had one go on a rampage last week! It tore up half the bay before a couple of us beat to death with a dictionary and one of those big staplers from the copy room. WHY WOULD THEY EVEN PUT HIDDEN ARMS AND LEGS ON A PRINTER?!

    1. Re:I can testify! by mu51c10rd · · Score: 1

      Watching Office Space were you...?

    2. Re:I can testify! by drinkypoo · · Score: 2

      We had one go on a rampage last week! It tore up half the bay before a couple of us beat to death with a dictionary and one of those big staplers from the copy room. WHY WOULD THEY EVEN PUT HIDDEN ARMS AND LEGS ON A PRINTER?!

      PC LOAD LETTER. YOU HAVE TEN SECONDS TO COMPLY.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:I can testify! by Quiet_Desperation · · Score: 1

      Nope. Did they do that?

  11. Re:Bloated Hardware by wonkey_monkey · · Score: 1
    TL;DR

    Printers have a lot of features I don't use, so I can't understand why anyone else should be able to have those features.

    I "fix" the printers in my office several times every week.

    FTFY. I haven't had to fix the printers in my office for months, possibly because I did it properly last time. Let the anecdote wars begin!

    --
    systemd is Roko's Basilisk.
  12. I can't believe it, Jim! by jtownatpunk.net · · Score: 2

    That girl's standing over there listening and you're telling him about our back doors?

  13. It's a Feature! by Flipstylee · · Score: 1

    That is all.

  14. again? by genericmk · · Score: 2

    It's about time the large corporations sent a memo to developers to remove hard coded administrator access from its devices.

  15. Re:Bloated Hardware by evilviper · · Score: 4, Insightful

    A printer should be a computer that only receives files and prints them. They should not be "connected" to a network any more than a UDP package is connected to its recipient.

    Oh good, because we wouldn't want to have any assurances that our 100MB print jobs were transferred to the printer successfully... Or know when they're running low on toner... or that there's a paper jam and the printer has caught fire... or be able to tell it to use the media in tray number 5... or be able to connect a printer to your WiFi network.

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  16. SNMP writes and not using snmp-v3? by TheGratefulNet · · Score: 1

    (ob disc: I have been in the snmp field for over 25 years doing development on agents as well as nms)

    let me see if I understand this:

    snmp set (writes) ability using something other than snmpv3?

    uhm, you're kidding me. tell me you are joking.

    the vendor gets an F- in design. sheesh! snmpv3 has been out long enough so that no one should be doing ANY sets (writes) using unsecure v1/v2c.

    not to mention the GALL of using a hardcoded write-password.

    (you know, the snmp opportunities have nearly gone to zero and its now all outsourced (which puts me out of gainful employment, lately). and THIS is the crap 'designs' you get when you outsource it to clueless morons who get the job by being the lowest bidder. I wonder if the industry will learn its lesson that 'you get what you pay for' when it comes to actual design and architecture, not to mention implementation details.)

    --

    --
    "It is now safe to switch off your computer."
  17. What were they thinking?! by Cajun+Hell · · Score: 1

    Apple patented this in 2008. C'mon, Samsung, at least change the password to something other than "jobsrules".

    --
    "Believe me!" -- Donald Trump
    1. Re:What were they thinking?! by tomofumi · · Score: 1

      Nope, everyone knows it is root/alpine ;)

    2. Re:What were they thinking?! by Cajun+Hell · · Score: 1

      Lay down your gun and surrender quiet, or there's gonna be A CAJUN RIOT!!

      Ahem. I think that should be 'quietly'

      Hm. That seems reasonable. Let's try that and see how it goes...

      "Lay down your gun and surrender quietly, or there's gonna be A CAJUN RIOTLY!"

      No. That doesn't work at all.

      --
      "Believe me!" -- Donald Trump
  18. Anything Useful? by crow · · Score: 1

    I think I have one of the printers in question. Does this allow me to do anything useful or interesting? Where can I find more information on playing with it?

  19. It was Onity! by 140Mandak262Jamuna · · Score: 1

    They guy who designed the security for this printer quit and became the chief of security for Onity hotel swipe card key systems, it looks like.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  20. Re:Bloated Hardware by Anonymous Coward · · Score: 1

    FTFY. I haven't had to fix the printers in my office for months, possibly because I did it properly last time. Let the anecdote wars begin!

    Actually, your printer's been going down every few days. Good thing I'm rebooting it for you from Siberia!

  21. Re:Bloated Hardware by Bert64 · · Score: 1

    A printer still needs to report feedback, such as toner levels, problems like paper jams, success/failure of a job etc.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  22. Not a big deal by tomofumi · · Score: 1

    How often you see a Samsung printer hanging around in office? And you need someone come to your office to exploit its snmp backdoor, I'd assume no one will assign their printer with a public internet IP. Maybe add a firewall / switch ACL to block it before the printer LAN port will do...

  23. Re:Remote access is the least of our worries by Shimbo · · Score: 1

    He's PC World's cousin. http://www.channelregister.co.uk/2012/11/19/police_constable_world_error/

  24. It worked on my printer by dskoll · · Score: 1

    And in case anyone else wants to test, the password is: s!a@m#n$p%c

  25. Re:Bloated Hardware by jones_supa · · Score: 1

    Why does a printer have "accounts"? It's job is to print a file we throw at it. It should be nothing but a recipient of information, a dropbox. In fact it should be an email, to which you send an attached file, and the printer fetches it and prints it. Or at least that should be the interface.

    By the way, HP has exactly that as a feature (ePrint) in their current printers. They give an e-mail address for your printer from their cloud service, and then you can start sending documents there.