Slashdot Mirror


HP Shutting Down Default FTP, Telnet Access To Network Printers (pcworld.com)

Security experts consider the aging FTP and Telnet protocols unsafe, and HP has decided to clamp down on access to networked printers through the remote-access tools. From a report on PCWorld: Some of HP's new business printers will, by default, be closed to remote access via protocols like FTP and Telnet. However, customers can activate remote printing access through those protocols if needed. "HP has started the process of closing older, less-maintained interfaces including ports, protocols and cipher suites" identified by the U.S. National Institute of Standards and Technology as less than secure, the company said in a statement. In addition, HP also announced firmware updates to existing business printers with improved password and encryption settings, so hackers can't easily break into the devices.

83 comments

  1. SOP for a Company that Requires Registration by BrendaEM · · Score: 1

    Fuck your liberty. We will track you!

    --
    https://www.youtube.com/c/BrendaEM

    1. Re:SOP for a Company that Requires Registration by Anonymous Coward · · Score: 0

      Just registration? Usually they even require a *support contract* to be able to access firmware fixes for their broken crap. Fuck you, HP...

  2. Lock it down! by Anonymous Coward · · Score: 0

    Coming soon, you'll only be able to print through HP PrintCloud(TM). Send your documents insecurely halfway around the world and then back to your printer, all for the low price of $7/user/month!

    1. Re:Lock it down! by Anonymous Coward · · Score: 0

      Which will use an FTP back end. Recursion, it's delicious.

  3. Good for them by Anonymous Coward · · Score: 0

    Could have been done earlier, but well done anyway. Shows leadership and "real courage" ;-)

    1. Re:Good for them by dgatwood · · Score: 1

      No, no, courage is ripping out a feature that half your users use. Ripping out a feature that .0001% of your users use and is probably being actively exploited in the rare situations where it is used takes epic courage!

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:Good for them by arglebargle_xiv · · Score: 1

      HP innovation: Bringing you 1995, tomorrow!

  4. Firmware by Anonymous Coward · · Score: 2, Informative

    Oh no HP, after you disabled my compatible cartridges, I am not getting your dirty firmware ever again in my printer.

  5. Experts? by 110010001000 · · Score: 2

    You don't need to be an expert to know that FTP/TELNET is unsafe. So is SSH in some configurations.

    1. Re:Experts? by jellomizer · · Score: 2

      But it is a big company changing something that we took for granted in the 1990's. There has to be a motive behind it that is meant to screw with us.

      Granted I remember back in the good old days of the 1990's when printers were set up with a static outside address. And when there was that LPR buffer overflow hack there were hundreds of wasted pages from people trying to hack the printer in the hope it was an old unix server with the LPR flaw in it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.

    2. Re:Experts? by EndlessNameless · · Score: 4, Insightful

      There has to be a motive behind it that is meant to screw with us.

      Not really. We started kicking printers off the network if they couldn't be secured. HP was the biggest offender by far.

      If departments have to choose between having a dedicated "printer PC" vs having a decent network printer, they usually want the convenience of a network printer. And when HPs aren't eligible, HP loses sales.

      A lot of businesses still don't care about security, but enterprise vendors are increasingly being pressured by those who do.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.

    3. Re:Experts? by Anonymous Coward · · Score: 0

      Some of the HP printers have a 1,5GB (!!) driver package installation, which most likely contains much more attack surface than FTP or telnet. But sure, telnet sounds bad so disabling it makes everything safe.

    4. Re: Experts? by Zero__Kelvin · · Score: 2

      That is a ridiculous stance to take. Closing a vulnerability is exactly that ... You do it regardless of the fact that there are sure to be others in the system. If you don't start somewhere, how can you ever finish?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    5. Re:Experts? by Dutch+Gun · · Score: 1

      There has to be a motive behind it that is meant to screw with us.

      Shit security and the recent flood of botnets and DDoS attacks isn't enough reason?

      --
      Irony: Agile development has too much inertia to be abandoned now.

    6. Re:Experts? by TWX · · Score: 2

      You don't need to be an expert to know that FTP/TELNET is unsafe. So is SSH in some configurations.

      Actually you do. Non-experts don't even know what FTP and telnet are in the vast majority of cases. Hell, your average person doesn't even know why a web address starts out with "http://" or "https://", especially since browsers have largely done away with the need to type that stuff. Hell, most users don't even know why there's a tertiary level domain or even that domains are hierarchical in the first place.

      Don't confuse your professional or hobbyist knowledge with that which the average person would have. After all, if they had this knowledge they wouldn't need to pay you to take care of their computers for them.

      --
      Do not look into laser with remaining eye.

    7. Re: Experts? by Anonymous Coward · · Score: 0

      Telnet is not a vulnerability.

    8. Re: Experts? by Zero__Kelvin · · Score: 0

      Of course it is you incompetent fool.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    9. Re: Experts? by tepples · · Score: 1

      Authentication over Telnet or FTP sends a pre-shared key called a "password" over the wire in cleartext. This means of authentication is subject to a replay attack. SSH and SFTP lack this vulnerability, so long as the server can be identified out of band.

    10. Re: Experts? by cfalcon · · Score: 1

      I can't wait for all the "how do I update my authorized_hosts on my printer" posts on stack.

    11. Re: Experts? by Anonymous Coward · · Score: 0

      Kerberos can keep the authentication secure for telnet, however that doesn't stop TCP hijacking attacks. SSH can thwart TCP hijacks pretty easily as well.

    12. Re:Experts? by jonnythan · · Score: 1

      The motive is that enterprise IT departments are choosing HP alternatives like Epson and Brother because of issues like this.

    13. Re:Experts? by Anonymous Coward · · Score: 0

      Printers have been pretty bad for a while. They're network connected, embedded systems that are infrequently or never updated.

      Best practice is to put them on an isolated print management (v)lan and firewall them off so they can only talk to the servers they need to, via the ports they need to. (Presumably print, dns, snmp, probably DHCP because fucking with UIs on front panels is for fucking chumps)

      Users print to the server, server sends the job to the printer.

      It's a multi function device with other services? Same rules apply. Email can go through a relay. Scan jobs can get dumped on a share. You don't let those disasters get free access on any network.
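The isolation described in the comment above, written out as a checkable policy. This is an added example, not code from the post or from any vendor: the VLAN range, host addresses and flow records are constructed, and the DHCP-relay arrangement is an assumption. The same allowlist renders as an nftables forward chain for the router between VLANs and gives a verdict for individual flows, so the policy can be reviewed offline before it is deployed.

```python
"""Default-deny policy for an isolated print VLAN.

Added example, not code from the post or from any vendor. It encodes the
allowlist the post describes (users print to the server, the server talks
to the printers; printers reach only DNS, the mail relay and the scan share)
and renders it as an nftables ruleset. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

PRINT_VLAN = ip_network("10.50.0.0/24")        # constructed printer VLAN
PRINT_SERVER = ip_network("10.10.0.5/32")      # constructed print server
SNMP_POLLER = ip_network("10.10.0.20/32")      # constructed monitoring host
DNS_SERVER = ip_network("10.10.0.53/32")
SMTP_RELAY = ip_network("10.10.0.25/32")
SCAN_SHARE = ip_network("10.10.0.30/32")
DHCP_SERVER = ip_network("10.10.0.67/32")      # reached via relay (assumed)


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    why: str


# Pure allowlist; anything not listed hits the chain's drop policy.
POLICY = [
    Rule(PRINT_SERVER, PRINT_VLAN, "tcp", 9100, "raw print jobs from the print server"),
    Rule(PRINT_SERVER, PRINT_VLAN, "tcp", 631, "IPP from the print server"),
    Rule(PRINT_SERVER, PRINT_VLAN, "tcp", 443, "admin web UI, only from the print server"),
    Rule(SNMP_POLLER, PRINT_VLAN, "udp", 161, "SNMP polling from the monitoring host"),
    Rule(PRINT_VLAN, DNS_SERVER, "udp", 53, "DNS"),
    Rule(PRINT_VLAN, DHCP_SERVER, "udp", 67, "DHCP via relay on the VLAN router"),
    Rule(PRINT_VLAN, SMTP_RELAY, "tcp", 25, "scan-to-mail through the relay"),
    Rule(PRINT_VLAN, SCAN_SHARE, "tcp", 445, "scan-to-share drop folder"),
]


def allowed(src: str, dst: str, proto: str, port: int) -> Optional[str]:
    """Return the reason a flow is permitted, or None when the default drop applies."""
    s, d = ip_address(src), ip_address(dst)
    for rule in POLICY:
        if s in rule.src and d in rule.dst and proto == rule.proto and port == rule.port:
            return rule.why
    return None


def render_nftables() -> str:
    """Render POLICY as an nftables forward chain with a drop policy."""
    lines = [
        "table inet print_vlan {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in POLICY:
        lines.append(
            f"    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.port} "
            f'accept comment "{r.why}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flow records (src, dst, proto, dport) as a router might log them.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.50.0.9", "tcp", 9100),    # server -> printer: allowed
    ("10.20.0.7", "10.50.0.9", "tcp", 9100),    # workstation -> printer: dropped
    ("10.50.0.9", "10.10.0.53", "udp", 53),     # printer -> DNS: allowed
    ("10.50.0.9", "203.0.113.5", "tcp", 443),   # printer -> internet: dropped
    ("10.20.0.7", "10.50.0.9", "tcp", 23),      # workstation -> telnet: dropped
]


def review_flows(flows=SAMPLE_FLOWS):
    """Label each flow with the policy verdict, for a pre-deployment check."""
    return [(f, allowed(*f) or "DROP") for f in flows]


if __name__ == "__main__":
    print(render_nftables())
    for flow, verdict in review_flows():
        print(f"{flow[0]:>12} -> {flow[1]:<12} {flow[2]}/{flow[3]:<5} {verdict}")
```

The workstation-to-printer flows are dropped on purpose: users submit to the print server, which is the only host allowed to reach port 9100, 631 or the admin UI. Adding a new scan destination means adding one `Rule`, and the rendered chain keeps `policy drop` as its default.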

    14. Re:Experts? by fbobraga · · Score: 1

      This. A million times this. (GP is BSing!)

    15. Re:Experts? by mlts · · Score: 1

      Printers have been a good harbinger of what is to come in the IoT world, especially ones made in the past decade. Basically they are vulnerable devices that will never see an update. I won't be surprised to see other planned obsolescence things like I encountered on one printer -- a sensor that watched a paper path gear, and when the gear wore out past a certain threshold, would stop the printer from printing completely, with the solution being to replace the entire printer. My fix was to 3D print another gear.

  6. what about not giving a printer a public IP by Joe_Dragon · · Score: 1

    what about not giving a printer a public IP so that anyone can print to them.

    1. Re:what about not giving a printer a public IP by Anonymous Coward · · Score: 1

      Nobody does that. The problem is that you cannot consider your internal corporate network secure. Anyone still doing that is in for a rude awakening. Devices on the corporate network need to run host firewalls and generally protect themselves just like they were on the internet.

    2. Re:what about not giving a printer a public IP by Anonymous Coward · · Score: 0

      This here is the fucking answer. The protocol isn't the problem. FTP or telnet are no worse than HTTP. The problem is idiots who configure these things to be accessible to anyone in the world. There are a stupid number of network printers out there reachable over the public internet, colleges seem to love doing this for some reason. If you Google for phrases from the web interfaces of various printers, you can find printers set up to accept jobs from anyone through a web browser.

      Here's one example. I guarantee at least a dozen of those can be printed to, and probably administered, by the public at large. I know I've sent my share of dick pics to random printers over the years...

    3. Re:what about not giving a printer a public IP by freeze128 · · Score: 1

      EVERYBODY should do that! Unless you want all your paper and ink/toner used up by random people printing penises on your printer, for God's sake, DON'T let the internet have access to it!

    4. Re:what about not giving a printer a public IP by wkk2 · · Score: 1

      Feed the printer from a print server and put the printer on its own VLAN.

    5. Re:what about not giving a printer a public IP by Anonymous Coward · · Score: 0

      I know I've sent my share of dick pics to random printers over the years...

      If that's the way you get your kicks, you should consider therapy.

    6. Re:what about not giving a printer a public IP by Anonymous Coward · · Score: 1

      That is my therapy, you insensitive clod!

    7. Re: what about not giving a printer a public IP by Zero__Kelvin · · Score: 1

      FTP and TELNET are worse than HTTP because the latter is a transport layer only. All auth is accomplished through HTTPS. This is the equivalent of the industry standard of using SFTP and SSH. Nobody with a clue claims that there aren't open vulnerabilities in the protocols. Cleartext password exchange not a problem? Are you fscking kidding me?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    8. Re:what about not giving a printer a public IP by keith_nt4 · · Score: 1

      Is there literally any chance any of those listed could be honey pots?

      --
      "UNIX is very simple, it just needs a genius to understand its simplicity." -Dennis Ritchie

    9. Re: what about not giving a printer a public IP by Junta · · Score: 2

      worse than HTTP because the latter is a transport layer only. All auth is accomplished through HTTPS.

      Strictly speaking, he did say HTTP, which without TLS isn't any better. Of course there's nothing suggesting that HTTP without TLS would be open so it's a bit of a weird leap to make.

      I will say in practice HTTPS on embedded IT equipment is only a little useful in most cases, since they have unverified certificates to kick things off. There are rare areas that bother to do proper certificates and/or rare software that gives self signed certs the appropriate treatment, but overwhelmingly people click on https and click through the warning which reduces https to http level security (anyone who can sniff is almost always in a position to inject themselves).

      --
      XML is like violence. If it doesn't solve the problem, use more.

    10. Re: what about not giving a printer a public IP by Zero__Kelvin · · Score: 1

      The point, as you seem to agree, is that mentioning HTTP at all in the conversation is a Red Herring.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    11. Re: what about not giving a printer a public IP by Anonymous Coward · · Score: 0

      We're talking about printers with public IP addresses and NO authentication whatsoever. In which case it doesn't matter whether they speak FTP, telnet, HTTP(S), or what. No protocol is any better than another, when the printer is connected to the internet and left wide open.

    12. Re: what about not giving a printer a public IP by Zero__Kelvin · · Score: 1

      While there is anonymous FTP there is no anonymous TELNET, so epic fail on your part.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun

    13. Re:what about not giving a printer a public IP by jbmartin6 · · Score: 1

      I tried this once using cups-pdf. After about 8 months I shut it off, I didn't get any print jobs submitted to it. Very disappointing, I was really interested in what sort of things I might get. I guess no one is scanning the Internet for printers to print to them anymore.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

    14. Re:what about not giving a printer a public IP by Anonymous Coward · · Score: 0

      And mine is looking at them!

    15. Re:what about not giving a printer a public IP by MareLooke · · Score: 1

      This article convinced me that FTP is, in fact, worse than HTTP.

  7. Xerox MFPs never did this! by Anonymous Coward · · Score: 1

    I worked for Xerox until a few months ago and they never allowed telnet or FTP access on MFPs that went out the door. The engineers there were smart enough to block that from day one. I'm amazed that HP had this kind of access available.

  8. Telnet and FTP printing? by aglider · · Score: 2

    Interesting! Modders, please mod up HP for a very interesting application!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.

    1. Re:Telnet and FTP printing? by mridoni · · Score: 1

      Like this?

      https://www.youtube.com/watch?v=NPWi5yJK3zo

    2. Re:Telnet and FTP printing? by Anonymous Coward · · Score: 0

      Interesting! Modders, please mod up HP for a very interesting application!

      I wonder how hard it would be to get an HP printer to act as an anon FTP server for embedded systems. It might be easier than getting an approved free FTP server at work.

  9. huh by Anonymous Coward · · Score: 0

    ya think?

  10. Exploited for YEARS already! by Anonymous Coward · · Score: 0

    What prompted this, did they suddenly realize that every single printer at HP was a file server and network access point? Been asleep for 15 years?

    https://en.wikipedia.org/wiki/Code_Red_(computer_worm)

  11. Wow, so soon? by JustAnotherOldGuy · · Score: 1

    Yeah, thanks HP....you're only about 20 years too late to the party.

    What's HP's next innovative security move? Not passing SQL queries in the URL?

    --
    Just cruising through this digital world at 33 1/3 rpm...

  12. SSH is irrelevant in a lot of cases by Viol8 · · Score: 1

    Plenty of printers with telnet access didn't even ask for a password by default, they just dropped you straight into the printer's command shell as soon as you connected. Encrypting the network link won't make that sort of zero security any safer.

    1. Re:SSH is irrelevant in a lot of cases by skids · · Score: 1

      Also the built-in firewalling on them often only protects certain services, leaving, for example, SNMPv2 running, the initial negotiation packets of which, even if the password is set, can still be used as a force multiplier for DDoS. Or in some cases, actually putting rules in the firewalling slows things to a crawl. Or in other cases, there is no firewalling facility. And all this can vary among individual models from a single vendor.

  13. Call me a cynic... by Viol8 · · Score: 1

    ... but telnet and ftp are generic protocols with clients available on most systems. Where's the money in that? What's a company to do? Hey, how about rolling its own proprietary protocols to lock-in users with client software that needs to be paid for? Ker-ching!

    1. Re:Call me a cynic... by Anonymous Coward · · Score: 0

      You're a cynic.

    2. Re:Call me a cynic... by fbobraga · · Score: 1

      telnet and ftp are generic protocols with clients available on most systems

      by "most systems" you mean "windows servers", right? SSH is available in any other system: not existing by default on Windows systems is M$ fault...

  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  15. I guess Weev got their attention. by Anonymous Coward · · Score: 1

    I guess sending swastikas to 29K open printers, many of them in university "safe spaces", got HP's attention.

    https://storify.com/weev/a-sma...

    https://www.washingtonpost.com...

  16. Use case? by freeze128 · · Score: 1

    What is a legitimate use case where you want to print something out, but are nowhere near the printer to collect the output?

    1. Re:Use case? by Anonymous Coward · · Score: 0

      What is a legitimate use case where you want to print something out, but are nowhere near the printer to collect the output?

      automated reports.

    2. Re:Use case? by rgmoore · · Score: 2

      A possible use case would be an enterprise with a very specialized, expensive printer- like a super-high speed or large format printer- that's kept in a centralized location. Jobs would be submitted remotely and then the output would be shipped to the submitter. HP makes some very high-end printing products where that kind of workflow makes sense.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

  17. How about by DivineKnight · · Score: 1

    How about fixing your website(s), which use FTP, and possibly Telnet, before focusing on your printers? There are an awful lot of people who would love to be able to replace broken parts without spending 3 days trying to guess the right part number, as well as some of us working on more interesting equipment (like the Alphas) who would just love it if you would fix some of those broken links to much needed firmware upgrades.

    As for your printers, charge a lot for the printer, give it the ability to run some version of linux (which it probably does already) with lots of RAM and a HD/SSD, and low cost color laser printing. Oh, and network (wired) printing. And people will love you. High DPI printing, scanning (High DPI scanning), faxing (+ over the internet), etc. are just gravy.

    1. Re: How about by Anonymous Coward · · Score: 0

      Many newer LaserJets have a little Windows license sticker on the back. At least they don't seem to use Java extensively any more.

  18. Feed me a cat by jheath314 · · Score: 1

    Too bad... I remember using telnet to surreptitiously change the message displayed on the little LCD display on the office printer. "Error: out of white toner" "Insert coin to continue" "Help I'm stuck in a printer"... good times...

    --
    Procrastination Man strikes again!

    1. Re:Feed me a cat by Anonymous Coward · · Score: 0

      You don't need telnet for that, the completely unauthenticated PCL protocol available on TCP 9100 will let you do that just fine. Students at a college I worked for thought they were really clever right up until my bosses got annoyed enough to task me with catching them.

    2. Re:Feed me a cat by PhunkySchtuff · · Score: 1

      I remember this - I had a cron job running once every 5 minutes that would use curl to get the current weather report, parse that for the temperature and update the LCD on the printer. Good times indeed...

  19. But... by Kozar_The_Malignant · · Score: 1

    I create my documents by telnetting into the printer and typing directly into printer memory with copy con. Whatever will I do now?

    --
    Some mornings it's hardly worth chewing through the restraints to get out of bed.

    1. Re:But... by tepples · · Score: 1

      Instead, try SSHing into the printer and typing directly into printer memory with copy con.

      Source: How do i SSHot printing?

  20. I use it from time to time by lorinc · · Score: 1

    I still use it from time to time, probably once a year. Sometimes, the cups server is down, or the default configuration of the printing server is messed up and I'm in a hurry, well, then I resort to using ftp to print documents (usually last minute exams). It's quite handy. When this happens I'm usually the only one in the lab able to print something...

  21. LOL Now they know? by sentiblue · · Score: 1

    The Telnet protocol was obsolete and insecure as of 20 years ago... They only now realize it? No wonder the company has been going in the wrong direction that investors want.

  22. About time by ErichTheRed · · Score: 1

    I know a lot of people are thinking this is the first step to forcing people to pay HP by the page for their printers or something, but FTP and telnet have been on JetDirects forever, back when they were big chunky boxes you plugged into the parallel port of your LaserJet 4si. I doubt much of that JetDirect code has changed in decades, given what I see when I have to FTP to the odd printer to send it firmware or something.

    I guarantee the main motivation is to make it so that HP doesn't have to keep patching security holes in a printer NIC OS that is probably 20+ years old at its core. A lot of people forget the following two caveats about network security when it comes to printers:
    - Most organizations still think anything on their side of the firewall is 100% trusted.
    - There are massive amounts of public-IP printers out there (think universities, large companies, government agencies, etc.) The big state university I live right next to has a Class B range just for its CS department.

    In either of these cases, having a reasonably capable OS fully accessible with no password in most cases provides a very useful jumping off point into the network. HP, like every other big tech company, is gutting all their technical personnel and offshoring most routine work, so I imagine the key driver is to make it less likely people will find security holes in a product that doesn't get any love anymore, but is deployed literally everywhere. For the few places that have some archaic system that manually FTP PUTs jobs to the printers, they can turn it back on, but hopefully those are few and far between!

  23. Not surprising by Anonymous Coward · · Score: 0

    HP (and HPE too) is now infested with MBA parasites who are busy firing anyone and everyone (especially engineers) doing real work.

    It's a microcosm of the US on the whole.

    Bill and Dave would have shrugged their fellow citizens to look to the future. Remember, America is more than a country. It's an idea, a beacon of light for the most fucked up species to ever walk this planet (that we know of).

  24. secured = can still print jobs to it and you can d by Joe_Dragon · · Score: 1

    secured = can still print jobs to it and you can do a lot of damage with just that. Even say if you don't pay me $1000 I will send endless pages of pure black to this printer.

    or this

    https://hardware.slashdot.org/...

  25. Next step: Premium Passwords by anon+mouse-cow-aard · · Score: 1

    For our security, one can go buy passwords from HP for 40$ each. They'll be encased in boxes about 6" x 6" x 10", and printed on plastic cards in case you ever need to log into your printer during a downpour. You'll be able to obtain HP-Certified passwords, produced using premium random string generation systems to be able to access your printers. They last six months, then they expire and you need to buy another in order to get your printer working again.

  26. Big printers / copiers have HDDs with lots of da by Joe_Dragon · · Score: 1

    Big printers / copiers have HDDs with lots of data on them and the places that resell them really don't wipe them.

  27. Wat? by RobbieCrash · · Score: 1

    Who the hell is printing over telnet or ftp?

    --
    Keep on knockin'
    https://robbiecrash.me

    1. Re:Wat? by Anonymous Coward · · Score: 1

      Telnet is the only way to print, from an IBM 3030.

    2. Re:Wat? by Anonymous Coward · · Score: 0

      I have an app which ftps a postscript file to a printer without human intervention

  28. Re:Big printers / copiers have HDDs with lots of by Anonymous Coward · · Score: 0

    Tell me about it, I had to change 20 year old passwords because of it. Luckily most were old accounts, so I just deleted them.

  29. SSH by tepples · · Score: 1

    but telnet and ftp are generic protocols with clients available on most systems

    As are SSH and SFTP.

  30. Fax by tepples · · Score: 1

    What is a legitimate use case where you want to print something out, but are nowhere near the printer to collect the output?

    The same legitimate use cases as facsimile.

  31. HP TELNET IS REQUIRED by Anonymous Coward · · Score: 0

    Just last week had to get into a printer via the TELNET. WEB software broke and couldn't recover or even reload. The TELNET session allowed access to the printer to force a reload under the covers. This was done 2000 miles from the physical printer on our private network.

    Use of TELNET with HP printers to recover after:
    Mangled NETMASK
    Mangled GATEWAY
    Broken HTTPS
    Broken Firmware upload via HTTPS

    If HP wants to secure, fix the out-of-box defaults!!! Yes, you can turn off TELNET as long as on the main page it informs of the shutdown and other insecure options. Like Bonjour.

    An HP LaserJet 600 - out of the box settings... What would you change?
    ====================
    Authorization

    Administrator Password : Not Set
    Jetdirect Certificate: Installed
    CA Certificate: Not Installed
    Access Control: Disabled

    Web Interface

    Encrypt All Web Communication: Enabled
    Encryption Strength: Low (DES-56-bit, RC4-128-bit or 3DES-168-bit)

    SNMPv1/v2

    Status: Enabled
    Get Community Name: Not Set (Defaults to "public")
    Set Community Name: Not Set (Defaults to "public")

    SNMPv3

    Status: Disabled

    802.1X Authentication

    Authentication Type: Open System (Disabled)
    EAP User Name: NPxxxxxxx
    EAP Password: Not Set
    Server ID: Not Set

    Other Protocols

    9100 Printing: Enabled
    LPD Printing: Enabled
    Web Services Print: Enabled
    IPP Printing: Enabled
    AirPrint: Enabled
    FTP Printing: Enabled
    SLP Config: Enabled
    Bonjour: Enabled
    Multicast IPv4: Enabled
    WS-Discovery: Enabled
    Telnet: Enabled
    IPsec/Firewall: Disabled
    CCC Logging: Disabled
    LLMNR: Enabled
    HP Jetdirect XML Services: Enabled
    Certificate Mgmt Service: Enabled
    Enable WINS Port: Enabled
    WINS Registration: Enabled
    TFTP Configuration File: Enabled
    IPPS Printing: Enabled
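One way to answer the "what would you change?" question above is to audit the dump mechanically. The script below is an added example, not HP tooling: it parses the Key: Value listing quoted in the post (including lines where the colon is missing, such as "LLMNR Enabled"), qualifies each key by its section so the two "Status" entries stay distinct, and checks the result against a hardening baseline drawn from this thread: admin password set, SNMPv1/v2 off or re-keyed (the amplification point skids raised earlier), Telnet, FTP and TFTP off, web cipher strength raised, device firewall on. The baseline, severities and advice are the editor's assumptions, not HP's.

```python
"""Audit an HP Jetdirect-style security settings dump against a baseline.

Added example, not HP tooling. Parses the "Key: Value" listing quoted in
the post above and reports out-of-box settings a defender would change.
The baseline, severities and advice are the editor's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Out-of-box listing quoted from the post above, abridged to the lines
# the baseline looks at; section headers kept exactly as printed.
SAMPLE_DUMP = """\
Authorization

Administrator Password : Not Set
Access Control: Disabled

Web Interface

Encryption Strength: Low (DES-56-bit, RC4-128-bit or 3DES-168-bit)

SNMPv1/v2

Status: Enabled
Get Community Name: Not Set (Defaults to "public")
Set Community Name: Not Set (Defaults to "public")

SNMPv3

Status: Disabled

Other Protocols

9100 Printing: Enabled
FTP Printing: Enabled
Telnet: Enabled
IPsec/Firewall: Disabled
LLMNR Enabled
TFTP Configuration File: Enabled
"""

_BARE_TOGGLE = re.compile(r"^(.*?)\s+(Enabled|Disabled)$")


def parse_dump(text: str) -> Dict[str, str]:
    """Map 'Section/Key' -> value. A line without a colon is a section header,
    unless it is a bare toggle such as 'LLMNR Enabled', which the dump also uses."""
    settings: Dict[str, str] = {}
    section = "Global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
        else:
            m = _BARE_TOGGLE.match(line)
            if not m:
                section = line
                continue
            key, value = m.group(1), m.group(2)
        settings[f"{section}/{key}"] = value
    return settings


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    severity: str
    advice: str


def _not_set(v: str) -> bool: return v.lower().startswith("not set")
def _enabled(v: str) -> bool: return v.lower().startswith("enabled")
def _disabled(v: str) -> bool: return v.lower().startswith("disabled")
def _low(v: str) -> bool: return v.lower().startswith("low")


# (qualified key, predicate that flags the value, severity, advice) -- editor's baseline
BASELINE = [
    ("Authorization/Administrator Password", _not_set, "critical", "set a strong admin password first"),
    ("Authorization/Access Control", _disabled, "high", "limit management to the print server and admin hosts"),
    ("Web Interface/Encryption Strength", _low, "high", "raise to High; DES/RC4/3DES suites are being retired"),
    ("SNMPv1/v2/Status", _enabled, "high", "disable, or at least change both community names"),
    ("SNMPv1/v2/Set Community Name", _not_set, "critical", "default write community lets anyone reconfigure it"),
    ("SNMPv3/Status", _disabled, "medium", "enable SNMPv3 with auth and privacy if SNMP is needed"),
    ("Other Protocols/Telnet", _enabled, "high", "disable; cleartext management shell"),
    ("Other Protocols/FTP Printing", _enabled, "high", "disable; cleartext credentials"),
    ("Other Protocols/TFTP Configuration File", _enabled, "high", "disable; unauthenticated config fetch"),
    ("Other Protocols/IPsec/Firewall", _disabled, "medium", "enable; allow only print server and admin hosts"),
    ("Other Protocols/LLMNR", _enabled, "low", "disable; not needed on a managed VLAN"),
]


def audit(text: str) -> List[Finding]:
    """Return one Finding per baseline item whose current value is flagged."""
    settings = parse_dump(text)
    findings = []
    for key, is_bad, severity, advice in BASELINE:
        value = settings.get(key)
        if value is not None and is_bad(value):
            findings.append(Finding(key, value, severity, advice))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_DUMP)
    for f in results:
        print(f"[{f.severity:8}] {f.key} = {f.value!r}: {f.advice}")
    print(summarize(results))
```

Run against the quoted defaults, every baseline item fires: two critical findings (no admin password, default SNMP write community), six high, two medium and one low. A settings export taken after hardening should produce an empty list, which makes the script usable as a regression check whenever a firmware update is applied.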

  32. It's bitztream by Anonymous Coward · · Score: 1

    ...the autism-hating, custom EpiPen-hating, Musk-hating Slashdot troll!

  33. Watch out for unwanted firmware changes by ukoda · · Score: 1

    With HP adding 'regional protections' to new printers, effectively locking out after market consumables, you should investigate any security firmware upgrades carefully, they may come with unwanted 'features'.

  34. Time for router manufacturers to follow suit by Anonymous Coward · · Score: 0

    ftp and telnet daemons are running on all routers by default too. Those router and IoT manufacturers should disable those open ports by default on their firmwares too.

  35. Good! by Anonymous Coward · · Score: 0

    I've always been concerned about the security of printer interfaces, even as I have been unable to clearly identify real-world examples of lax printer security harming me or my employers.