Slashdot Mirror

← Back to Stories (view on slashdot.org)

HP Shutting Down Default FTP, Telnet Access To Network Printers (pcworld.com)

Posted by msmash on from the business-as-usual dept.

Security experts consider the aging FTP and Telnet protocols unsafe, and HP has decided to clamp down on access to networked printers through the remote-access tools. From a report on PCWorld: Some of HP's new business printers will, by default, be closed to remote access via protocols like FTP and Telnet. However, customers can activate remote printing access through those protocols if needed. "HP has started the process of closing older, less-maintained interfaces including ports, protocols and cipher suites" identified by the U.S. National Institute of Standards and Technology as less than secure, the company said in a statement. In addition, HP also announced firmware updates to existing business printers with improved password and encryption settings, so hackers can't easily break into the devices.

56 of 83 comments (clear)

  1. SOP for a Company that Requires Registration by BrendaEM · · Score: 1

    Fuck your liberty. We will track you!

    --
    https://www.youtube.com/c/BrendaEM
  2. Firmware by Anonymous Coward · · Score: 2, Informative

    Oh no HP, after you disabled my compatible cartridges, I am not getting your dirty firmware ever again in my printer.

  3. Experts? by 110010001000 · · Score: 2

    You don't need to be an expert to know that FTP/TELNET is unsafe. So is SSH in some configurations.

    1. Re:Experts? by jellomizer · · Score: 2

      But it is a big company changing something that we took for granted in the 1990's. There has to be a motive behind it that is meant to screw with us.

      Granted I remember back in the good old days of the 1990's where printers were setup with a static outside address. And when there was that LPR buffer overflow hack there were hundreds of wasted pages from people trying to hack the printer in hope it was an old unix server with the LPR flaw in it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Experts? by EndlessNameless · · Score: 4, Insightful

      There has to be a motive behind it that is meant to screw with us.

      Not really. We started kicking printers off the network if they couldn't be secured. HP was the biggest offender by far.

      If departments have to choose between having a dedicated "printer PC" vs having a decent network printer, they usually want the convenience of a network printer. And when HPs aren't eligible, HP loses sales.

      A lot of businesses still don't care about security, but enterprise vendors are increasingly being pressured by those who do.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    3. Re: Experts? by Zero__Kelvin · · Score: 2

      That is a ridiculous stance to take. Closing a vulnerability is exactly that ... You do it regardless of the fact that there are sure to be others in the system. If you don't start somewhere, how can you ever finish?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:Experts? by Dutch+Gun · · Score: 1

      There has to be a motive behind it that is meant to screw with us.

      Shit security and the recent flood of botnets and DDoS attacks isn't enough reason?

      --
      Irony: Agile development has too much intertia to be abandoned now.
    5. Re:Experts? by TWX · · Score: 2

      You don't need to be an expert to know that FTP/TELNET is unsafe. So is SSH in some configurations.

      Actually you do. Non-experts don't even know what FTP and telnet are in the vast majority of cases. Hell, your average person doesn't even know why a web address starts out with "http://" or "https://", especially since browsers have largely done away with the need to type that stuff. Hell, most users don't even know why there's a tertiary level domain or even that domains are heirarchical in the first place.

      Don't confuse your professional or hobbyist knowledge with that which the average person would have. After all, if they had this knowledge they wouldn't need to pay you to take care of their computers for them.

      --
      Do not look into laser with remaining eye.
    6. Re: Experts? by tepples · · Score: 1

      Authentication over Telnet or FTP sends a pre-shared key called a "password" over the wire in cleartext. This means of authentication is subject to a replay attack. SSH and SFTP lack this vulnerability, so long as the server can be identified out of band.

    7. Re: Experts? by cfalcon · · Score: 1

      I can't wait for all the "how to I update my authorized_hosts on my printer" posts on stack.

    8. Re:Experts? by jonnythan · · Score: 1

      The motive is that enterprise IT departments are choosing HP alternatives like Epson and Brother because of issues like this.

    9. Re:Experts? by fbobraga · · Score: 1

      This. A million times this. (GP is BSing!)

    10. Re:Experts? by mlts · · Score: 1

      Printers have been a good harbinger of what is to come in the IoT world, especially ones made in the past decade. Basically they are vulnerable devices that will never see an update. I won't be surprised to see other planned obsolescence things like I encountered on one printer -- a sensor that watched a paper path gear, and when the gear wore out past a certain threshold, would stop the printer from printing completely, with the solution being to replace the entire printer. My fix was to 3D print another gear.

  4. what about not giving a printer an public IP by Joe_Dragon · · Score: 1

    what about not giving a printer an public IP so that any one can print to them.

    1. Re:what about not giving a printer an public IP by Anonymous Coward · · Score: 1

      Nobody does that. The problem is that you cannot consider your internal corporate network secure. Anyone still doing that is in for a rude awakening. Devices on the corporate network need to run host firewalls and generally protect themselves just like they were on the internet.

    2. Re:what about not giving a printer an public IP by freeze128 · · Score: 1

      EVERYBODY should do that! Unless you want all your paper and ink/toner used up by random people printing penises on your printer, for God's sake, DON'T let the internet have access to it!

    3. Re:what about not giving a printer an public IP by wkk2 · · Score: 1

      Feed the printer from a print server and put the printer on its own VLAN.

    4. Re:what about not giving a printer an public IP by Anonymous Coward · · Score: 1

      That is my therapy, you insensitive clod!

    5. Re: what about not giving a printer an public IP by Zero__Kelvin · · Score: 1

      FTP and TELNET are worse than HTTP because the latter is a transport layer only. All auth is accomplished through HTTPS. This is the equivalent of the industry standard of using SFTP and SSH. Nobody with a clue claims that there aren't open vulnerabilities in the protocols. Cleartext password exchange not a problem? Are you fscking kidding me?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:what about not giving a printer an public IP by keith_nt4 · · Score: 1

      Is there literally any chance any of those listed could be honey pots?

      --
      "UNIX is very simple, it just needs a genius to understand its simplicity." -Dennis Ritchie
    7. Re: what about not giving a printer an public IP by Junta · · Score: 2

      worse than HTTP because the latter is a transport layer only. All auth is accomplished through HTTPS.

      Strictly speaking, he did say HTTP, which without TLS isn't any better. Of course there's nothing suggesting that HTTP without TLS would be open so it's a bit of a weird leap to make.

      I will say in practice HTTPS on embedded IT equipment is only a little useful in most cases, since they have unverified certificates to kick things off. There are rare areas that bother to do proper certificates and/or rare software that gives self signed certs the appropriate treatment, but overwhelmingly people click on https and click through the warning which reduces https to http level security (anyone who can sniff is almost always in a position to inject themselves).

      --
      XML is like violence. If it doesn't solve the problem, use more.
    8. Re: what about not giving a printer an public IP by Zero__Kelvin · · Score: 1

      The point, as you seem to agree, is that mentioning HTTP at all in the conversation is a Red Herring.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re: what about not giving a printer an public IP by Zero__Kelvin · · Score: 1

      While there is anonymous FTP there is no anonymous TELNET, so epic fail on your part.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re:what about not giving a printer an public IP by jbmartin6 · · Score: 1

      I tried this once using cups-pdf. After about 8 months I shut it off, I didn't get any print jobs submitted to it. Very disappointing, I was really interested in what sort of things I might get. I guess no one is scanning the Internet for printers to print to them anymore.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    11. Re:what about not giving a printer an public IP by MareLooke · · Score: 1

      This article convinced me that FTP is, in fact, worse than HTTP.

  5. Xerox MFPs never did this! by Anonymous Coward · · Score: 1

    I used for Xerox until a few months ago and they never allowed telnet or FTP access on MFPs that went out the door. The engineers there were smart enough to block that from day one. I'm amazed that HP had this kind of access available.

  6. Telnet and FTP printing? by aglider · · Score: 2

    Interesting! Modders, please mod up HP for a very interesting application!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Telnet and FTP printing? by mridoni · · Score: 1

      Like this?

      https://www.youtube.com/watch?v=NPWi5yJK3zo

  7. Wow, so soon? by JustAnotherOldGuy · · Score: 1

    Yeah, thanks HP....you're only about 20 years too late to the party.

    What's HP's next innovative security move? Not passing SQL queries in the URL?

    --
    Just cruising through this digital world at 33 1/3 rpm...
  8. SSH is irrelevant in a lot of case by Viol8 · · Score: 1

    Plenty of printers with telnet access didn't even ask for a password by default, they just dropped you straight into the printers command shell as soon as you connected. Encrypting the network link won't make that sort of zero security any safer.

    1. Re:SSH is irrelevant in a lot of case by skids · · Score: 1

      Also the built-in firewalling on them often only protects certain services, leaving, for example, SNMPv2 running, the initial negotiation packets of which, even if the password is set, can still be used as a force multiplier for DDoS. Or in some cases, actually putting rules in the firewalling slows things to a crawl. Or in other cases, there is no firewalling facility. And all this can vary among individual models from a single vendor.

      --
      Someone had to do it.
  9. Call me a cynic... by Viol8 · · Score: 1

    ... but telnet and ftp are generic protocols with clients available on most systems. Wheres the many in that? Whats a company to do? Hey, how about rolling its own proprietary protocols to lock-in users with client software that need to be paid for? Ker-ching!

    1. Re:Call me a cynic... by fbobraga · · Score: 1

      telnet and ftp are generic protocols with clients available on most systems

      by "most systems" you mean "windows servers", right? SSH is available in any other system: not existing by default on Windows systems is M$ fault...

  10. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  11. I guess Weev got their attention. by Anonymous Coward · · Score: 1

    I guess sending swastika's to 29K open printers many of them in university "safe spaces" got HP's attention.

    https://storify.com/weev/a-sma...

    https://www.washingtonpost.com...

  12. Use case? by freeze128 · · Score: 1

    What is a legitimate use case where you want to print something out, but are nowhere near the printer to collect the output?

    1. Re:Use case? by rgmoore · · Score: 2

      A possible use case would be an enterprise with a very specialized, expensive printer- like a super-high speed or large format printer- that's kept in a centralized location. Jobs would be submitted remotely and then the output would be shipped to the submitter. HP makes some very high-end printing products where that kind of workflow makes sense.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

  13. How about by DivineKnight · · Score: 1

    How about fixing your website(s), which use FTP, and possibly Telnet, before focusing on your printers? There are an awful lot of people who would love to be able to replace broken parts without spending 3 days trying to guess the right part number, as well as some of us working on more interesting equipment (like the Alphas) who just love it if you would fix some of those broken links to much needed firmware upgrades.

    As for your printers, charge a lot for the printer, give it the ability to run some version of linux (which it probably does already) with lots of RAM and a HD/SSD, and low cost color laser printing. Oh, and network (wired) printing. And people will love you. High DPI printing, scanning (High DPI scanning), faxing (+ over the internet), etc. are just gravy.

  14. Feed me a cat by jheath314 · · Score: 1

    Too bad... I remember using telnet to surreptitiously change the message displayed on the little LCD display on the office printer. "Error: out of white toner" "Insert coin to continue" "Help I'm stuck in a printer"... good times...

    --
    Procrastination Man strikes again!
    1. Re:Feed me a cat by PhunkySchtuff · · Score: 1

      I remember this - I had a cron job running once every 5 minutes that would use curl to get the current weather report, parse that for the temperature and update the LCD on the printer. Good times indeed...

      --
      Specialist Mac support for creative pros, Melbourne
  15. But... by Kozar_The_Malignant · · Score: 1

    I create my documents by telnetting into the printer and typing directly into printer memory with copy con. Whatever will I do now?

    --
    Some mornings it's hardly worth chewing through the restraints to get out of bed.
    1. Re:But... by tepples · · Score: 1

      Instead, try SSHing into the printer and typing directly into printer memory with copy con.

      Source: How do i SSHot printing?

  16. I use it from time to time by lorinc · · Score: 1

    I still use it from time to time, probably once a year. Sometimes, the cups server is down, or the default configuration of the printing server is messed up and I'm in a hurry, well, then I resort to using ftp to print documents (usually last minute exams). It's quite handy. When this happens I'm usually the only one in the lab able to print something...

    --
    Video of some good progressive thrash music
  17. LOL Now they know? by sentiblue · · Score: 1

    The Telnet protocol was obsolete and insecure as of 20 years ago... They only now realize it? No wonder the company has beeing going in the wrong direction that investors want.

  18. About time by ErichTheRed · · Score: 1

    I know a lot of people are thinking this is the first step to forcing people to pay HP by the page for their printers or something, but FTP and telnet have been on JetDirects forever, back when they were big chunky boxes you plugged into the parallel port of your LaserJet 4si. I doubt much of that JetDirect code has changed in decades, given what I see when I have to FTP to the odd printer to send it firmware or something.

    I guarantee the main motivation is to make it so that HP doesn't have to keep patching security holes in a printer NIC OS that is probably 20+ years old at its core. A lot of people forget the following two caveats about network security when it comes to printers:
    - Most organizations still think anything on their side of the firewall is 100% trusted.
    - There are massive amounts of public-IP printers out there (think universities, large companies, government agencies, etc.) The big state university I live right next to has a Class B range just for its CS department.

    In either of these cases, having a reasonably capable OS fully accessible with no password in most cases provides a very useful jumping off point into the network. HP, like every other big tech company, is gutting all their technical personnel and offshoring most routine work, so I imagine the key driver is to make it less likely people will find security holes in a product that doesn't get any love anymore, but is deployed literally everywhere. For the few places that have some archaic system that manually FTP PUTs jobs to the printers, they can turn it back on, but hopefully those are few and far between!

  19. secured = can still print jobs to it and you can d by Joe_Dragon · · Score: 1

    secured = can still print jobs to it and you can do a lot of damage with just that. Even say if you don't pay me $1000 I will send endless pages of pure black to this printer.

    or this

    https://hardware.slashdot.org/...

  20. Next step: Premium Passwords by anon+mouse-cow-aard · · Score: 1

    For our security, one can go buy passwords from HP for 40$ each. They'll be encased in boxes about 6" x 6" x 10", and printed on plastic cards in case you ever need to log into your printer during a downpour. You'll be able to obtain HP-Certified passwords, produced using premium random string generation systems to be able to access your printers. They last six months, then they expire and you need to buy another in order to get your printer working again.

  21. Big printers / copiers have HDD's with lot's of da by Joe_Dragon · · Score: 1

    Big printers / copiers have HDD's with lot's of data on them and the places that resell them really don't wipe them.

  22. Wat? by RobbieCrash · · Score: 1

    Who the hell is printing over telnet or ftp?

    --
    Keep on knockin'
    https://robbiecrash.me
    1. Re:Wat? by Anonymous Coward · · Score: 1

      Telnet is the only way to print, from an IBM 3030.

  23. SSH by tepples · · Score: 1

    but telnet and ftp are generic protocols with clients available on most systems

    As are SSH and SFTP.

  24. Fax by tepples · · Score: 1

    What is a legitimate use case where you want to print something out, but are nowhere near the printer to collect the output?

    The same legitimate use cases as facsimile.

  25. It's bitztream by Anonymous Coward · · Score: 1

    ..the autism-hating, custom EpiPen-hating, Musk-hating Slashdot troll!

  26. Re:Good for them by dgatwood · · Score: 1

    No, no, courage is ripping out a feature that half your users use. Ripping out a feature that .0001% of your users use and is probably being actively exploited in the rare situations where it is used takes epic courage!

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  27. Watch out for unwanted firmware changes by ukoda · · Score: 1

    With HP adding 'regional protections' to new printers, effectively locking out after market consumables, you should investigate any security firmware upgrades carefully, they may come with unwanted 'features'.

  28. Re:Good for them by arglebargle_xiv · · Score: 1

    HP innovation: Bringing you 1995, tomorrow!