1 Vote
I had noticed years ago that some of HP's installed applications for reporting problems with the HP printers, Laptops and Workstations show up as malware. Usually labeled as one form of backdoor or another.

If it is possible I will not install HP software that comes with these devices, but sometimes we don't have the choice. I for one really get riled when I have to install a printer driver that starts installing 20 minutes of 'enhancements' on a work PC.
0 Votes
Contributor
I have come across that myself. This exploit does not require loading any client software.
from HP crapware and drivers! However, they might as well be true malware, with the way they act, and no more than I trust printer manufacturers lately!
1 Vote
ran the find a printer bit, just after we'd joined up to the main network.
It took out 22 PLCs and stopped five manufacturing plants....

We spent a good deal of time looking for malware, before we realised it was him.

To the PLCs, the probe request appeared to be a maliciously crafted packet.
it was bad enough when some junior "Gee" man lost a 500 item order with the new Oracle data base we had just acquired.

I took particular pride in keeping all PLCs running smoothly in my area.
Not really surprised with HP. With all the "garbage" that loads up when you install one of their MFP or just a regular printer, I am not surprised that there is an issue with them.
0 Votes
Contributor
Other vendors are having the same problem. People are just not aware of the need to create an admin password.
1 Vote
HP Sucks anyway
BobP64 7th Sep 2010
HP Printers suck so badly these days that they're not worth looking at anyway. I have had several of them go belly up, and in particular, an HP 7410 that I paid $499 for really ticked me off. It died after approximately 7 months. A small plastic tab used to hold a spring that sensed the new ink cartridge (talk about poor design) broke. HP sent me a "refurb" unit. This refurb unit died after 5.5 months - that's right about 2 weeks after the 1 year warranty was up.

After numerous calls talking to people in India and the Philippines I tried calling HP in the US - I could not connect to anyone. I even sent an email to Mark Hurd telling him that I would vow to cost HP a minimum of 100 Million in sales if this was not corrected.

I continue to tell my tale of how badly HP treats customers with their poorly designed products (and this 7410 was not the 1st or last HP product that died an untimely death that I have)...

Roll back to the late 90's - HP Laserjet 4000 - I still have it and it is GREAT. I just put in a new toner cartridge. The 90's were the last gasp of what I call the "old" HP. Today's HP creates JUNK, JUNK, and more JUNK.

Stay away from HP if you want your product to last. BTW, to replace that $499 7410 I bought a Canon all in one for $159. That's right, it does the SAME THINGS. That single printer has lasted 2.5 years so far and is still going strong. Even IF it died today, I would be about 7.5 times better off (only 1/3 the price and it lasted 2.5x longer). Canon is now my main source of printers. I suggest everyone else do the same.
0 Votes
Contributor
Has several 4 Plus printers that are working just fine. It is amazing.
0 Votes
4 Plus
cliff@... 8th Sep 2010
Have one back in the warehouse that is still churning out receivers. Awesome piece of hardware.
0 Votes
It seems...
JCitizen Updated - 8th Sep 2010
that if you order straight from HP and buy the warranted protection, they bend over backwards to get you a better product and service.

However, with my recent experiences, I got to admit, they must be junk anyway. Problem is, Canon doesn't have one of the most important features I need in the US. I really like Canon printers, but they don't do color DVD printing in the US.[yet]
They constantly run out of ink, need maintenance, and are a waste of paper. Everything just needs to stay digital.

Now in terms of HP, I personally like their Laptops and Desktops. I have a HP 200LX still running great, along with a HP dv2000MT Minitower PC as my main desktop at home and it runs like a dream. We even have a Deskjet All-in-one Printer from HP (The model's number escapes me) and it's been running great since 2005. It also doesn't need any drivers, we plug it into multiple laptops and it prints and scans no problem.

If you're running Windows XP or newer, I haven't found a need for installing the drivers.
0 Votes
Contributor
I found that with my Epsons as well. Win 7 has the correct drivers built in.
1 Vote
It still amazes me how indifferent companies, like HP, are to word of mouth advertising, positive and negative. A single review, like BobP64, can have significant negative impact but HP just bulls on. I think they must be adherents of PT Barnum's philosophy and truly believe there is a sucker born every minute.
1 Vote
Contributor
Not sure
Michael Kassner Updated - 7th Sep 2010
They consider what I wrote about to be a problem. They actually call it a feature. I just wish they would be more emphatic about telling people to create an admin password.

Edit: Spelling
Perhaps I am being overly paranoid/cynical, but I have doubts as to whether HP invested any serious effort into hardening the web server on those devices. I'd argue in favor of just keeping the thing off the internet, behind a firewall.
1 Vote
Contributor
If you look at some of the search results the IP addresses of the Officejets are private ones. I suspect that the firewall is allowing outgoing port 80 traffic.
0 Votes
I've learned...
JCitizen 13th Sep 2010
to do a GRC Shields UP! scan every time I add ANY software or hardware to any of my PCs. You never know when a driver is going to open up a port on the perimeter gateway device!

Using Comodo as an interior software firewall has prevented this, but I still check anyway!
1 Vote
Ooh -- GRC
santeewelding 13th Sep 2010
I've been checking in with that place forever.

Never thought to do what you just said.

Thanks, JC.

Maybe it will tell me what I don't want to know.
0 Votes
Be sure ...
JCitizen 13th Sep 2010
to click on the common ports and all services ports. Doing both helps get a clearer picture of what is going on.

Some ISPs issue firewall enabled modems though, so you may see a crappy firewall result, when your hardware firewall is working fine. I really hate ISPs that do this. But at least if you have a services gateway, you can tell who is knocking on the leaky front door in the monthly service reports.

Kiwi Syslog has a really good utility that can watch firewall reports real time. I'm sure there are several free ones out there, but I've been around Kiwi so long, I feel comfortable with it.

I just don't have the bucks yet for the pro version, but I'm happy with this one for now. You simply set your firewall with the interior IP that you want the reports sent to, and it will capture them in a data base form that can be interpreted pretty easily by code reference. I don't remember where I got the code list from; I think they are pretty standard.
0 Votes
Thanks again
santeewelding 13th Sep 2010
Attending to it now.
0 Votes
I make them beg.
seanferd 13th Sep 2010
You want through the router or local firewall, you have to ask. No UPnP. No auto-trust.
0 Votes
If I weren't so lazy...
JCitizen Updated - 14th Sep 2010
I'd configure my gateway on that. However, I do take a chance on a UPnP transaction occasionally to test my defenses and try a new application once in a while. After all it is a "honey pot"!

This way, I also know what kind of environment my clients are coming from; so I know exactly what happened to them before I even get there. I never see most of them but once, so they are all on a new situation. They don't come back, after I've configured their PC and network, and given them a prep course on web-safety.

Some would say I'm screwing myself out of a lot of money, but I'm just too lazy to let people fall on their own swords. I like to work smarter instead of harder. It gives me great satisfaction that the criminals have lost the battle too!
1 Vote
Hacker Techniques
Craig_B 7th Sep 2010
I saw a "Hacker Techniques" presentation where they went over this type of thing. Google has a lot of information that can be used in many different ways. By accessing an internal device from outside you can find ip address/subnet information, naming conventions, etc. Someone can now use this for social engineering, I'm calling about the HP xxxx printer that is low on toner, etc. It can get quite scary.
0 Votes
Contributor
Interesting comment, Craig.
I know of a place that got a phone call to an internal number (that can be called from outside) and the person that answered apparently gave out information about a local printer. A couple of weeks later two toner cartridges show up with an invoice. They ended up paying for the toner cartridges that they had never ordered.

Pretty effective.
Thank you and Michael Sutton for alerting me!

I immediately set admin pwds on my 3 networked HP's (2 OJ's + 1 DJ). This blocked access to SETTING network/bluetooth/wifi parameters.

It is of interest to note that the password does not block DISPLAY of just about all parameters, however.
0 Votes
Contributor
Thanks for commenting as well.
0 Votes
What I don't get is why the printer doesn't have a private IP address, such as 192.168.x.x or 10.x.x.x? How is it possible for a LAN resident device to be seen on the Internet without port forwarding or a DMZ configured in the router?
0 Votes
Contributor
If you noticed, the IP address of the device in my slides was using an internal IP address. But, I was able to get to it via the Internet. There were many similar examples in my searches.
Michael, thank you for bringing this to our attention.

It strikes me like one of those stories ... "Just when I thought I was safe..."

Ed DeRosier
0 Votes
Contributor
You are safe, just from your comments. Also thank you for commenting. I appreciate all and any input. Kudos to you
I think the real problem here isn't so much with the scanner as it is with the edge router natting through port 80 to it; surely correcting this would minimise exposure; yes you can still have malicious employees on the internal network set up a script to scan or change the admin password but I'm picking if you were that worried about it you would have set the passwords already.

There used to be a site that had links to dozens of google search phrases to find such devices on the internet, not just printers but IP cameras etc; I think the term is google hacking or something like that, I have looked but I can't seem to find it at the moment.
I.e., blocking accesses between printer and the public side. Works like a champ.

A necessity, BTW, if you're using a WiFi printserver, especially in a WiFi-rich MDU or office park environment.
0 Votes
Contributor
You are correct
Michael Kassner Updated - 7th Sep 2010
I wrote an article about how Google search is a huge weapon. You reaffirmed that. Oddly enough, simple mining gives the bad guys a huge amount of information.
0 Votes
should stop any inbound traffic that is not destined for an active connection on the destination port, such as HTTP on port 80 (but please keep reading).

It is possible that installing the HP hardware opens a port through any firewall, too, perhaps one on the gateway router to the Internet. I am not an expert, but that seems tantamount to establishing a static connection, and an SPI firewall will pass any traffic destined to it. If a printer is running a "web server", then it might open a port in a gateway router's firewall as well as in the firewall, if any, that is on its own server. (It seems unlikely that the printer's server has a firewall.)

The open port permits Google web crawlers to collect (and index) the content from the HTML pages in the printer, which is, as you have reported, running a "web server".

So it seems that the password probably just prevents someone from tinkering with the printer's configuration (unless and until they break the password, and I would guess that their little ol' utility to do that has an unlimited number of attempts). As another contributor reported previously, he can still read data from the printer's configuration after changing the default password.
0 Votes
Contributor
There is no default password. That would be better than the way HP does it now.
I smell a class action suit coming.
This Class Action suit, like all the others, will end the same way. The poor victimized "class" will get a coupon for a few dollars off the services the evil plaintiff HP provides. The lawyers will walk off with $20,000,000 and the "class" victims will find that HP has just raised prices to pay off the lawyers. Don't these anti-business consumer "protection" types ever learn?
1 Vote
Shoot!...
JCitizen Updated - 8th Sep 2010
My Brother laser printer came with malware in the install disk!! After spending a LOT of money trying to find out WHO was probing the interior of my LAN, I finally downloaded the web driver for the printer from the Brother update site, and that fixed the issue.

Needless to say, Brother is denying they issued any such disk; but how else do you explain it? Perhaps just a corrupted driver? Why then was server code injected where there was not supposed to be any? This was not a network printer!
0 Votes
Contributor
Not nice
Michael Kassner 8th Sep 2010
Glad you figured it out. I never use the install disks. Nine times out of ten, they are out-of-date.
0 Votes
that is generally the case with me too! Thanks for the article! =D
Understatement of the century.

OK, I don't even have to consider this from an efficiency, best practices, or security standpoint - there seem to be loads of business and home networks that aren't even set up so that the network owner gets what he wants.

This constantly amazes me.

Edited for title field converting the copied/quoted ' to ?.
0 Votes
When
santeewelding 8th Sep 2010
In all of recorded history has this not been so?
0 Votes
Which bit?
seanferd 8th Sep 2010
Never mind. Applies to all. All the little bits of it.
0 Votes
tax time
Al_nyc 28th Sep
That remote scan feature will net the bad guys lots of hits right around tax time when everyone is making copies of their tax forms. I have an HP wireless printer, but I only turn it on briefly when I need to print something. The rest of the time it is off. But now that I know it can be a problem, I plan on adding a password and if I can figure it out, I will change the firewall settings on my wireless router to stop any external queries to the printer.