Full Disclosure mailing list archives
Re: HP Photosmart vulnerabilities
From: Joshua Levitsky <jlevitsk () joshie com>
Date: Fri, 28 Dec 2007 11:13:57 -0500
Dude, SNMP can be used by their software to query the printer for toner levels or that it is online. You tell me what exactly you are getting from a printer like that via SNMP besides print job status and ink levels? And you are a stranger in my home on my network? I'd have the po-po beating you like Rodney King before you had to worry about what is on my printer. If I really have to explain to you why you don't need SSL to configure a home / home office printer that costs $200 and is intended for a personal private network, then really there is no point in explaining it. Security is meant to reduce risk. When you explain to me what the risk is, then you can state what the benefit of disabling SNMP and adding SSL would be to reduce that risk. There... I just wasted 10 seconds of my life explaining it.

On Dec 28, 2007, at 11:01 AM, <uncleron () hushmail com> wrote:

> A low price for the printer does not give the vendor a free pass for shipping insecure products. Since this type of printer is targeted for home/home office use, it would be valid to ask why SNMP is enabled in the first place. Please explain how this printer would be any less easy to use if HP had used non-default community strings in the firmware? In a home/home office environment, the only thing that might have a valid need to communicate with the printer via SNMP would be HP's software, which could just as easily use a non-default community string.
>
> On Fri, 28 Dec 2007 09:32:29 -0600 Joshua Levitsky <jlevitsk () joshie com> wrote:
>
>> Do you mean to tell me someone can come to my house and after I let them on my network they can see how soon I need toner? Oh crap, I better not let anyone over for New Year's!!! There is a reason it's a $200 home/home office printer. It's not meant to sit on the internet. It's not meant to be in a military facility. It is meant to be simple to use. I think next I shall contact Sears because I suspect someone can steal my water by simply placing a glass up to the front of the fridge without my knowledge, and I'm not positive but I think they can take my ice as well.
>>
>> On Dec 28, 2007, at 10:16 AM, <uncleron () hushmail com> wrote:
>>
>>> HP Photosmart C6280 (and probably other) network printers ship with insecure default settings. The printer ships with SNMP enabled using the default community strings for both public and private. HP does not document the use of SNMP, or provide a way for users to change the default community strings. The printer also includes a web based admin tool which runs over http, without even an option for ssl. Several attempts to contact HP have proven futile.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
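The point the original report makes (SNMP v1/v2c enabled with the stock "public" and "private" community strings, and no way to change them) is something a home-network owner can check for in their own traffic. The following is an added example for this thread, not code from HP or from either poster: a minimal BER encoder to construct sample SNMP messages, a header parser that pulls out the version and community string, and an audit pass that flags messages carrying the default strings, rating a SetRequest with the write community higher than a read. The sample packets, the 192.0.2.x addresses (RFC 5737 documentation range) and the "c6280-mgmt" community are constructed for the example; the OIDs are sysDescr/sysName from RFC 1213 and prtMarkerSuppliesLevel from the Printer MIB (RFC 3805), which is the toner-level query the thread talks about.

```python
"""Flag SNMP v1/v2c messages that use vendor-default community strings.

Added example for the HP Photosmart thread, not HP's code. Includes a tiny
BER encoder so the sample traffic can be built offline.
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # the defaults named in the report
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest"}

# --- minimal BER encoding, enough for SNMP v1/v2c ---------------------------

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(v):
    # non-negative INTEGER; the extra leading byte keeps the sign bit clear
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:                      # base-128 with continuation bits
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_message(version, community, pdu_tag, oid, request_id=1):
    """SNMP v1 (version=0) or v2c (version=1) message with one NULL varbind."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + b"\x05\x00"))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)

# --- decoding ---------------------------------------------------------------

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Return version, community and PDU type of a v1/v2c message.

    An SNMPv3 message carries msgGlobalData, not a community string, in the
    second field, so community is reported as None and the PDU is skipped.
    """
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, vbody, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(vbody, "big", signed=True)
    name = {0: "v1", 1: "v2c", 3: "v3"}.get(version, f"unknown({version})")
    if version not in (0, 1):
        return {"version": name, "community": None, "pdu": None}
    tag, cbody, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return {"version": name, "community": cbody.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, f"pdu-0x{pdu_tag:02x}")}

def audit_packets(packets):
    """packets: iterable of (source, raw UDP payload). Returns findings."""
    findings = []
    for src, raw in packets:
        hdr = parse_snmp_header(raw)
        if hdr["community"] in DEFAULT_COMMUNITIES:
            # a SetRequest with the write community can change device settings
            severity = "high" if hdr["pdu"] == "SetRequest" else "medium"
            findings.append({"source": src, "version": hdr["version"],
                             "community": hdr["community"],
                             "pdu": hdr["pdu"], "severity": severity})
    return findings

def sample_packets():
    """Constructed sample traffic, not a real capture."""
    return [
        ("192.0.2.10", build_message(1, "public", 0xA0, "1.3.6.1.2.1.1.1.0", 100)),
        ("192.0.2.10", build_message(0, "private", 0xA3, "1.3.6.1.2.1.1.5.0", 101)),
        ("192.0.2.11", build_message(1, "c6280-mgmt", 0xA0,
                                     "1.3.6.1.2.1.43.11.1.1.9.1.1", 102)),
    ]

if __name__ == "__main__":
    for finding in audit_packets(sample_packets()):
        print(finding)
```

Run against a real capture, `packets` would be the UDP payloads seen on port 161; the parser deliberately reads only the outer header, so it does not need to understand every PDU variant to report the community string, and it steps aside for v3, which has no community string to leak in the first place.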