Quickly configure and lock down an HP network printer

Quickly configure and lock down an HP network printer

Summary: Did you know that an HP printer is really a Linux web server that can be hacked and defaced if you don't lock it down and properly configure it? Here is a guide to quickly configure and lock down your HP network printer.

SHARE:
TOPICS: Printers
22

Did you know that an HP printer is really a [Updated 9/11/2006 Linux Chai web server] that can be hacked and defaced if you don't lock it down and properly configure it?  Here is a guide to quickly configure and lock down your HP network printer.

Topic: Printers

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

22 comments
Log in or register to join the discussion
  • Start with updated firmware

    Hacked HP 4200 firmware version : 20030213 04.007.3
    Latest firmware for HP 4200: 20050628 04.020.3

    George makes an important point, though disguised as the usual
    attack on Linux, updates aren't just for windows PCs - all
    software including devices contain software that must be
    managed.

    Printers are such a device, but for even greater impact watch
    those network switches/routers.
    Richard Flude
    • What attack?

      "though disguised as the usual attack on Linux"

      Are you losing it?
      georgeou
      • This attack

        [from blog]
        "Did you know that an HP printer is really a Linux web server
        that can be hacked and defaced if you don't lock it down and
        properly configure it?"
        [/blog]

        HP printers do NOT run Linux, they are NOT a Linux web server.
        Linux has nothing to do with the LaserJet vulnerabilities.

        LaserJets use the highly respected LynxOS RTOS.

        "Are you losing it?"

        Yes I am. Why this continuous stream of lies against non-MS
        products on ZDNet?
        Richard Flude
        • Re: This attack

          [i]Did you know that an HP printer is really a Linux web server that can be hacked and defaced if you don't lock it down and properly configure it?[/i]

          That's not an attack because everyone knows that an IIS or any other server could be (and are) defaced if it's not properly configured.

          But it [u]is[/u] a credibility problem because there's no such thing as a "Linux web server." Web servers may run on top of Linux, but Linux is the OS kernel.

          The most damning is, as you say, HP printers don't even run Linux. I have heard LynxOS referred to as Lynux. Maybe that confused George.


          :)
          none none
        • Cut George some slack

          He thinks three weeks is a few days.
          frgough
    • Attack

      Attack? Not Really Richard.

      Clearly routers which be prime targets, still, I believe George is providing a information service here.


      Cut a little slack. :)
      D T Schmitz
  • Addendum

    I see way too much use of telnet.

    In fact, don't ever use telnet.
    Use Secure Shell.

    Has benefits for secure access but the device must support it.

    My router at home, a linksys WRT54GL, has embedded Linux and is flashed with DD-WRT v23 'standard'.

    Turned off telnet and turned on ssh.

    ssh uses:

    o port fowarding email, www proxy (socks)
    o remote secure administration
    o remote secure vnc (port forwarding 5900)
    o remote secure 'anything' in character based
    o reverse tunnels

    All this time I didn't realize HP printers were using embedded Linux, and probably many other people don't either so George is providing good information here!!

    I don't take it as a slight--these are the basics for minimum security, Linux or not.

    Thanks George.
    D T Schmitz
    • Which JetDirect devices and printers even support SSH?

      Which JetDirect devices and printers even support SSH? I know the printers that I have don't. You're right that SSH should always be used, but some devices just don't support it.
      georgeou
  • Isn't that the long way

    I'm not seeing the advantage to your methods George. I just use the HP WebJet Administrator to find the new printer or I use Netscan from Softperfect to scan the range and find the new printer, since all the other printers are already have a host name and the new printer will stand out like a sore thumb. I can then either TCP into the printer to set it up or use the WebJet Admin. Less than five minutes and I'm done.
    k12IT
    • Five minutes! It takes less than a minute to do it via command line.

      I can type 1 command in the CLI faster than you can even open the WebJet Admin UI let alone finish the configuration.
      georgeou
      • I was being generous

        George, where is your hostility coming from? I liked the article, it's just something I wouldn't use and seems out of the way when I'm already in the Windows GUI.

        Some of us like one interface, some another. I was being generous with the 5 minutes. I've used both and think typing command line is a longer way. As I said, I can find the printer IP much easier using WebJet Admin or Netscan, so while I'm there I might as well use the WebJet Admin. At the same time I can manage my other printers and if you use it long enough you can do things quite fast in WebJet Admin.

        I stopped using a CLI many years ago, but will use it for some things that are very useful. This I don't see as useful in a Windows enviroment.
        k12IT
        • I wasn't being hostile

          I'm sorry if you took it that way. I didn't mean it to come across as hostile. My point is that a CLI for a simple command is the faster way to go.

          Furthermore, the WebJet admin tool or Netscan tool does not work across subnets. The method I'm trying to teach here does. I'm also trying to teach people the security dangers of not locking down a printer and I show people how to do it in CLI.

          Again, please don't take my comments to you as hostile.
          georgeou
          • I see the point now

            Thanks George....I now see your use with the across subnets issue. As we currently aren't going across subnets in one school I didn't think of it that way. I can see the benefit using it that way.

            Thanks again....Ray
            k12IT
          • I try to keep subnets to less than 100 nodes

            I try to keep subnets to less than 100 nodes (devices); this keeps the broadcast storms to an acceptable level. One can easily use something like a relatively cheap layer 3 capable switch to segment a network.
            georgeou
      • ?

        since i am not using a printer i am really curious. What is this 1 command line you type in?
        richvball44
        • It was in the article, but here it is again

          Once you know the DHCP IP of the printer, you just telnet to it and then type "ip: 10.0.0.100" for example. Ok the telnet command makes it two commands.
          georgeou
          • .

            cool. thanks
            richvball44
  • If you had ABSOLUTELY NOTHING better to do

    Really. It takes time and effort to break into a Linux box - why spend that time on a printer? Slow news day George?
    Roger Ramjet
    • First it's not that difficult

      Security is only a strong as your weakest component. If that component is a printer running Linux that is left wide open then you have a problem.

      Why lock down any computer if you aren't going to lock down one of them?
      voska
      • Bullsh1t

        Breaking into a *NIX server may allow the user to get access to the intranet - as sharing policies and disk mounts allow intruders to glean valuable information. This does not exist on a printer. You have access to a print queue - so I suppose you could intercept print jobs - but that's it. Unless and until someone prints something confidential - you stay very bored.
        Roger Ramjet