Make sure a printer is malware free



#1 bvz (Members)

Posted 14 January 2017 - 07:12 PM

Hello,

 

I just purchased a used HP Envy 5530 inkjet printer. I have no reason to think that it is compromised by malware, but at the same time I don't want to chance plugging it into my network or computer just to save a few bucks over a new printer.

 

My plan (and understand that I have no experience with security so this may all be stupid) is to download the latest firmware for the printer and try to install it directly from an SD card. If that isn't possible, I have access to an old netbook running Windows XP that I may be able to use.

 

My question is whether you think that installing a new firmware would eliminate any potential malware that might be on the printer?

 

Any other considerations?

 

Thanks all!





#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 15 January 2017 - 09:06 AM

If you have no reason to believe that your printer is compromised by malware...then I do not understand the hesitation for not connecting it. Did you read an article somewhere which has given you pause?


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 shelf life (Malware Response Team)

Posted 15 January 2017 - 09:08 AM

I think you are referring to poorly configured networked printers, cameras, etc. (IoT devices) being used in DDoS attacks.


How Can I Reduce My Risk to Malware?


#4 bvz (Topic Starter)

Posted 15 January 2017 - 12:08 PM

I'm sorry, I should have been more clear. Shelf life is correct. I have been reading about IoT-style devices (printers included) having terrible default security. HP printers were named specifically in one of the articles I came across (though to be fair, that was about printers that are much older than the one I bought, and their security has improved since). Still, my limited understanding has made me believe that it is possible that this internet-connected device could be compromised simply because it may, for example, have been connected to the internet and may have only ever had a default password (I'm still trying to figure that out by reading the manual). Or perhaps it had some other easily exploitable security flaw. For example, I have another web-enabled HP printer that comes with a firewall baked in. But that firewall is turned off by default for reasons I cannot quite fathom. It might be the same with this device, and the previous owner probably never turned it on. Also, the latest firmware notes include a fix for the Heartbleed SSL bug, which indicates that the web server might be vulnerable to that as well.

Honestly, I'm just technical enough to be dangerous to myself here. Am I just being paranoid? Is it extremely unlikely that it is infected?

Also, do you think it is likely that a firmware install could wipe out any potential non-HP software in the remote chance that software did manage to get installed on there?

Edited by bvz, 15 January 2017 - 12:10 PM.


#5 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 15 January 2017 - 12:45 PM

We have an HP ENVY 7640 Wireless e-All-in-One Printer which connects to the Internet via our WiFi which uses a separate password. When the printer needs updating, HP automatically offers a Firmware Update.

#6 bvz (Topic Starter)

Posted 15 January 2017 - 03:51 PM

It looks like this device may have that enabled as well. I was able to connect to its built-in web server by turning on the direct Wi-Fi connection (i.e. it is not on my network) and then connecting to the printer using an old MacBook running Chrome OS (I can wipe it quickly and easily if I do desire later and lose nothing). I had to give it a password to connect, but that is just the wireless password it uses to keep your neighbors from connecting to your printer if it is in this mode.

 

Automatic updating seems to have been turned on, but I can also see that connecting to the web server itself requires NO password whatsoever (I can turn that feature on, but it is off by default). I am trying to see if the current firmware is the latest or not, but even if it is, the damn password was off, so having the latest firmware means little to nothing as far as I can tell. There is no place that I can see that will force it to re-download the firmware, and even if there was, I am not comfortable with plugging it into my network so that it gets an internet connection to do so.

 

I have no way of knowing if it is compromised or not, but to be perfectly frank, the fact that it doesn't have a password on the web server and no firewall that I can see means that I have little faith in HP actually securing this device. But again, I am not someone who knows a lot about these devices. Am I being paranoid?



#7 bvz (Topic Starter)

Posted 15 January 2017 - 04:32 PM

One more bit of info...

 

I loaded a port scanner onto my Chromebook and found that the following ports are open on the printer:

80 (HTTP)
443 (HTTP over SSL)
8080 (HTTP proxy)

If those ports are open, but the printer was (presumably) behind a firewall, does that mean that these ports would not have been easily accessible from the outside internet?



#8 Crazy Cat (Members)

Posted 16 January 2017 - 12:53 AM

How boobytrapped printers have been able to infect Windows PCs for over 20 years. https://www.tripwire.com/state-of-security/featured/boobytrapped-printers-windows-malware/
http://blog.vectranetworks.com/blog/microsoft-windows-printer-wateringhole-attack

When Firmware Modifications Attack: A Case Study of Embedded Exploitation. http://blog.narotama.ac.id/wp-content/uploads/2014/12/When-Firmware-Modifications-Attack-A-Case-Study-of-Embedded-Exploitation.pdf
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.



#9 Didier Stevens (BC Advisor)

Posted 17 January 2017 - 05:05 PM

What portscanner did you use? Do you know if it did a full port scan, or just the most common one?

 

And what do you mean with "presumably behind a firewall"?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#10 bvz (Topic Starter)

Posted 17 January 2017 - 11:13 PM

@Crazy Cat:

 

Thanks for the links. I looked through them and they are suitably frightening. That said, the first two seem to be about compromising printers once you are already inside the local subnet? I'm not sure.

 

@Didier Stevens:

 

I used a port scanner on my Chromebook. It is called "LAN Portscanner", but I don't know if it checks all ports or just common ones. I have reached out to the developer to see (as a result of reading your post), so I will see if they reply.

 

The URL for the app is here: https://chrome.google.com/webstore/detail/lan-portscanner/onkkglkjdlnhhdmblopeaokcllhnceej?hl=en-US

 

I said "presumably behind a firewall" because this is a consumer-level printer (not even SOHO level). Most people who have internet access usually use the router/modem combo that they get from their ISPs. Most of these have a firewall baked into them if I am not mistaken (that said, I am often mistaken...) as well as NAT. That is what I meant, but I am completely open to being corrected on this front if I am making stupid assumptions.

 

Edit: I just read the reviews and they indicate that it only scans the 18 most common ports, so that seems like a bust. I'll have to figure something else out.

 

If the printer is serving up its own network via Wi-Fi Direct, is it safe to connect to that network with my desktop iMac and run a (presumably) real port scanner against it?


Edited by bvz, 17 January 2017 - 11:14 PM.


#11 Didier Stevens (BC Advisor)

Posted 18 January 2017 - 03:58 PM

You don't have to worry about connecting your Mac.

 

And I'm not suggesting you should do a full port scan.

My question was just to make sure that you understood that your list of open ports could be incomplete.


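A way to check the point Didier Stevens makes above, that a scanner's list of open ports is only as complete as the port list it was told to check, as an added example that is not part of this thread and not anyone's posted code. It does a plain TCP connect to each port in an explicit list on a device you own (for instance a printer on its own Wi-Fi Direct network) and reports which of the open ports a short "common ports" list would never have shown. The COMMON_PORTS and PRINTER_PORTS lists are constructed for illustration (the LAN Portscanner app's actual 18-port list is not known), the default target address is a placeholder, and the two listener helpers exist only so the scanner can be exercised against the local machine.

```python
"""Connect-scan an explicit TCP port list on a device you own.

Added example, not code from the BleepingComputer thread. Assumes the target
is your own printer on a network you control, and treats a completed TCP
handshake as "open" (no banner grabbing, no UDP, so SNMP on 161 is not covered).
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for a scanner app's short "common ports" list.
# The actual list used by the LAN Portscanner app is not known.
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389, 8080]

# Ports a network printer typically listens on (assumed for illustration):
# 515 LPD, 631 IPP, 9100 raw/JetDirect, plus the web interface on 80/443/8080.
PRINTER_PORTS = [80, 443, 515, 631, 8080, 9100]


def port_is_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port completes within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def scan_ports(host: str, ports, workers: int = 32) -> list:
    """Return the sorted subset of `ports` that accept a TCP connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = pool.map(lambda p: (p, port_is_open(host, p)), ports)
        return sorted(port for port, is_open in hits if is_open)


def missed_by_common_scan(open_ports, common=COMMON_PORTS) -> list:
    """Open ports that a scanner checking only `common` would never report."""
    return [p for p in open_ports if p not in common]


def start_listener(host: str = "127.0.0.1"):
    """Open a listening socket on an ephemeral port; returns (socket, port).

    Exists only to exercise the scanner locally without touching a real device.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host: str = "127.0.0.1") -> int:
    """Pick a port that is currently not listening (for the local check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    # Placeholder address (TEST-NET); pass the printer's Wi-Fi Direct address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    ports = sorted(set(COMMON_PORTS) | set(PRINTER_PORTS))
    found = scan_ports(target, ports)
    print("open:", found)
    print("would be missed by a common-ports-only scan:",
          missed_by_common_scan(found))
```

Passing `range(1, 65536)` as the port list gives the complete picture the thread is after; it just takes longer, which is why consumer scanner apps trim the list and why a short result should be read as "nothing found among the ports checked", not "nothing else is listening".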
