HP Printer security flaw allows hackers to extract passwords

Owners of certain HP LaserJet Pro printers are being advised to protect themselves against a security vulnerability “as soon as possible”, after researchers found it was possible to remotely access admin passwords and other information.

The vulnerability, dubbed CVE-2013-4807, was discovered by Michał Sajdak of Securitum.pl who described how hackers could extract plaintext admin passwords via hidden URLs hardcoded into the printers’ hardware.

Sajdak discovered that if you access vulnerable LaserJet printers via a URL like this:

http://IP_ADDRESS/dev/save_restore.xml

you are not required to authenticate yourself, and a number of parameters are easily accessible.

For instance, in his example, Sajdak found a hex representation of the admin password:

In this case, 0x746573746f7765 is the hex equivalent to “testowe”.

Furthermore, Sajdak found that WiFi-enabled printers could leak the network’s WPS PIN:

http://IP_ADDRESS:8080/IoMgmt/Adapters/wifi0/WPS/Pin

The good news is that the security vulnerability was disclosed responsibly to Hewlett-Packard, and firmware updates for affected printers are available for users to download.

Sign up to our newsletter
Security news, advice, and tips.

The bad news is that many printer owners probably aren’t aware that the security issue exists, or simply won’t bother to apply the firmware update.

According to the security advisory published by Hewlett-Packard, a patch for the vulnerability is available the following printers: HP LaserJet Pro P1102w, HP LaserJet Pro P1606dn, HP LaserJet Pro M1212nf MFP, HP LaserJet Pro M1213nf MFP, HP LaserJet Pro M1214nfh MFP, HP LaserJet Pro M1216nfh MFP, HP LaserJet Pro M1217nfw MFP, HP LaserJet Pro M1218nfs MFP, and HP LaserJet Pro CP1025nw.

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.