firmware upgrades; if telnet has been disabled to avoid plain-text transmission of the password, FTP upgrades are also disabled.

The ability to use the EWS to upgrade HP Jetdirect devices is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07572. How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is protected. For users of the EWS, HP recommends setting the redirect from HTTP to HTTPS, using a properly signed certificate, and of course specifying a good password.

HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them

The easy availability of network tools that can perform effective MITM attacks against the TCP/IP protocol suite has caused a lot of concern among customers. Let’s review what a MITM attack against the TCP/IP protocol suite does. A node intercepts IP packets from a node by pretending to be another node and then forwards the IP packets to the next correct node so that they end up at the final destination as if no interception had taken place; this MITM node also intercepts packets traveling in the opposite direction (from the destination back to the source) in the same manner. What this means is that the MITM node has a copy of all the data sent between that source and that destination. If the MITM node has a copy of a PDF file that was sent between an email client and email server, it can use Adobe Acrobat Reader to open it. If the MITM node has a copy of a text document that was sent between an FTP client and an FTP server, it can open it with a text editor. If the MITM node has a copy of a print job, it can “open” it by sending it to a printer. In some cases, as with PostScript or simple text, a print job can be opened using other applications without having to send it to a printer. While this is a valid vulnerability, it is a general vulnerability of the TCP/IP protocol suite and is not a vulnerability specific to printing.

In a passive sniffing attack, another node on the network records conversations. These attacks are analogous to using a listening device hidden in a conference room to record a meeting conversation. Active attacks are also used to force network infrastructure equipment to behave in a manner that allows passive sniffing. This active/passive behavior is analogous to a person who is not able to plant the listening device in the conference room and instead pulls a fire alarm in the building, then records the conversation of the individuals leaving the conference room. Properly deployed cryptographic protocols are a good defense against passive and active sniffing attacks. Networking infrastructure equipment can be configured to help hinder active attacks. Port access controls, such as 802.1X, help protect against unauthorized connections. In addition, many switch vendors offer various flavors of ARP protection and monitoring, since ARP poisoning is a fundamental step in MITM attacks.
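The ARP monitoring mentioned above can be illustrated with a small offline check. This is an added example, not code from HP or from any switch vendor: it parses captured Ethernet/ARP frames and flags two conditions a monitor typically looks for, namely a pinned IP-to-MAC binding that changes and an ARP sender address that differs from the Ethernet source. The addresses, function names and sample frames are constructed for illustration.

```python
import struct

def mac(s):  # "02:00:00:00:00:10" -> 6 bytes
    return bytes.fromhex(s.replace(":", ""))

def ip(s):   # "192.0.2.10" -> 4 bytes
    return bytes(int(p) for p in s.split("."))

def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Build Ethernet + ARP reply bytes; used only to construct sample input."""
    eth = mac(target_mac) + mac(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    return frame[6:12], frame[22:28], frame[28:32]

def check_frames(frames, pinned):
    """pinned maps IP -> expected MAC for known devices such as the print server."""
    bindings = {ip(k): mac(v) for k, v in pinned.items()}
    alerts = []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not an ARP frame of the kind handled here
        eth_src, sender_mac, sender_ip = parsed
        if eth_src != sender_mac:
            alerts.append((n, "ethernet source differs from ARP sender"))
        # Unpinned IPs are learned on first sight; later changes are flagged.
        expected = bindings.setdefault(sender_ip, sender_mac)
        if expected != sender_mac:
            alerts.append((n, "IP-to-MAC binding changed"))
    return alerts

# Constructed sample: print server 192.0.2.10, workstation 192.0.2.20, third node ...:99
PRINTER, CLIENT, OTHER = "02:00:00:00:00:10", "02:00:00:00:00:20", "02:00:00:00:00:99"
SAMPLE = [
    build_arp_reply(PRINTER, PRINTER, "192.0.2.10", CLIENT, "192.0.2.20"),  # expected binding
    build_arp_reply(OTHER, OTHER, "192.0.2.10", CLIENT, "192.0.2.20"),      # printer IP, other MAC
    build_arp_reply(OTHER, CLIENT, "192.0.2.20", PRINTER, "192.0.2.10"),    # sender != eth source
]
ALERTS = check_frames(SAMPLE, {"192.0.2.10": PRINTER})
```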

The defense against TCP/IP MITM attacks is the proper deployment of cryptographic protocols such as IPsec and SSL/TLS with a properly signed HP Jetdirect certificate. HP recommends the proper deployment of IPsec (SET 4) as a solution to this general vulnerability of the TCP/IP protocol suite.

HP Jetdirect Hacks: Printer/MFP access

Up until now, we have primarily discussed HP Jetdirect security. Some publicly available applications interface directly with the printer/MFP’s PJL library over a print connection. These tools often claim to bypass HP Jetdirect security. However, as we’ve seen from our functional diagram, HP Jetdirect controls the networking stack; it does not parse PJL and cannot be configured to block PJL commands. Printer/MFPs themselves can be configured to provide a lot of security too. HP recommends following the NIST checklist as a guideline for all customers concerned about printer/MFP security: http://www.hp.com/united-states/business/catalog/nist_checklist.html.
