Hp Jetdirect Hacks: Sniffing Print Jobs And Replaying Them; Hp Jetdirect Hacks: Printer/Mfp Access - HP J3111A - JetDirect 600N Network Card Manuallines

firmware upgrades; if telnet has been disabled to avoid plain-text transmission of the password, FTP
upgrades are also disabled.
The ability to use the EWS to upgrade HP Jetdirect devices is described here:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07572. How
the EWS is protected determines how the HP Jetdirect firmware upgrade capability is protected. For
users of the EWS, HP recommends setting the redirect from HTTP to HTTPS, using a properly signed
certificate, and of course specifying a good password.

HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them

Easily available network tools that can perform effective MITM attacks against the TCP/IP protocol
suite has caused of a lot of concern among customers. Let's review what a MITM attack against the
TCP/IP protocol suite does. A node intercepts IP packets from a node by pretending to be another
node and then forwards the IP packets to the next correct node so it may end up at the final
destination as if no interception had taken place; also, this MITM node intercepts packets traveling in
the opposite direction (from the destination back to the source) in the same manner. What this means
is that the MITM node has a copy of all the data sent between that source and that destination. If the
MITM node has a copy of a PDF file that was sent between an email client and email server, it can
use Adobe Acrobat Reader to open it. If the MITM node has a copy of a text document that was sent
between an FTP client and an FTP server, it can open it with a text editor. If the MITM node has a
copy of a print job, it can "open" it by sending it to a printer. In some cases, as with PostScript or
simple text, a print job can be opened using other applications without having to send it to a printer.
While a valid vulnerability, it is nonetheless a general vulnerability of the TCP/IP protocol suite and is
not a vulnerability specific to printing.
Passive sniffing attacks are where another node on the network can record conversations. These
attacks are analogously similar to using listening device hidden in a conference room to record a
meeting conversation. Active attacks are also used to force network infrastructure equipment to
behave in a manner that allows passive sniffing. This active/passive behavior is analogously similar
to a person not being able to plant the listening device in the conference room and instead pulling a
fire alarm in the building then recording the conversation of the individuals leaving the conference
room. Properly deployed cryptographic protocols are a good defense against passive and active
sniffing attacks. Networking infrastructure equipment can be configured to help hinder active attacks.
Port access controls, such as 802.1X, help protect against unauthorized connections. In addition,
many switch vendors offer various flavors of ARP protection and monitoring since ARP poisoning is a
fundamental step in MITM attacks.
The defense against TCP/IP MITM attacks is the proper deployment of cryptographic protocols such
as IPsec and SSL/TLS with a properly signed HP Jetdirect certificate. HP recommends the proper
deployment of IPsec (SET 4) as a solution to this general vulnerability with the TCP/IP protocol suite.

HP Jetdirect Hacks: Printer/MFP access

Up until now, we have discussed HP Jetdirect security primarily. Some publicly available applications
interface directly with the printer/MFP's PJL library over a print connection. These tools often claim to
bypass HP Jetdirect security. However, as we've seen from our functional diagram, HP Jetdirect
controls the networking stack and does not parse PJL and cannot be configured to block PJL
commands. However, printer/MFPs can be configured to provide a lot of security too. HP
recommends following NIST checklist as a guideline to all customers concerned about printer/MFP
security: http://www.hp.com/united-states/business/catalog/nist_checklist.html.
10