Vulnerabilities / Threats

7/31/2018
04:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

HP Launches Printer Bug Bounty Program

Bugcrowd will manage new vulnerability disclosure award program for HP enterprise printers.

HP will pay up to $10,000 per vulnerability found in its enterprise printers under a new bug bounty program.

Bugcrowd is heading up HP's new private bug bounty program, with award amounts based on the severity of the flaws. A recent report from Bugcrowd shows an increase of 21% in vulnerabilities discovered in printers.

Printers often get overlooked as potential attack vectors. But with rising threats targeting other Internet of Things (IoT) devices and printers getting outfitted with more advanced functions, they're becoming a more attractive weak link.

"Like the PC, printers have become incredibly powerful devices, increasing in storage and processing power. However, we haven't reached awareness to secure print devices, and all the good security practices that are employed to protect PCs and other important nodes in the network are not being deployed with consistency to printers," says Shivaun Albright, chief technologist for printing security at HP. "HP's goal is to continually improve and help our customers manage their devices."  

HP previously had worked directly with researchers who discovered flaws in its printers. "We've always actively encouraged researchers to report vulnerabilities," Albright says.

Its new printer bug bounty program calls for researchers to root out firmware flaws, such as cross-site request forgery (CSRF), remote code execution (RCE), and cross-site scripting (XSS). "Bugcrowd and HP have worked with one researcher to physically send [to them] an enterprise grade A3 printer to fully assess all components from the outside in," Albright says.

The program initially is for HP LaserJet Enterprise printers and HP PageWide Enterprise printers and MFPs (A3 and A4 formats).

While IoT devices have received a lot of attention security-wise of late, printers have not. "There's a big focus on connected devices like Web cameras or smart TVs, which are highly relatable to everyone, but not printers necessarily," Albright says. "That said, printers may be the most common IoT device an individual uses."  

The Mirai botnet attack in 2016 was a big wake-up call: "[It] took down the Internet in a major way. The botnet used hacked IoT devices, like webcams and DVRs, but printers were also a part of that mix," she says.

Printers often get lost in the shuffle when it comes to enterprise security. "There is currently a gap in discussions between decision-makers and those implementing the technology," Albright notes. "We're also seeing mismanagement in the deployment of printers leaving critical ports and settings open. This makes it easy for attackers to remotely access the device."

HP recommends that printer customers work closely with their channel partners to use managed print services programs, and that remote workers avoid printing via unsecure Wi-Fi networks, for example.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/3/2018 | 10:34:33 AM
Ancient threat
How many remember, and tested, the infamous google search string for OFFICEJET printers that could access and display the internal web page of officejets AROUND the world and with internal IP address to boot!!!   i tried it an dit worked - impressive failure indeed. 
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.