Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/31/2018
04:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

HP Launches Printer Bug Bounty Program

Bugcrowd will manage new vulnerability disclosure award program for HP enterprise printers.

HP will pay up to $10,000 per vulnerability found in its enterprise printers under a new bug bounty program.

Bugcrowd is heading up HP's new private bug bounty program, with award amounts based on the severity of the flaws. A recent report from Bugcrowd shows an increase of 21% in vulnerabilities discovered in printers.

Printers often get overlooked as potential attack vectors. But with rising threats targeting other Internet of Things (IoT) devices and printers getting outfitted with more advanced functions, they're becoming a more attractive weak link.

"Like the PC, printers have become incredibly powerful devices, increasing in storage and processing power. However, we haven't reached awareness to secure print devices, and all the good security practices that are employed to protect PCs and other important nodes in the network are not being deployed with consistency to printers," says Shivaun Albright, chief technologist for printing security at HP. "HP's goal is to continually improve and help our customers manage their devices."  

HP previously had worked directly with researchers who discovered flaws in its printers. "We've always actively encouraged researchers to report vulnerabilities," Albright says.

Its new printer bug bounty program calls for researchers to root out firmware flaws, such as cross-site request forgery (CSRF), remote code execution (RCE), and cross-site scripting (XSS). "Bugcrowd and HP have worked with one researcher to physically send [to them] an enterprise grade A3 printer to fully assess all components from the outside in," Albright says.

The program initially is for HP LaserJet Enterprise printers and HP PageWide Enterprise printers and MFPs (A3 and A4 formats).

While IoT devices have received a lot of attention security-wise of late, printers have not. "There's a big focus on connected devices like Web cameras or smart TVs, which are highly relatable to everyone, but not printers necessarily," Albright says. "That said, printers may be the most common IoT device an individual uses."  

The Mirai botnet attack in 2016 was a big wake-up call: "[It] took down the Internet in a major way. The botnet used hacked IoT devices, like webcams and DVRs, but printers were also a part of that mix," she says.

Printers often get lost in the shuffle when it comes to enterprise security. "There is currently a gap in discussions between decision-makers and those implementing the technology," Albright notes. "We're also seeing mismanagement in the deployment of printers leaving critical ports and settings open. This makes it easy for attackers to remotely access the device."

HP recommends that printer customers work closely with their channel partners to use managed print services programs, and that remote workers avoid printing via unsecure Wi-Fi networks, for example.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Anamikasinha123
50%
50%
Anamikasinha123,
User Rank: Apprentice
3/31/2020 | 4:57:24 AM
Re: Ancient threat
 Thanks for putting this information . Here is a blog which will help to Fix Missing Network Printer issues in the windows system. The main issue is of outdated drivers if printer stop working. So you should update all the drivers
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/3/2018 | 10:34:33 AM
Ancient threat
How many remember, and tested, the infamous google search string for OFFICEJET printers that could access and display the internal web page of officejets AROUND the world and with internal IP address to boot!!!   i tried it an dit worked - impressive failure indeed. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25747
PUBLISHED: 2020-09-25
The Telnet service of Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) can allow a remote attacker to gain access to RTSP and ONFIV services without authentication. Thus, the attacker can watch live streams from the camera, rotate the camera, change some settings (brightn...
CVE-2020-25748
PUBLISHED: 2020-09-25
A Cleartext Transmission issue was discovered on Rubetek RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339). Someone in the middle can intercept and modify the video data from the camera, which is transmitted in an unencrypted form. One can also modify responses from NTP and RTSP s...
CVE-2020-25749
PUBLISHED: 2020-09-25
The Telnet service of Rubetek cameras RV-3406, RV-3409, and RV-3411 cameras (firmware versions v342, v339) could allow an remote attacker to take full control of the device with a high-privileged account. The vulnerability exists because a system account has a default and static password. The Telnet...
CVE-2020-24592
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.
CVE-2020-24593
PUBLISHED: 2020-09-25
Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation.