HP Disputes Printer Security Vulnerabilities
Matthew J. Schwarz writes for InformationWeek:
"HP is disputing the feasibility of several vulnerabilities in its JetDirect print server software that recently were highlighted by a researcher.
Information security researcher Sebastian Guerrero said that by using HP printer language command tags, he'd been able to retrieve other people's print jobs or assign them to a different user -- thus bypassing fingerprint or smart card checks built into a printer -- as well as crash a printer by using printer-command tags containing unexpected content.
'Based on what was disclosed it appears that the device was intentionally sent a corrupting job -- basically to try and disable the printer,' said Keith Moore, chief technologist at HP LaserJet Solutions group, speaking by phone about one of the disclosed vulnerabilities. 'If you're intentionally sending corrupt print jobs, yes the printer has a hard time knowing what to do with that, but that's where rebooting [comes in],' said Moore.
'The other claims don't seem to be supported, and if you properly configure the device -- as we recommend -- [they] technically can't be done,' said Moore.
'HP takes our customers' security very seriously,' said a spokeswoman in a follow-up email. 'Our team has investigated the security allegations ... and determined that the claims that someone can bypass built-in biometric defenses and recover previously printed documents are false.'
The crucial point in HP's rebuttal of parts of Guerrero's research, however, hangs on printers being properly configured..." [read more at InformationWeek]