The legacy of the insecure IoT: HP’s JetDirect

If you are looking to trace the origins of an insecure IoT, you might want to take a walk down memory lane back to October 1991. Back then HP developed the first network printer server called JetDirect. This took the form of an internal circuit card shown here that came in both Token Ring (remember those?) and Ethernet versions that fit inside the early monochrome laser printers. I believe those early printers cost around $2400, so there was some cost motivation to share them around the LAN. HP had been selling the first desktop laser printers for several years and this was the first time that any of them could be easily connected to a network. During the 1990s there were several versions of JetDirect cards created, including external print servers that could connect to any printer that had a parallel port. It wasn’t long before they were commonly used, not just for printing but numerous other hacking activities.

Why is this the origin story of the insecure IoT? Check out this post on SecurityFocus from May 2003. Way before ransomware was common, the post describes a major vulnerability in the JetDirect web-based admin utility. Some network admins knew when they first got these devices that they could be configured via two different protocols: web and telnet. The post shows that the telnet interface didn’t have any default password, and if you had to reset the device, you would return to this default setting. Thus began the insecure IoT. At the time, there was a lot of discussion about printer insecurity, not just about HP but any network-connected printer: check out this SANS white paper from 2003.

When we look at this material with a modern eye, some of the hacks mentioned here seem, well quaint. But some are significant, such as having a hacker hosting malicious webpages and scripts on your printer, as mentioned in this recent article here. One of the attractions for using network printers is that usually no one looks carefully at their operations, either through activity logs or intrusion systems. Another advantage is that they are always on and if they have issues get rebooted quickly so they can continue to serve print jobs.

Now we have millions of network-connected devices of all shapes and sizes, but still have sub-par programming where passwords, secure protocols and other practices are few and far between. Granted, laying all this at the feet of HP isn’t really fair: they didn’t anticipate how networks would be abused decades later. But it shows that hardware vendors often give security short shrift. Since those early days, HP hasn’t been just sitting around either: In 2015 they came out with ultra-secure printers that protect any BIOS tampering and have other controls such as built-in intrusion detection.

It is nice to see that the JetDirect product, which started the insecure IoT, brought about some solid innovation in the modern era with better printer security. It has come full circle, to be sure.

2 thoughts on “The legacy of the insecure IoT: HP’s JetDirect

  1. You’re absolutely correct. JetDirects and their ilk are the pioneer IoT devices.

    So those us still using rock-solid and reliable HP LaserJets need to close off telnet ports in our firewalls and take additional action to button up our JetDirects.

    And then we have all the remote printing from offsite touted today by printer manufacturers with modern printers. Oh, how convenient to print something at home from that open wifi at Starbucks. Yet more security holes?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.