
HP Keeps Installing Secret Backdoors In Enterprise Storage

Nerval's Lobster writes "For the second time in a month, Hewlett-Packard has been forced to admit it built secret backdoors into its enterprise storage products. The admission, in a security bulletin posted July 9, confirms reports from the blogger Technion, who flagged the security issue in HP's StoreOnce systems in June, before finding more backdoors in other HP storage and SAN products. The most recent statement from HP, following another warning from Technion, admitted that 'all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer.' While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules—not a limitation built in to limit use of backdoors. The entry points consist of a hidden administrator account with root access to StoreVirtual systems and software, and a separate copy of the LeftHand OS, the software that runs HP's StoreVirtual and HP P4000 products. Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would 'cripple the cluster,' according to information provided to The Register by an unnamed source. The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it's not hard to find: 'Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. 
Say hello to an administrative account you didn't know existed,' according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public."
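
A defender-side check for the account named in the summary, added here as an example and not part of the original story or of any HP tooling: it scans SSH authentication logs for activity on vendor support accounts and grades each event. It assumes the appliance's logs are forwarded in standard OpenSSH syslog format; the log lines, host name and approved jump-host address are constructed.

```python
import re

# Account name taken from the summary above; add other vendor service accounts you know of.
WATCHED_USERS = {"hpsupport"}
# Assumption: the only address from which an authorised support session may originate.
APPROVED_SOURCES = {"192.0.2.10"}

# Matches OpenSSH "Accepted/Failed <method> for [invalid user ]<user> from <ip> port <n>".
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def find_support_logins(lines):
    """Return (severity, user, source) for every event on a watched account."""
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m or m["user"].lower() not in WATCHED_USERS:
            continue
        if m["result"] == "Failed":
            severity = "probe"    # someone is trying the account name
        elif m["src"] in APPROVED_SOURCES:
            severity = "review"   # match against an open support ticket
        else:
            severity = "alert"    # successful login from an unexpected source
        findings.append((severity, m["user"], m["src"]))
    return findings


# Constructed sample log lines (documentation address ranges, made-up host name).
SAMPLE_LOG = [
    "Jul 12 03:14:07 d2d-01 sshd[2211]: Failed password for invalid user HPSupport from 203.0.113.44 port 50022 ssh2",
    "Jul 12 03:14:19 d2d-01 sshd[2213]: Accepted password for HPSupport from 203.0.113.44 port 50031 ssh2",
    "Jul 12 09:02:51 d2d-01 sshd[2290]: Accepted password for HPSupport from 192.0.2.10 port 41200 ssh2",
    "Jul 12 09:05:10 d2d-01 sshd[2295]: Accepted publickey for backupadmin from 192.0.2.25 port 41888 ssh2",
]

if __name__ == "__main__":
    for finding in find_support_logins(SAMPLE_LOG):
        print(finding)
```
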
  • by msobkow ( 48369 ) on Thursday July 11, 2013 @10:27PM (#44257739) Homepage Journal

    Pretty much every hardware/software stack combination that I ever encountered over 30+ years of programming had a "back door" admin account to allow the vendor to get into the systems to repair damage. This is nothing new.

    Yes, it's a security hole.

    But it's also standard practice and should come as no surprise to anyone.

  • by Anonymous Coward on Thursday July 11, 2013 @10:44PM (#44257849)

    IBM has, on midrange POWER systems, a service ID that has a constantly changing password. In case of loss of passwords and the like (mind you, passwords for the Service Processor, not the OS itself) you can call IBM and the CE will come, log in with the service ID and wait on the phone till Rochester tells him what the password for that machine at that time is.
    Neat system, if someone ever finds out how the key is computed it could be defeated but it's a lot harder than say, a hard coded password...
    DS4000 series System Storage DO have a hardcoded user/pass but the controller has rlogin turned off by default so unless you get to the cage and log in via serial cable it's safe...

  • by Anonymous Coward on Thursday July 11, 2013 @11:01PM (#44257965)

    On the system I worked on, there is a manufacturing mode that only someone with Admin privilege AND a manufacture mode password generator can enable. This means only HP support personnel can turn it on if the customer allows it.

    Once it is turned on, root access can be gained using a private key.
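
One way a per-machine, time-limited service password of the kind the two comments above describe (the changing service-ID password and the manufacturing-mode password generator) could be derived. This is an added example, not IBM's or HP's actual scheme: the HMAC construction, the one-hour window, the 12-character truncation and all key and serial values are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW = 3600  # assumed lifetime of one service password, in seconds


def device_key(master_key: bytes, serial: str) -> bytes:
    """Per-machine key. The vendor keeps master_key; a device stores only its own key."""
    return hmac.new(master_key, b"device|" + serial.encode(), hashlib.sha256).digest()


def service_password(dev_key: bytes, when: float, window: int = WINDOW) -> str:
    """Password for one machine in the time window that contains `when`."""
    counter = int(when // window).to_bytes(8, "big")
    return hmac.new(dev_key, counter, hashlib.sha256).hexdigest()[:12]


def verify(dev_key: bytes, candidate: str, now: float,
           window: int = WINDOW, skew: int = 1) -> bool:
    """Device-side check: accept the current window and `skew` windows either side."""
    ok = False
    for step in range(-skew, skew + 1):
        expected = service_password(dev_key, now + step * window, window)
        ok |= hmac.compare_digest(expected, candidate)  # constant-time comparison
    return ok


# Constructed demo values, not real keys or serial numbers.
MASTER = b"constructed-demo-master-key"
T0 = 1_373_600_000  # constructed timestamp (July 2013)


def demo():
    key_a = device_key(MASTER, "SERIAL-A")
    key_b = device_key(MASTER, "SERIAL-B")
    pw = service_password(key_a, T0)  # what the vendor would read out over the phone
    return {
        "same_machine_now": verify(key_a, pw, T0),
        "other_machine": verify(key_b, pw, T0),
        "same_machine_next_day": verify(key_a, pw, T0 + 86400),
    }


if __name__ == "__main__":
    print(demo())
```

Unlike a hard-coded password, a value leaked from one support call is useless on another machine or a day later, and a key extracted from one device does not yield the passwords of the rest of the fleet.
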

  • by Anonymous Coward on Thursday July 11, 2013 @11:17PM (#44258055)

    Pretty much every hardware/software stack combination that I ever encountered over 30+ years of programming had a "back door" admin account to allow the vendor to get into the systems to repair damage. This is nothing new.

    So trusting any vendor about any security is out of the question. Rolling your own stack is the only way to actually retain any control over your mission critical data.

    But it's also standard practice and should come as no surprise to anyone

    Or perhaps it is one of the "Seventeen Techniques for Truth Suppression" - 8. Dismiss the charges as "old news."

    http://cryptome.org/2012/07/gent-forum-spies.htm [cryptome.org]

  • by sjames ( 1099 ) on Friday July 12, 2013 @12:25AM (#44258415) Homepage Journal

    It is absolutely possible, and not at all a bad idea.

    When I have set servers up for remote support, I just add a script they can run to open a support tunnel to the phone home server. They can have it run on startup or they can run it on request (or refuse to run it, of course).

    On a custom build device like a NAS, the button would be easy enough.

  • Standard Practice (Score:5, Interesting)

    by HockeyPuck ( 141947 ) on Friday July 12, 2013 @02:24AM (#44258825)

    You people do realize that for *years* high end disk arrays shipped with *gasp* modems.

    So if a problem occurred the array could 'phone home', open a case, upload logs and tell the vendor a problem took place. Then the vendor could dial in, diagnose the problem and dispatch a CE with the replacement part.

    The techs accessing the arrays over the modems couldn't 'download' the customer data. Yes there were some companies that wouldn't allow the modem to be installed and would often have to sign very long legal documents basically saying that if a hardware failure happened and the vendor wasn't notified, the customer assumed responsibility.

  • Re:badg3r5 (Score:5, Interesting)

    by Inda ( 580031 ) <slash.20.inda@spamgourmet.com> on Friday July 12, 2013 @05:26AM (#44259403) Journal

    When I played with MD5 rainbow tables, probably 10-15 years ago, it was an interesting experience.

    I signed up to a website and was given a large block of passwords to crunch. I can't remember my block, but it was full of 7 character alpha-numeric passwords. There were some 6 character password blocks left to crunch, but 99% of them were complete.

    My P3 450 crunched them all weekend and beyond. In return, I was given complete access to the MD5 rainbow tables, through some forms on a website.

    It was a near-instant search.

    Assume that your 8 character passwords are fully hashed. All alpha-numeric passwords 7 characters and under were complete back then.

    Asking Google to search for hashes is also fun.
