Posted by: Sharon Fisher
If you — or, more likely, your boss — are having conniptions about the alleged Seekrit Backdoors in HP storage hardware, you can relax. Sort of. On the other hand, you may have a bigger problem.
To recap — a blogger discovered an administrative account with an easily-guessed password in HP’s StoreOnce storage hardware. HP has reportedly done this before, in other hardware. In response, a number of publications have leapt to claim that “HP is putting back doors into its equipment!”
Part of the problem is the whole term “back door,” which implies something nefarious the vendor put in on purpose to be able to have access to the data on the system. And that’s not what this is. If HP is “guilty” of anything, it’s guilty of something a whole lot of vendors also do: putting in a set of administrative logins, default passwords, or features — typically to allow the administrator, or the vendor, or the support organization, to recover the system from some sort of user screwup. It happens with all sorts of networking hardware, not just storage, and certainly not just HP.
It’s like the way I left a spare house key in the freezer in my garage. If I was stupid and locked myself out, it was a way to get in without having to call a locksmith or break a window.
Now, if burglars found out I did this, that would be bad, because they could all go fishing around in the freezer and find my spare key. Similarly, what makes this issue a problem in computers is when it becomes known that, psst, all of the boxes from Vendor Y ship with an account called “admin” and a default password of “password.” That makes it a security vulnerability, because, you know, this doesn’t always get changed the way it should and, you know, hackers share this sort of information with each other. Then we have a problem.
One of the standard things administrators are supposed to do when they get in a new piece of equipment is to look for these standard admin accounts, and either get rid of them, change the default password they ship with, or whatever. A lot of these details get documented, either in the manual or on the support forums.
Sadly, not every administrator reads the manual and does research on what vulnerabilities are baked into a new piece of equipment. This is why, every few months, there’s a new warning about this kind of thing. This time, it just happened to be storage hardware, and from HP.
As recently as late June, the Computer Emergency Response Team (CERT) issued a warning about default passwords in new equipment. Chances are, before the year is out, there’ll be yet another incident based on the fact that administrators don’t always do the work they should before they connect the new hardware to the network. It’s just one of those Things.
And it’s been going on a long time. If you read any of the “Eek! HP Backdoor!” articles, check out the comments, where the graybeards are rolling their eyes and patiently pointing out all the other systems that have built-in admin accounts and default passwords.
Yes, it’s an issue, but not just for HP, and not just for storage hardware. So go check your equipment — all of it — read the manuals, and make sure all the default passwords are changed, and you can tell your boss you’ve taken care of all the scary “back doors.”
Incidentally, I have a new place to stash my spare house key.