July 16, 2013

HP Builds Backdoors into Storage Products… Always a Bad Thing?

In what should come as a surprise to just about nobody, Hewlett-Packardrevealed on July 9th that their StoreVirtual Storage products contain hidden administrator accounts with root access that can be used by HP support to access the operating system. The account exists “to help customers resolve complex support issues”. Thankfully, HP claims, the account isn’t able to access data stored on the machine. But an unnamed source told The Register that the account is capable of rebooting specific cluster nodes and resetting the hardware to factory defaults. Oh, that’s much better.

The idea of vendor backdoors is nothing new, and it should come as no surprise to anyone familiar with HP’s history of building them into everything from laptops to enterprise storage products. And nobody should be pretending that HP is the only vendor who has them.

I don’t think vendor backdoors are an inherently evil or terrible idea. They could be used to save data on a system that’s otherwise become inaccessible (through hardware or software fault), or to regain control of a compromised system. The problem isn’t necessarily that these accounts exist, but in the way these backdoor features are or are not communicated to owners of the products which contain them.

First of all, I feel that vendors have a responsibility to disclose to administrators that such backdoors exist. As someone who is responsible for the security of a system, you need to be capable of defending every possible attack vector. No matter how secure the vendor claims the backdoor is, if the administrator doesn’t even know it exists, they’re not going to be capable of defending it against attacks.

Second, they need to be properly secured. Reports coming in show that even though a challenge-response method is used by HP to authenticate to the backdoor account, the passwords generated are wholly insecure (an example password was 7 characters long and contained only numbers and lowercase letters).

Lastly, administrators should have the option to completely disable such features, or vendors could offer versions of the same product that don’t contain them at all. Disabling a backdoor does present its own risks–namely the inability of the administrator or the vendor to access a device if it’s been compromised or damaged, and as security-minded individuals we often have to weigh the benefits of certain features with the potential downsides of disabling them. But that decision should ultimately be in the hands of the administrator, not the vendor whose products they’ve decided to use.