HP built back doors into its storage products

Expensive printer ink venture HP has been forced to admit it built secret backdoors into its enterprise storage products.

The confession follows reports from Technion. The security problem was found in HP’s StoreOnce systems in June before it emerged there were more backdoors in other HP storage and SAN products.

According to HP: “all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer”.

In other words, HP claims that the back doors are usable only with permission of the customer.

The announcement, coming as it does on the back of the Prism scandal in the US, is raising eyebrows – with good reason. After all, if the NSA knows that HP has backdoors in its server, it could use a secret court order to demand access.

An HP cloud executive told TechEye last month that there was already a corporate understanding of these privacy questions before the Prism revelations.

“There’s not much you can do if a government has access to your data and is being provided legally, or illegally, depending on the country you’re in, with access via your service providers,” Steve Dietch, VP, worldwide cloud at HP, said.

The entry points consist of a hidden administrator account with root access to StoreVirtual systems and software, and a separate copy of the LeftHand OS, the software that runs HP’s StoreVirtual and HP P4000 products.

But HP points out that even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines. The account could, however, be used to cripple the storage cluster.

A danger is that a business rival could find one of the backdoors and use it as a kind of corporate sabotage.

The backdoor was easy to find. All you have to do is open an SSH client and key in the IP of an HP D2D unit. Enter the username HPSupport and the password, which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn’t know existed and your father’s brother was someone called Robert.

Technion attempted to notify HP for weeks with no result before deciding to go public.

The hash hiding the login “is easily brute-forced”, and this has been done at least 55 times.

HP has said that it will issue a patch by 17 July.
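For administrators who want to know whether the HPSupport account described above has been used over SSH on their units, the following is an added example, not code from HP or Technion. It assumes the device's SSH authentication events are available in standard OpenSSH syslog wording (for instance on a central log collector); the log lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Account name reported in the article; compared case-insensitively.
WATCHED_USER = "hpsupport"

# Assumption: standard OpenSSH syslog wording for password authentication results.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log (documentation-range addresses, invented hostnames).
SAMPLE_LOG = """\
Jun 25 09:14:02 d2d-01 sshd[4121]: Failed password for HPSupport from 198.51.100.23 port 50211 ssh2
Jun 25 09:14:09 d2d-01 sshd[4121]: Failed password for HPSupport from 198.51.100.23 port 50211 ssh2
Jun 25 09:15:40 d2d-01 sshd[4130]: Accepted password for admin from 192.0.2.10 port 51000 ssh2
Jun 25 09:16:31 d2d-01 sshd[4144]: Accepted password for HPSupport from 198.51.100.23 port 50390 ssh2
Jun 25 11:02:17 d2d-02 sshd[977]: Failed password for invalid user hpsupport from 203.0.113.7 port 40022 ssh2
Jun 25 11:30:00 d2d-02 sshd[990]: Accepted publickey for backup from 192.0.2.11 port 40100 ssh2
"""


def find_support_logins(log_text, user=WATCHED_USER):
    """Return {source_ip: {"Accepted": n, "Failed": n}} for the watched account."""
    hits = defaultdict(lambda: {"Accepted": 0, "Failed": 0})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group("user").lower() == user:
            hits[m.group("src")][m.group("result")] += 1
    return dict(hits)


def triage(hits):
    """Order sources: successful logins first, then by number of failures."""
    return sorted(hits.items(),
                  key=lambda kv: (-kv[1]["Accepted"], -kv[1]["Failed"]))


if __name__ == "__main__":
    for src, counts in triage(find_support_logins(SAMPLE_LOG)):
        level = "ALERT" if counts["Accepted"] else "warn"
        print(f"{level}: {src} accepted={counts['Accepted']} "
              f"failed={counts['Failed']}")
```

Any accepted login for this account that does not line up with a support session the customer agreed to is the event to investigate.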