Slashdot Mirror
Thousands of Publicly Accessible Printers Searchable On Google
Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."
User-agent: *
Disallow: /
I work at a university and the faculty in the department I work for refuse to let us firewall public addresses due to some misplaced fear that it would limit them in some way.
We get attempted spam on an almost daily basis. I say attempted because I believe they are trying to print images (for an ad) and it doesn't work, only giving some code with a URI.
AC for obvious reasons.
As soon as a spammer figures out how to abuse it.
A little bit of scripting and you can goatse thousands all around the world...
C|N>K
I wonder if any of them are the older HP LaserJets where you could change the display to read funny things like "Insert Cheese" or "Low on Mayo"?
http://community.spiceworks.com/scripts/show/1184-change-a-networked-hp-laserjet-ready-message
http://miscellany.kovaya.com/2007/10/insert-coin.html
"Error: Out of Paper on Drive D:"
#fuckbeta #iamslashdot #dicemustdie
(GRIN) At one time, I had dial-in access to the Apple corporate network; back then AppleTalk and PAP were still supported. When I was having trouble getting an employee to answer his email, I'd just print the message to the printer in his office. That would usually get his or her attention.
thank god slashdot shed light on this horrible cyber-security loophole that could be exploited by hackers and terrorists! just one more reason why the internet needs to be regulated!
I saw a story not too long ago about someone accessing their neighbor's printer to print out messages to the neighbor, pretending the printer was somehow alive; starting with some gibberish it became words and then paragraphs of text.
But you wouldn't do that to any of these printers because (pulls down microphone hidden in lamp suspended from ceiling) that would be wrong!
Wait, the printers can run applets? What?
Wow! Somebody took an introduction to GoogleFu! This is not news.
I'm a little surprised that those devices wouldn't have been firewalled off by default or behind NAT routers. It'd be interesting to see why they ended up on the Internet.
You're Fired McFly.
...if these printers were somewhere they could reasonably replace a fax machine. But then, even fax machines are abused/spammed.
And it doesn't have to be deliberate. I supplied the department with a year's worth of scrap paper when I tried to print a postscript file to a laser printer. Something in the Windows-to-Appletalk software got munged and the text of the file got printed instead of the document.
Chaos maximizes locally around me.
My printer sits behind a firewall at the university where I work, and the only traffic that gets through to it is from a whitelist of IPs and specific ports and protocols. It's not exactly secure (no kidding!), but at least the google bot isn't going to find it. People will probably be too busy probing the zillions of network printers elsewhere on campus that don't even have that level of filtering. I remember when I first read the specs on this HP printer. "Web server? Really? They're really asking for trouble. No thank you." It's disabled in the firmware settings. Thank goodness that option was there.
I pity the people who's printers show up on the first page of Google results.
Excuse my ignorance, but how does this happen? Big companies have firewalls and NAT, and everyday people have wi-fi routers and NAT. What sort of people have big swarths of IP address space, but no clue how to manage it?
As usual google lies. You can only access the first 1000 results from any query so they can put what they want in that box in this instance there are really only 73....
https://www.google.co.uk/search?q=inurl%3Ahp%2Fdevice%2Fthis.LCDispatcher&oq=inurl%3Ahp%2Fdevice%2Fthis.LCDispatcher&sourceid=chrome&ie=UTF-8#q=inurl:hp/device/this.LCDispatcher%3Fnav%3Dhp.Print&hl=en&safe=off&tbo=d&ei=DvcCUeCAPeiq0AWc2IGYBg&start=70&sa=N&filter=0&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.&fp=a0b2ec51e8be5bd5&biw=1120&bih=607
Yes, it needs someone to write a legal document that says that if you put it on the Internet, people can use it any way they can if you don't disallow them to do so in the thing itself. Ts&Cs don't disallow anybody anything on the Internet.
Second, another legal document should says that when somebody sends you an email telling you that your system is full of wholes, you either fix them, or you lose your right to sue any hackers that wonder around and that you could positively identify.
In market terms, that means that if Adobe and MS put 0-days on the backburner for years, people will be very vocal about it. Some things aren't protectable by iptables.
So now we've slashdotted printers. Good job guys.
First Post
Gotta love unsecured, web-facing peripherals.
Personally, I prefer searching for IP cameras
An enigma, wrapped in a riddle, shrouded in bacon and cheese
...in print.
a subdomain to mit.edu is open, you can even upload firmware
See Praeda - printer security project: http://www.foofus.net/?page_id=218
The number of small companies dwarf big companies. While a big company could potentially have a few of these in the open, they're much more likely to have the resources to have someone competent running the network. A typical small business (under 20 employees) will not have the resources to secure their network and will likely be oblivious to the exposure.
That doesn't address how they were able to access it. Yeah, we got it, small companies don't have the "resources" to have a secure network, but many of these routers and whatnot are defaulted to no let anyone come in.
I have a NAT router (wrt54g) and I put an HP printer on my network plugged into that router with all the default security setting in place.
How would they see this with their "cleverly crafted" google search?
If so, then exactly what am I doing wrong?
Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.
Mad Software: Rantings on Developing So
Considering how are going laws in US, you could end facing years of jail for each page you send to any of those printers. And you could be the one picked to serve as an example for others.
Do any of these web interfaces allow you to retrieve queued or recently printed documents? That would add a whole other layer to this particular security breach...
I can't wait for networked 3D printers to become commonplace. See also: http://www.smbc-comics.com/index.php?db=comics&id=2851
Yes, the search page say 86,700 results, or whatever. But you only get 13 results, and then the:
...
... nothing to see here, at all. Bullsh*t.
"In order to show you the most relevant results, we have omitted some entries very similar to the 13 already displayed. If you like, you can repeat the search with the omitted results included."
Asking for omitted results gives you a grand total of 73 results, no matter WHAT the top of the results page says
So
I don't know about current HP printers, I do remember using the nice ftp server on them in the past..
Second rule of Internet Club, no connections directly from the Internet to your Intranet.
this could basically be used to do a PAP smear?
Fond memories of starting a print job on one side of campus, and walking to the other in time for it to be done, then hanging with friends knowing that my paper was printed and I could party for the night. The only real problem was making sure I didn't drink too much and leave the paper at their place on the way home, or drop it.
The following story is probably fabricated based on the reputation of the person who told it, but here goes. Allegedly back in the 80s he was hacking into dial-up stuff, and found a device that printed out credit cards or something. He couldn't actually get it to send him a card, but he could program the printer to do nothing but print cards. He did this over the weekend, and when they came in on Monday the machine had printed enough cards to block a door. In retrospect, I think the limiting factor on this is that the machine wouldn't have had such an enormous hopper of blank card stock. Most likely, if there is any basis in fact at all it's that he ran out one roll of blank cards and made a little pile before they figured it out.
1 page word doc in raw = 1 ream of paper.
Printers have been on google for ages. They come and go, but this article might just change that. I first stumbled upon them in 2004 when browsing results for "site:nd.edu". Notre Dame wasn't too careful then. Anyways, I not get 13 results for the search in the original blog post. Down a little from 86k, I think.
expletives welcomed
Blocked by URL Filter Database
Your requested URL has been blocked by the McAfee Web Gateway URL Filter database module.
The URL is listed in categories that are not allowed by your administrator at this time.
URL: http://port3000.co.uk/google-has-indexed-thousands-of-publicly-acce
URL Categories: Pornography
Reputation: Unverified
Media Type:
And I use these open web interfaces all the time to help guide dumb ass engineers how to fix things over the phone.
The first time I spotted an MFP on the internet I did send a print job letting them know that they should probably fix it (I did check the machine was in a English speaking country first!) But I no longer bother any more.
This seems more like HP's fault rather than Google's.
Here's an article from as far back as 2007
http://www.bloggingwv.com/print-around-the-world/
Perhaps, these thousands of printers (thousands? thats it?) are out there on purpose because people WANT others to be able to send them printouts? Perhaps, they just want something like email, but that they can read offline?
Perhaps its a way of collecting reading material? I think the smart thing to do is to go with that assumption and send them something to read.
"I opened my eyes, and everything went dark again"
inurl:hp/device/this.LCDispatcher Search that instead. You get a lot more results, and the ones that have, "eventlog" somewhere have a link in the page taking you to a print option.
The article leads the reader to believe that the VM running on HP LaserJet printer is an old version of Sun's -- now Oracle -- JVM. That's no true. HP Printers run ChaiVM, a clean-room implementation written based on the published specification. Moreover HP has historically recommended their customers to NOT expose printers to the public Internet. The embedded web server is an administration tool, not a fully-fledged HTTP server, and was not designed to be used that way.
Disclaimer: Even though I work for HP and had access to the LJ firmware internals in the recent past, I'm NOT speaking on behalf of HP.
--- Signature? You must be kidding!
There was a web hosted anime based around that idea called "Platonic Chain" about teenage girls using a range of exploits on IP cameras and other information that had been handily aggregated for them. It's short very low budget episodes from 2003 but really nails some implications of the coming goldfish bowl if we have a lot of wide open private information sources and amoral teens can get to them.
Nothing new here, I have been fiddling with this for years. Go to your printers web page, cut some text and paste it into Google and have fun.
..are old
If you click to the next page of results, google corrects its estimate to read
" Page 2 of 13 results (0.13 seconds)"
Alhough it does admit
"In order to show you the most relevant results, we have omitted some entries very similar to the 13 already displayed.
If you like, you can repeat the search with the omitted results included."
If you choose to show the omitted results, and click through the pages, you get to the 8th page, which indicates:
"Page 8 of 72 results (0.12 seconds)"
Still nowhere near 86,000
And while I'm sure the owners of those 72 printers might want to take some steps to secure them, its hardly the huge problem that "86000 results" would suggest.
I submitted this flaw to Slashdot in late 2011 (with a one word search term I believe!) and it never appeared in any story. I did post up about the story rejection on OSNews a few months later.
If I could find out how to search for old Slashdot submissions I would do, but I can't see anything in my Slashdot account settings/profile that lets me see all the atempted submissions I made.
The article focuses on a single model line that, as you describe, should not be exposed to the internet.
But, more recently, HP and others have flooded the market with AirPrint and CloudPrint machines that are explicitly intended to allow internet printing. I know that the cloudy services are supposed to be protected, at least by a password, but how long before that entire class of printers is exposed due to some bug or other issue.
I'm still completely failing to understand the need or desire to print over the internet. Even if these things remain secure from script kiddies, the idea of these corporations monitoring, possibly in detail, everything that I print is a privacy/security nightmare.
Who has real need for that shit?
This article seems to focus on spreading FUD about HP printers. The truth is that most network-enabled printers have similar web interfaces and system administrators need to be diligent about securing them if they are going to attach them to a network. This is nothing new and it's not specific to HP in any way. Most any printer with a web interface, including many (all?) of the ones showing up in that Google search, offer mechanisms to require a password to access them. They also usually offer SSL to protect the passwords from packet sniffing, but a good systems administrator should not even allow their printers to be visible beyond their firewall. If they merely spent the time to set a password on the web interface, then Google would not index them. The link to the web listener is merely the documentation on configuring the network settings for an HP JetDirect printer. You'll find something similar for Brother, Canon, Epson, Ricoh, etc. The last link about an unpatched JVM is complete misinformation. The link points to an article about Java's latest vulnerability being patched, but I've searched online and can find no evidence that any HP printers actually run Java. The best I can determine is that they are referring to the HP LaserJet Toolbox which is an embedded Java Applet on some web interfaces for LaserJets. There is no need to update the firmware on your HP printer for this. The security vulnerability there would be in a JVM running on the computer that you are using, not the printer, and that JVM is fully upgrade-able and can even be removed if your concerned about Java. The only real news here is just how many system administrators have left their printers exposed to the Internet without a firewall, and, on top of that, have not bothered with even basic security on their devices like setting a password on the web interface and mandating HTTPS to secure their printers.
This article seems to focus on spreading FUD about HP printers. The truth is that most network-enabled printers have similar web interfaces and system administrators need to be diligent about securing them if they are going to attach them to a network. This is nothing new and it's not specific to HP in any way. Most any printer with a web interface, including many (all?) of the ones showing up in that Google search, offer mechanisms to require a password to access them. They also usually offer SSL to protect the passwords from packet sniffing, but a good systems administrator should not even allow their printers to be visible beyond their firewall. If they merely spent the time to set a password on the web interface, then Google would not index them.
The link to the web listener is merely the documentation on configuring the network settings for an HP JetDirect printer. You'll find something similar for Brother, Canon, Epson, Ricoh, etc. The last link about an unpatched JVM is complete misinformation. The link points to an article about Java's latest vulnerability being patched, but I've searched online and can find no evidence that any HP printers actually run Java. The best I can determine is that they are referring to the HP LaserJet Toolbox which is an embedded Java Applet on some web interfaces for LaserJets. There is no need to update the firmware on your HP printer for this. The security vulnerability there would be in a JVM running on the computer that you are using, not the printer, and that JVM is fully upgrade-able and can even be removed if your concerned about Java.
The only real news here is just how many system administrators have left their printers exposed to the Internet without a firewall, and, on top of that, have not bothered with even basic security on their devices like setting a password on the web interface and mandating HTTPS to secure their printers.