Thousands of Publicly Accessible Printers Searchable On Google
Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."
But at least it keeps the major search engines from indexing your web-accessible device, which is where script kiddies and the malevolently ignorant will go to find strange machines to play with.
Just because Google says *about* 86,500 results doesn't mean that it's going to *actually* have that. You'd think someone who can search Google that well would know this. If you go to the end of the search query, it's 73 results.
Actually it is about 86,500 - the 73 results are considered unique, but when you "repeat the search with the omitted results included" at the end, it includes many, many more nodes.
The article leads the reader to believe that the VM running on HP LaserJet printers is an old version of Sun's -- now Oracle's -- JVM. That's not true. HP printers run ChaiVM, a clean-room implementation written based on the published specification. Moreover, HP has historically recommended that their customers NOT expose printers to the public Internet. The embedded web server is an administration tool, not a fully-fledged HTTP server, and was not designed to be used that way.
Disclaimer: Even though I work for HP and had access to the LJ firmware internals in the recent past, I'm NOT speaking on behalf of HP.
--- Signature? You must be kidding!