Slashdot Mirror


Thousands of Publicly Accessible Printers Searchable On Google

Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."

54 of 192 comments

  1. First rule of embedded web servers by WaffleMonster · · Score: 4, Insightful

    User-agent: *
    Disallow: /

    1. Re:First rule of embedded web servers by countach · · Score: 3, Insightful

      I think the point is, at least it wouldn't be advertised on Google.

    2. Re:First rule of embedded web servers by SJHillman · · Score: 5, Informative

      But at least it keeps the major search engines from indexing your web-accessible device, which is where script kiddies and the malevolently ignorant will go to find strange machines to play with.

    3. Re:First rule of embedded web servers by Jeremiah+Cornelius · · Score: 3, Informative

      There is a way to upload new printer firmware - usually protected with default administrator credentials. First, set the printer's TCP settings to point to YOUR own DNS host.... :-)

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  2. This will stop quickly by Arancaytar · · Score: 3, Insightful

    As soon as a spammer figures out how to abuse it.

    1. Re:This will stop quickly by hduff · · Score: 3, Informative

      .....or 4chan.

      I'm waiting for the LULZ.

      --
      "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    2. Re:This will stop quickly by Anonymous Coward · · Score: 2, Insightful

      This may fall under the junk fax laws, USCC 18 paragraph 2701. Unlike that nightmare of deliberately overriding state law with federal law that planted "SPAM ME" on the backside of every email user in the US, the old junk fax law actually had teeth in it because it was costing every fax-owning *business* money and time as their fax machines were run out of paper and toner constantly with all the junk fax. So it's a fairly robust law which might include this as electronic communications to a fax/printer/copier machine in most offices.

    3. Re:This will stop quickly by Frontier+Owner · · Score: 2

      kinda like how quickly fax machine spam stopped?

    4. Re:This will stop quickly by Lumpy · · Score: 2

      0.01%? That is a rip off! Refinance now and get -0.25% that's right you will gain money! Don't pay your mortgage! WE PAY YOU!

      --
      Do not look at laser with remaining good eye.
  3. Imagine... by inode_buddha · · Score: 4, Insightful

    A little bit of scripting and you can goatse thousands all around the world...

    --
    C|N>K
    1. Re:Imagine... by t3hfr3ak · · Score: 3, Informative

      Well, some states persecute for sharing offensive material over the internet. I'm sure the courts will say this falls into the category.

    2. Re:Imagine... by Splab · · Score: 4, Funny

      Since you are abusing their equipment, you are probably going to be up for all sorts of fun unlawful computer acts.

      And if you are going to prank them, send the "You're fired" from back to the future...

    3. Re:Imagine... by tripleevenfall · · Score: 2, Insightful

      You'd be in heap big trouble if a child picked up the printout, I think.

    4. Re:Imagine... by black3d · · Score: 4, Interesting

      Back in the early days of the web when I used to port-sniff for fun, I discovered an FTP enabled printer with an upload to print function so threw "The Complete Works of William Shakespeare" up into it to see what happened. Of course, the file disappeared after a few minutes so I really have no idea, but to this day I wonder if I perhaps unfortunately used up someone's paper. :\

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    5. Re:Imagine... by Kaenneth · · Score: 2

      So, you only visit website for which you have a written invitation?

      As a business, if your front door is open, it's an invitation to come in and browse.

    6. Re:Imagine... by Anonymous Coward · · Score: 5, Funny

      You Sir are a knave; a rascal; an eater of broken meats; base, proud, shallow, beggarly, three-suited, hundred-pound, filthy, worsted-stocking knave; a lily-livered, action-taking knave, a whoreson, glass-gazing, super-serviceable finical rogue; one-trunk-inheriting slave; one that wouldst be a bawd, in way of good service, and art nothing but the composition of a knave, beggar, coward, pandar, and the son and heir of a mongrel bitch: one whom I will beat into clamorous whining, if thou deniest the least syllable of thy addition.

    7. Re:Imagine... by dbIII · · Score: 2

      If the printers are simple JetDirect boxes

      That reminds me of the time I found out a simple nmap portscan kills one model of JetDirect network to parallel boxes. Not just factory reset button dead, but replace an eprom or something similar at a HP repair centre dead. Since those things are so fragile and so wide open that you can actually kill them over a network without even trying I'm not surprised that other HP crap has no consideration of security.

    8. Re:Imagine... by BitZtream · · Score: 3, Informative

      Yes, unauthorized access of pretty much anything is illegal, WTF makes you think it wouldn't be anyway?

      However, specifically, unauthorized access of a computer or telecommunications equipment is most certainly covered under several federal laws.

      Unauthorized access means 'doing anything they didn't want you to do, specifically stated in advance or otherwise.', so pretty much anytime you touch any computer without permission in any way, it's covered.

      That doesn't consider any pornography or offensive content standards and a crapton of other laws.

      I'm just curious as to why you wouldn't instinctively know this is covered in about a billion different ways. Are you 12? Do you still think some silly little 'well they didn't say THAT' kind of thing is a legal loophole?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  4. Insert Cheese by fluffy99 · · Score: 5, Funny

    I wonder if any of them are the older HP LaserJets where you could change the display to read funny things like "Insert Cheese" or "Low on Mayo"?
    http://community.spiceworks.com/scripts/show/1184-change-a-networked-hp-laserjet-ready-message
    http://miscellany.kovaya.com/2007/10/insert-coin.html

    1. Re:Insert Cheese by spongman · · Score: 2

      "pc load letter" ?

    2. Re:Insert Cheese by Fallingcow · · Score: 3, Funny

      "lp0 on fire"

    3. Re:Insert Cheese by JamesTRexx · · Score: 4, Interesting

      Did this at the previous company I worked for as a 1st of April joke. Nobody had any clue as to how I did that. *lmao*

      Or maybe I should have been worried about why nobody had the knowledge about these exploits...

      --
      home
    4. Re:Insert Cheese by Laebshade · · Score: 5, Funny


      % cd projects/pevil
      % cat pevil
      #!/usr/bin/perl

      use warnings;
      use strict;
      use 5.014;
      use Printer::HP::Display;

      my $printer_ip = "172.30.20.129";
      my $printer = Printer::HP::Display->new($printer_ip);

      my ($text) = @ARGV;
      my $message = "I'm sorry Dave, I can't print that.";
      $message = $text if defined $text;

      $printer->set_display($message);
      say $printer->get_display;

    5. Re:Insert Cheese by Nimey · · Score: 4, Funny

      I did that to my old department head's printer a few years ago. I think it was asking for $0.25 to be inserted for a few weeks before he asked me to fix it.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    6. Re:Insert Cheese by Lehk228 · · Score: 4, Funny

      I would love to do that, but the knuckleheads I work with would end up jamming quarters into the vents on the printer

      --
      Snowden and Manning are heroes.
    7. Re:Insert Cheese by suutar · · Score: 2

      so install a small net, and you have soda money for years :)

  5. Error by girlintraining · · Score: 2

    "Error: Out of Paper on Drive D:"

    --
    #fuckbeta #iamslashdot #dicemustdie
  6. Very useful by scotts13 · · Score: 5, Funny

    (GRIN) At one time, I had dial-in access to the Apple corporate network; back then AppleTalk and PAP were still supported. When I was having trouble getting an employee to answer his email, I'd just print the message to the printer in his office. That would usually get his or her attention.

  7. Help! I'm trapped in here! by Anonymous Coward · · Score: 3, Funny

    I saw a story not too long ago about someone accessing their neighbor's printer to print out messages to the neighbor, pretending the printer was somehow alive; starting with some gibberish it became words and then paragraphs of text.

    But you wouldn't do that to any of these printers because (pulls down microphone hidden in lamp suspended from ceiling) that would be wrong!

  8. First page of Google results by jfdavis668 · · Score: 4, Funny

    I pity the people whose printers show up on the first page of Google results.

    1. Re:First page of Google results by Jstlook · · Score: 2

      That gets us up to 8 google pages of unsecured printers. I don't think my settings are at 10k sites per page ... I could be wrong though.

      --
      ---jstlook ---For that is the way of Elves, for they say both yes AND no, and mean every word of it. --- J.R.R.T.
    2. Re:First page of Google results by antdude · · Score: 2

      Mr. T, is that you?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  9. How did this happen? by countach · · Score: 5, Interesting

    Excuse my ignorance, but how does this happen? Big companies have firewalls and NAT, and everyday people have wi-fi routers and NAT. What sort of people have big swaths of IP address space, but no clue how to manage it?

    1. Re:How did this happen? by QuadEddie · · Score: 2, Insightful

      The number of small companies dwarf big companies. While a big company could potentially have a few of these in the open, they're much more likely to have the resources to have someone competent running the network. A typical small business (under 20 employees) will not have the resources to secure their network and will likely be oblivious to the exposure.

    2. Re:How did this happen? by Charliemopps · · Score: 3, Funny

      Jimmy: So how's the new real estate agency dad said you started?
      Uncle Jim: The whole office is a mess. We've got a bunch of computers, and we got one of those box things to connect them all together at walmart... But it only has 10 plugins and now we've got this new printer...
      Jimmy: Uh... I think we can just get a bunch of old network cards, put them in that computer in the basement and install linux on it...
      Uncle Jim: Is Linux secure?
      Jimmy: It's the best. I think Nasa uses it.
      Uncle Jim: Wow, this is great that was going to cost me Twenty...er... hey I'll give you $10 an hour to do it.
      Jimmy: Really? Awesome... *starts doing wikipedia searches for linux*

    3. Re:How did this happen? by black3d · · Score: 3, Insightful

      Worse, the "cheap" guys frequently intentionally disable router-based firewalls and DMZ the entire internal network so they can "troubleshoot" remotely having to use only RDP, because they have no experience or knowledge of appropriate secure methods of remote troubleshooting.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    4. Re:How did this happen? by Changa_MC · · Score: 5, Interesting

      I have 1024 public IPs, and I'm the only one who does anything with them: we won't have a network person until the hiring freeze is lifted (read: never).
      There was no NAT here, because that's not part of the IPv4 specs, and didn't even exist when this place was set up.

      I've set up basic NAT, my wireless users are on it, and a few desktops, but I can't move everyone onto it because some directors like to print from home to work, and some people require access to a router-to-router VPN to another site that only works if you have a public IP address. I'd love to get a better handle on how access tables on these routers work, but if I did that I'd have to take time away from my day job, and really who wants to get yelled at for working harder?

      I have no idea what I'm doing, but I can put anything I want on a public IP because there's literally no-one more knowledgeable to stop me. And I'm not gonna touch those printers because they're on a different subnet from my servers now, so screw it, they're literally not my job to secure.

      They've been like that for 20+ years, how bad can it be?

      --
      Changa hates change.
    5. Re:How did this happen? by profplump · · Score: 3, Insightful

      My DHCP is configured to hand out "public" addresses. Even over WiFi. Is there some reason it shouldn't be?

      The idea that NAT is the way things should work is ridiculous -- it makes networking harder in about 25 different ways, makes the Internet a provider-consumer system instead of a peer-to-peer system, and it provides no "protection" beyond what you'd get from any other stateful firewall.

    6. Re:How did this happen? by Charliemopps · · Score: 2

      Exactly, I work for a multi-billion dollar company and we have finance reports that are produced then exported to excel files because that's all the directors know how to use. They then make pivot tables or simple formulas on them, often incorrectly and our entire business's numbers are based on that shit. Simple things like the "average" function that treats NULL as 0... completely hoses what they think are valid numbers. Even when you show them the damned function in the help menu and it explicitly explains this they refuse to believe anything's wrong. The numbers have always worked before right? All businesses are full of this kind of shit. If it doesn't appear to be broken, don't fix it.

    7. Re:How did this happen? by SourceFrog · · Score: 2

      it provides no "protection" beyond what you'd get from any other stateful firewall.

      Yes, because no stateful firewalls have had any vulnerabilities in them ever.

      I agree with all your other points, and think it's high time for NAT to just die already, for a whole host of reasons - but let's be honest, one thing it does do is indeed add one small layer of extra security ... "NAT plus stateful firewall" cannot be less secure than "same stateful firewall on its own".

      --
      My other UID is three digits.
  10. Google + inurl: == FUN! by CanHasDIY · · Score: 2

    Gotta love unsecured, web-facing peripherals.


    Personally, I prefer searching for IP cameras

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  11. Not thousands, more like 73 by Mr.+McGibby · · Score: 3, Informative

    Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.

    --
    Mad Software: Rantings on Developing So
    1. Re:Not thousands, more like 73 by Anonymous Coward · · Score: 4, Informative

      Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.

      actually it is about 86,500 - the 73 results are considered unique, but when you "repeat the search with the omitted results included" at the end, it includes many, many more nodes.

    2. Re: Not thousands, more like 73 by Mr.+McGibby · · Score: 2

      No, those are the actual number of results. 86500 is an estimate that Google comes up with so it doesn't have to figure out the exact number on the first page. If you include the omitted results then you get 73 unique results.

      --
      Mad Software: Rantings on Developing So
  12. 3D by WrecklessSandwich · · Score: 3, Interesting

    I can't wait for networked 3D printers to become commonplace. See also: http://www.smbc-comics.com/index.php?db=comics&id=2851

  13. I work in the photocopy industry... by Anonymous Coward · · Score: 2, Informative

    And I use these open web interfaces all the time to help guide dumb ass engineers how to fix things over the phone.

    The first time I spotted an MFP on the internet I did send a print job letting them know that they should probably fix it (I did check the machine was in an English speaking country first!) But I no longer bother any more.

  14. Google's fault? by technomom · · Score: 2

    This seems more like HP's fault rather than Google's.

  15. Apparently not new. by cswiii · · Score: 2

    Here's an article from as far back as 2007

    http://www.bloggingwv.com/print-around-the-world/

  16. Re:Fond memories... by cusco · · Score: 2

    I used to print cards for AAA, they came on fan-fold paper and fed through an enormous monstrosity of a printer, quite literally 4 feet tall, 3 feet wide and 7 or 8 feet long. You could start a print job and by the end of a box of cards an hour later the server room would go from quite cool to really warm. Let the AC catch up for an hour or so and start again and it would go through most of the next box. My predecessor didn't wait between boxes one time and the phone system started alarming because it was over 90 degrees.

    Yeah, the story's probably not true, but if the ends of one box of paper were taped to the start of the next box (a common practice with fan fold printers) he certainly could have destroyed some hardware.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  17. Re:already used for spam... by Scarletdown · · Score: 4, Funny

    Balls do not pay the rent.

    I suppose that depends on what you do for a living.

    --
    This space unintentionally left blank.
  18. HP Printers don't run Oracle's (Sun) JVM by MythicalMan · · Score: 4, Informative

    The article leads the reader to believe that the VM running on HP LaserJet printer is an old version of Sun's -- now Oracle -- JVM. That's not true. HP Printers run ChaiVM, a clean-room implementation written based on the published specification. Moreover HP has historically recommended their customers to NOT expose printers to the public Internet. The embedded web server is an administration tool, not a fully-fledged HTTP server, and was not designed to be used that way.

    Disclaimer: Even though I work for HP and had access to the LJ firmware internals in the recent past, I'm NOT speaking on behalf of HP.

    --
    --- Signature? You must be kidding!
  19. Re:already used for spam... by guacamole · · Score: 2

    I used to work at a university too. I was aware of security issues with printers as far back as year 2000. One shocking thing is that, not only the printer and web ports are wide open, a lot of people do not even bother to set a telnet password on them.

    There are a few half baked solutions. Most printers out there have rudimentary access control capability. I have had experience with HP printers. All of them allowed me to control access by subnet number. Also, if you know that no one needs to access a printer from outside of the subnet, then leave the default gateway setting blank or 0.0.0.0. This is not perfect, but at least you know that a random web surfer from Mongolia will not stumble upon your printer's web interface.
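The two controls the comment describes (a subnet-based allow list on the printer, and leaving the default gateway blank so the printer cannot route replies off its own LAN) can be modelled to see why each one helps and where the comment's "not perfect" caveat comes from. This is an added example, not code from the poster or from any HP firmware; the printer address, mask and allowed subnets are constructed (TEST-NET ranges), and the allow-list semantics are an assumption modelled on the comment's description of "control access by subnet number".

```python
import ipaddress

# Constructed: a printer on its own LAN, configured as the comment suggests.
PRINTER_IFACE = ipaddress.ip_interface("192.0.2.40/24")   # assumed address + mask
ALLOWED_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed ACL: own LAN only
ALLOW_ANY = [ipaddress.ip_network("0.0.0.0/0")]           # the "no ACL configured" case


def acl_permits(src, allowed=ALLOWED_SUBNETS):
    """Subnet-based access control (assumed semantics): a request is accepted
    only when its source address falls inside one of the allowed subnets."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def reply_deliverable(src, iface=PRINTER_IFACE, default_gateway=None):
    """With the default gateway left blank, the printer can only deliver
    packets to hosts on its own link. A TCP handshake from anywhere else can
    never complete, because the SYN-ACK has no route back to the client."""
    addr = ipaddress.ip_address(src)
    if addr in iface.network:
        return True
    return default_gateway is not None


def evaluate(src, allowed=ALLOWED_SUBNETS, default_gateway=None):
    """Apply both controls in order and return a verdict string.

    Caveat (the comment's "not perfect"): both checks key off the source IP,
    so anything already on the printer's LAN, or able to present an address
    in the allowed range, passes. They stop the random web surfer, not an
    insider or an attacker with a foothold on the same segment."""
    if not acl_permits(src, allowed):
        return "denied by ACL"
    if not reply_deliverable(src, default_gateway=default_gateway):
        return "unreachable (no route back)"
    return "allowed"


if __name__ == "__main__":
    # Constructed sample sources: one on the LAN, two from elsewhere.
    for src in ("192.0.2.77", "198.51.100.9", "203.0.113.5"):
        print(f"{src:>14}: ACL only      -> {evaluate(src, default_gateway='192.0.2.1')}")
        print(f"{src:>14}: no gateway    -> {evaluate(src, ALLOW_ANY)}")
        print(f"{src:>14}: both controls -> {evaluate(src)}")
```

Either control on its own blocks the off-subnet case in this model; the value of combining them is that the blank gateway still holds if someone later widens or clears the ACL, and the ACL still holds if someone later fills in a gateway so a director can print from home.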

  20. Re:already used for spam... by Anonymous Coward · · Score: 2, Interesting

    What I loved were the printers at all three of the colleges I went to all had complicated systems set up so that they could charge you to print on the printers. However, open up wireshark and in less than a second, you would receive a couple hundred packets from printers advertising themselves. And it wasn't just student printers either; the very printers they were charging us to print from were available for free and letting everybody know.

  21. Re:already used for spam... by arglebargle_xiv · · Score: 4, Funny

    What I loved were the printers at all three of the colleges I went to all had complicated systems set up so that they could charge you to print on the printers. However, open up wireless and in less than a second, you would receive a couple hundred packets from printers advertising themselves. And it wasn't just student printers either; the very printers they were charging us to print from were available for free and letting everybody know.

    It's even worse than that, given that university regulations require that all software of this kind is developed in-house by underpaid student interns, the accounting software is usually as sucky as you can get. When I was a student you could set the page count in your postscript jobs to a negative value and it'd credit your account every time you printed something. I paid off my student loan that way.
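The accounting bug described above is a textbook case of billing on a client-controlled value: the `%%Pages:` comment in a PostScript job's DSC header is written by whoever submitted the job. The following is an added example, not the in-house software the poster describes or any real print-accounting product; the two sample jobs are constructed, and the price per page is an arbitrary constant. It puts the trusting version beside a hardened one that bills on the pages actually present in the job and refuses anything non-positive.

```python
import re

# Constructed sample job: a well-formed PostScript document with three pages.
HONEST_JOB = """%!PS-Adobe-3.0
%%Title: lab report
%%Pages: 3
%%EndComments
%%Page: 1 1
showpage
%%Page: 2 2
showpage
%%Page: 3 3
showpage
%%EOF
"""

# Constructed: the same job with the header rewritten to a negative count,
# the input the comment says turned into a credit.
TAMPERED_JOB = HONEST_JOB.replace("%%Pages: 3", "%%Pages: -200")

PAGES_RE = re.compile(r"^%%Pages:\s*(-?\d+)", re.M)  # declared count in the header
PAGE_RE = re.compile(r"^%%Page:", re.M)               # one marker per actual page


def declared_pages(job):
    """Client-supplied page count from the DSC header, or None when absent
    (including the '%%Pages: (atend)' form)."""
    m = PAGES_RE.search(job)
    return int(m.group(1)) if m else None


def counted_pages(job):
    """Pages the job really contains, by counting %%Page: markers."""
    return len(PAGE_RE.findall(job))


def charge_trusting_header(job, price_per_page=10):
    """The weak accounting from the comment: bill whatever the header says.
    A negative declared count becomes a credit to the user's account."""
    declared = declared_pages(job)
    return (declared or 0) * price_per_page


def header_mismatch(job):
    """True when the declared count disagrees with the counted pages; worth
    logging for the operator, since it only happens with tampered or broken jobs."""
    declared = declared_pages(job)
    return declared is not None and declared != counted_pages(job)


def charge_hardened(job, price_per_page=10):
    """Hardened accounting: the header is only a hint. Bill on the counted
    pages, and refuse a job that would yield a zero or negative charge."""
    counted = counted_pages(job)
    if counted <= 0:
        raise ValueError("job has no printable pages; refusing to bill or print")
    return counted * price_per_page


if __name__ == "__main__":
    for name, job in (("honest", HONEST_JOB), ("tampered", TAMPERED_JOB)):
        print(f"{name:>9}: trusting={charge_trusting_header(job):>6}"
              f"  hardened={charge_hardened(job):>4}"
              f"  mismatch={header_mismatch(job)}")
```

Counting `%%Page:` markers is still a parse of client-supplied data (a job can lie about those too, or skip DSC comments entirely), so production accounting should reconcile against the device's own page counter after the job completes rather than trusting anything in the submitted file; the check above is the minimum that makes a negative credit impossible.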