Slashdot Mirror

← Back to Stories (view on slashdot.org)

Thousands of Publicly Accessible Printers Searchable On Google

Posted by Soulskill on from the message-in-a-bottle-on-the-digital-ocean dept.

Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."

32 of 192 comments (clear)

  1. First rule of embedded web servers by WaffleMonster · · Score: 4, Insightful

    User-agent: *
    Disallow: /

    1. Re:First rule of embedded web servers by countach · · Score: 3, Insightful

      I think the point is, at least it wouldn't be advertised on Google.

    2. Re:First rule of embedded web servers by SJHillman · · Score: 5, Informative

      But at least it keeps the major search engines from indexing your web-accessible device, which is where script kiddies and the malevolently ignorant will go to find strange machines to play with.

    3. Re:First rule of embedded web servers by Jeremiah+Cornelius · · Score: 3, Informative

      There is a way to upload new printer firmware - usually protected with default administrator credentials. First, set the printers TCP settings to point to YOUR own DNS host.... :-)

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
  2. This will stop quickly by Arancaytar · · Score: 3, Insightful

    As soon as a spammer figures out how to abuse it.

    1. Re:This will stop quickly by hduff · · Score: 3, Informative

      .....or 4chan.

      I'm wait for the LULZ.

      --
      "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  3. Imagine... by inode_buddha · · Score: 4, Insightful

    A little bit of scripting and you can goatse thousands all around the world...

    --
    C|N>K
    1. Re:Imagine... by t3hfr3ak · · Score: 3, Informative

      Well, some states persecute for sharing offensive material over the internet. I'm sure the courts will say this falls into the category.

    2. Re:Imagine... by Splab · · Score: 4, Funny

      Since you are abusing their equipment, you are probably going to be up for all sorts of fun unlawful computer acts.

      And if you are going to prank them, send the "You're fired" from back to the future...

    3. Re:Imagine... by black3d · · Score: 4, Interesting

      Back in the early days of the web when I used to port-sniff for fun, I discovered an FTP enabled printer with an upload to print function so threw "The Complete Works of William Shakespeare" up into it to see what happened. Of course, the file disappeared after a few minutes so I really have no idea, but to this day I wonder if I perhaps unfortunately used up someone's paper. :\

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    4. Re:Imagine... by Anonymous Coward · · Score: 5, Funny

      You Sir are a knave; a rascal; an eater of broken meats; base, proud, shallow, beggarly, three-suited, hundred-pound, filthy, worsted-stocking knave; a lily-livered, action-taking knave, a whoreson, glass-gazing, super-serviceable finical rogue; one-trunk-inheriting slave; one that wouldst be a bawd, in way of good service, and art nothing but the composition of a knave, beggar, coward, pandar, and the son and heir of a mongrel bitch: one whom I will beat into clamorous whining, if thou deniest the least syllable of thy addition.

    5. Re:Imagine... by BitZtream · · Score: 3, Informative

      Yes, unauthorized access of pretty much anything is illegal, WTF makes you think it wouldn't be anyway?

      However, specifically, unauthorized access of a computer or telecommunications equipment is most certainly covered under several federal laws.

      Unauthorized access means 'doing anything they didn't want you to do, specifically stated in advance or otherwise.', so pretty much anytime you touch any computer without permission in any way, its covered.

      That doesn't consider any pornography or offensive content standards and a crapton of other laws.

      I'm just curious as to why you wouldn't instinctively know this is covered in about a billion different ways. Are you 12? Do you still think some silly little 'well they didn't say THAT' kind of thing is a legal loophole?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  4. Insert Cheese by fluffy99 · · Score: 5, Funny

    I wonder if any of them are the older HP LaserJets where you could change the display to read funny things like "Insert Cheese" or "Low on Mayo"?
    http://community.spiceworks.com/scripts/show/1184-change-a-networked-hp-laserjet-ready-message
    http://miscellany.kovaya.com/2007/10/insert-coin.html

    1. Re:Insert Cheese by Fallingcow · · Score: 3, Funny

      "lp0 on fire"

    2. Re:Insert Cheese by JamesTRexx · · Score: 4, Interesting

      Did this at the previous company I worked for as a 1st of April joke. Nobody had any clue as to how I did that. *lmao*

      Or maybe I should have been worried about why nobody had the knowledge about these exploits...

      --
      home
    3. Re:Insert Cheese by Laebshade · · Score: 5, Funny


      % cd projects/pevil
      % cat pevil
      #!/usr/bin/perl

      use warnings;
      use strict;
      use 5.014;
      use Printer::HP::Display;

      my $printer_ip = "172.30.20.129";
      my $printer = Printer::HP::Display->new($printer_ip);

      my ($text) = @ARGV;
      my $message = "I'm sorry Dave, I can't print that.";
      $message = $text if defined $text;

      $printer->set_display($message);
      say $printer->get_display;

    4. Re:Insert Cheese by Nimey · · Score: 4, Funny

      I did that to my old department head's printer a few years ago. I think it was asking for $0.25 to be inserted for a few weeks before he asked me to fix it.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    5. Re:Insert Cheese by Lehk228 · · Score: 4, Funny

      i would love to do that, but the knuckleheads i work with would end up jamming quarters into the vents on the printer

      --
      Snowden and Manning are heroes.
  5. Very useful by scotts13 · · Score: 5, Funny

    (GRIN) At one time, I had dial-in access to the Apple corporate network; back then AppleTalk and PAP were still supported. When I was having trouble getting an employee to answer his email, I'd just print the message to the printer in his office. That would usually get his or her attention.

  6. Help! I'm trapped in here! by Anonymous Coward · · Score: 3, Funny

    I saw a story not too long ago about someone accessing their neighbor's printer to print out messages to the neighbor, pretending the printer was somehow alive; starting with some gibberish it became words and then paragraphs of text.

    But you wouldn't do that to any of these printers because (pulls down microphone hidden in lamp suspended from ceiling) that would be wrong!

  7. First page of Google results by jfdavis668 · · Score: 4, Funny

    I pity the people who's printers show up on the first page of Google results.

  8. How did this happen? by countach · · Score: 5, Interesting

    Excuse my ignorance, but how does this happen? Big companies have firewalls and NAT, and everyday people have wi-fi routers and NAT. What sort of people have big swarths of IP address space, but no clue how to manage it?

    1. Re:How did this happen? by Charliemopps · · Score: 3, Funny

      Jimmy: So hows the new real estate agency dad said you started?
      Uncle Jim: The whole office is a mess. We've got a bunch of computers, and we got one of those box things to connect them all together at walmart... But it only has 10 plugins and now we've got this new printer...
      Jimmy: Uh... I think we can just get a bunch of old network cards, put them in that computer in the basement and install linux on it...
      Uncle Jim: Is Linux secure?
      Jimmy: It's the best. I think Nasa uses it.
      Uncle Jim: Wow, this is great that was going to cost me Twenty...er... hey I'll give you $10 an hour to do it.
      Jimmy:Really? Awsome... *starts doing wikipedia searches for linux*

    2. Re:How did this happen? by black3d · · Score: 3, Insightful

      Worse, the "cheap" guys frequently intentionally disable router-based firewalls and DMZ the entire internal network so they can "troubleshoot" remotely having to use only RDP, because they have no experience or knowledge of appropriate secure methods of remote troubleshooting.

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk
    3. Re:How did this happen? by Changa_MC · · Score: 5, Interesting

      I have 1024 public IPs, and I'm the only one who does anything with them: we won't have a network person until the hiring freeze is lifted (read: never).
      There' was no NAT here, because that's not part of the IPv4 specs, and didn't even exist when this place was setup.

      I've setup basic NAT, my wireless users are on it, and a few desktops, but I can't move everyone onto it because some directors like to print from home to work, and some people require access to a router-to-router VPN to another site that only works if you have a public IP address. I'd love to get a better handle on how access tables on these routers work, but if I did that I'd have to take time away from my day job, and really who wants to get yelled at for working harder?

      I have no idea what I'm doing, but I can put anything I want on a public IP because there's literally no-one more knowledgeable to stop me. And I'm not gonna touch those printers because they're on a different subnet from my servers now, so screw it, they're literally not my job to secure.

      They've been like that for 20+ years, how bad can it be?

      --
      Changa hates change.
    4. Re:How did this happen? by profplump · · Score: 3, Insightful

      My DHCP is configured to hand out "public" addresses. Even over WiFi. Is there some reason it shouldn't be?

      The idea that NAT is the way things should work is ridiculous -- it makes networking harder in about 25 different ways, makes the Internet a provider-consumer system instead of a peer-to-peer system, and it provides no "protection" beyond what you'd get from any other stateful firewall.

  9. Not thousands, more like 73 by Mr.+McGibby · · Score: 3, Informative

    Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.

    --
    Mad Software: Rantings on Developing So
    1. Re:Not thousands, more like 73 by Anonymous Coward · · Score: 4, Informative

      Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.

      actually it is abut 86,500 - the 73 results are considered unique, but when you "repeat the search with the omitted results included" at the end, it includes many, many more nodes.

  10. 3D by WrecklessSandwich · · Score: 3, Interesting

    I can't wait for networked 3D printers to become commonplace. See also: http://www.smbc-comics.com/index.php?db=comics&id=2851

  11. Re:already used for spam... by Scarletdown · · Score: 4, Funny

    Balls do not pay the rent.

    I suppose that depends on what you do for a living.

    --
    This space unintentionally left blank.
  12. HP Printers don't run Oracle's (Sun) JVM by MythicalMan · · Score: 4, Informative

    The article leads the reader to believe that the VM running on HP LaserJet printer is an old version of Sun's -- now Oracle -- JVM. That's no true. HP Printers run ChaiVM, a clean-room implementation written based on the published specification. Moreover HP has historically recommended their customers to NOT expose printers to the public Internet. The embedded web server is an administration tool, not a fully-fledged HTTP server, and was not designed to be used that way.

    Disclaimer: Even though I work for HP and had access to the LJ firmware internals in the recent past, I'm NOT speaking on behalf of HP.

    --
    --- Signature? You must be kidding!
  13. Re:already used for spam... by arglebargle_xiv · · Score: 4, Funny

    What I loved were the printers at all three of the colleges I went to all had complicated systems set up so that they could charge you to print on the printers. However, open up wireshark and in less than a second, you would receive a couple hundred packets from printers advertizing themselves. And it wasn't just student printers either; the very printers they were charging us to print from availible for free and letting everybody know.

    It's even worse than that, given that university regulations require that all software of this kind is developed in-house by underpaid student interns, the accounting software is usually as sucky as you can get. When I was a student you could set the page count in your postscript jobs to a negative value and it'd credit your account every time you printed something. I paid off my student loan that way.