Slashdot Mirror


Thousands of Publicly Accessible Printers Searchable On Google

Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."

19 of 192 comments

  1. First rule of embedded web servers by WaffleMonster · · Score: 4, Insightful

    User-agent: *
    Disallow: /

    1. Re:First rule of embedded web servers by SJHillman · · Score: 5, Informative

      But at least it keeps the major search engines from indexing your web-accessible device, which is where script kiddies and the malevolently ignorant will go to find strange machines to play with.

  2. Imagine... by inode_buddha · · Score: 4, Insightful

    A little bit of scripting and you can goatse thousands all around the world...

    --
    C|N>K

    1. Re:Imagine... by Splab · · Score: 4, Funny

      Since you are abusing their equipment, you are probably going to be up for all sorts of fun unlawful computer acts.

      And if you are going to prank them, send the "You're fired" from Back to the Future...

    2. Re:Imagine... by black3d · · Score: 4, Interesting

      Back in the early days of the web when I used to port-sniff for fun, I discovered an FTP enabled printer with an upload to print function so threw "The Complete Works of William Shakespeare" up into it to see what happened. Of course, the file disappeared after a few minutes so I really have no idea, but to this day I wonder if I perhaps unfortunately used up someone's paper. :\

      --
      "The true measure of a person is how they act when they know they won't get caught." - DSRilk

    3. Re:Imagine... by Anonymous Coward · · Score: 5, Funny

      You Sir are a knave; a rascal; an eater of broken meats; base, proud, shallow, beggarly, three-suited, hundred-pound, filthy, worsted-stocking knave; a lily-livered, action-taking knave, a whoreson, glass-gazing, super-serviceable finical rogue; one-trunk-inheriting slave; one that wouldst be a bawd, in way of good service, and art nothing but the composition of a knave, beggar, coward, pandar, and the son and heir of a mongrel bitch: one whom I will beat into clamorous whining, if thou deniest the least syllable of thy addition.

  3. Insert Cheese by fluffy99 · · Score: 5, Funny

    I wonder if any of them are the older HP LaserJets where you could change the display to read funny things like "Insert Cheese" or "Low on Mayo"?
    http://community.spiceworks.com/scripts/show/1184-change-a-networked-hp-laserjet-ready-message
    http://miscellany.kovaya.com/2007/10/insert-coin.html

    1. Re:Insert Cheese by JamesTRexx · · Score: 4, Interesting

      Did this at the previous company I worked for as a 1st of April joke. Nobody had any clue as to how I did that. *lmao*

      Or maybe I should have been worried about why nobody had the knowledge about these exploits...

      --
      home

    2. Re:Insert Cheese by Laebshade · · Score: 5, Funny

      % cd projects/pevil
      % cat pevil
      #!/usr/bin/perl

      use warnings;
      use strict;
      use 5.014;                   # enables 'say'
      use Printer::HP::Display;    # module that drives the printer's front-panel display

      my $printer_ip = "172.30.20.129";
      my $printer = Printer::HP::Display->new($printer_ip);

      # Take the message from the command line, or fall back to a default.
      my ($text) = @ARGV;
      my $message = "I'm sorry Dave, I can't print that.";
      $message = $text if defined $text;

      $printer->set_display($message);   # write the new ready message
      say $printer->get_display;         # read it back to confirm

    3. Re:Insert Cheese by Nimey · · Score: 4, Funny

      I did that to my old department head's printer a few years ago. I think it was asking for $0.25 to be inserted for a few weeks before he asked me to fix it.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem

    4. Re:Insert Cheese by Lehk228 · · Score: 4, Funny

      I would love to do that, but the knuckleheads I work with would end up jamming quarters into the vents on the printer.

      --
      Snowden and Manning are heroes.

  4. Very useful by scotts13 · · Score: 5, Funny

    (GRIN) At one time, I had dial-in access to the Apple corporate network; back then AppleTalk and PAP were still supported. When I was having trouble getting an employee to answer his email, I'd just print the message to the printer in his office. That would usually get his or her attention.

  5. First page of Google results by jfdavis668 · · Score: 4, Funny

    I pity the people whose printers show up on the first page of Google results.

  6. How did this happen? by countach · · Score: 5, Interesting

    Excuse my ignorance, but how does this happen? Big companies have firewalls and NAT, and everyday people have wi-fi routers and NAT. What sort of people have big swaths of IP address space, but no clue how to manage it?

    1. Re:How did this happen? by Changa_MC · · Score: 5, Interesting

      I have 1024 public IPs, and I'm the only one who does anything with them: we won't have a network person until the hiring freeze is lifted (read: never).
      There was no NAT here, because that's not part of the IPv4 specs, and didn't even exist when this place was set up.

      I've set up basic NAT, my wireless users are on it, and a few desktops, but I can't move everyone onto it because some directors like to print from home to work, and some people require access to a router-to-router VPN to another site that only works if you have a public IP address. I'd love to get a better handle on how access tables on these routers work, but if I did that I'd have to take time away from my day job, and really who wants to get yelled at for working harder?

      I have no idea what I'm doing, but I can put anything I want on a public IP because there's literally no-one more knowledgeable to stop me. And I'm not gonna touch those printers because they're on a different subnet from my servers now, so screw it, they're literally not my job to secure.

      They've been like that for 20+ years, how bad can it be?

      --
      Changa hates change.

  7. Re:Not thousands, more like 73 by Anonymous Coward · · Score: 4, Informative

    Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.

    Actually it is about 86,500 - the 73 results are considered unique, but when you "repeat the search with the omitted results included" at the end, it includes many, many more nodes.

  8. Re:already used for spam... by Scarletdown · · Score: 4, Funny

    Balls do not pay the rent.

    I suppose that depends on what you do for a living.

    --
    This space unintentionally left blank.

  9. HP Printers don't run Oracle's (Sun) JVM by MythicalMan · · Score: 4, Informative

    The article leads the reader to believe that the VM running on HP LaserJet printers is an old version of Sun's -- now Oracle's -- JVM. That's not true. HP printers run ChaiVM, a clean-room implementation written based on the published specification. Moreover, HP has historically recommended that its customers NOT expose printers to the public Internet. The embedded web server is an administration tool, not a fully-fledged HTTP server, and was not designed to be used that way.

    Disclaimer: Even though I work for HP and had access to the LJ firmware internals in the recent past, I'm NOT speaking on behalf of HP.

    --
    --- Signature? You must be kidding!

  10. Re:already used for spam... by arglebargle_xiv · · Score: 4, Funny

    What I loved was that the printers at all three of the colleges I went to all had complicated systems set up so that they could charge you to print on them. However, open up Wireshark and in less than a second you would receive a couple hundred packets from printers advertising themselves. And it wasn't just student printers either; the very printers they were charging us to print from were available for free and letting everybody know.

    It's even worse than that, given that university regulations require that all software of this kind is developed in-house by underpaid student interns, the accounting software is usually as sucky as you can get. When I was a student you could set the page count in your PostScript jobs to a negative value and it'd credit your account every time you printed something. I paid off my student loan that way.
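The negative page-count trick described in that comment is a plain input-validation failure in the accounting layer. As an added example that is not from the thread, the constructed Python below shows an accounting function that trusts the client's own %%Pages: header beside a hardened one that bills only on a server-side rendered count and rejects negative or inconsistent values; the job fragments, tariff and function names are assumptions for illustration.

```python
import re

PAGE_COST_CENTS = 5  # constructed tariff per page

# Constructed PostScript job fragments; only the DSC %%Pages: header and
# the showpage operators matter for accounting here.
HONEST_JOB = (b"%!PS-Adobe-3.0\n%%Pages: 3\n"
              b"%%Page: 1 1\nshowpage\n%%Page: 2 2\nshowpage\n"
              b"%%Page: 3 3\nshowpage\n%%EOF\n")
NEGATIVE_JOB = (b"%!PS-Adobe-3.0\n%%Pages: -40\n"
                b"%%Page: 1 1\nshowpage\n%%EOF\n")

def declared_pages(job: bytes) -> int:
    """Page count the client wrote into its own %%Pages: comment (untrusted)."""
    m = re.search(rb"^%%Pages:\s*(-?\d+)", job, re.M)
    return int(m.group(1)) if m else 0

def rendered_pages(job: bytes) -> int:
    """Server-side count, one per showpage operator. Stand-in for what a
    real RIP reports after rendering; the client cannot set this directly."""
    return len(re.findall(rb"^showpage\b", job, re.M))

def bill_vulnerable(balance_cents: int, job: bytes) -> int:
    """Bug: trusts the declared count and does signed arithmetic, so a
    negative %%Pages value credits the account instead of charging it."""
    return balance_cents - declared_pages(job) * PAGE_COST_CENTS

def bill_hardened(balance_cents: int, job: bytes):
    """Returns (accepted, new_balance, reason). Bills only on the rendered
    count, rejects negative/zero counts and a header that disagrees with
    what was rendered, and never moves the balance upward for a print job."""
    declared = declared_pages(job)
    pages = rendered_pages(job)
    if declared < 0:
        return (False, balance_cents, "negative %%Pages in header")
    if pages <= 0:
        return (False, balance_cents, "job rendered no pages")
    if declared and declared != pages:
        return (False, balance_cents, "declared and rendered counts differ")
    cost = pages * PAGE_COST_CENTS
    if cost > balance_cents:
        return (False, balance_cents, "insufficient balance")
    return (True, balance_cents - cost, "ok")

if __name__ == "__main__":
    print("vulnerable:", bill_vulnerable(100, NEGATIVE_JOB))  # balance goes up
    print("hardened:  ", bill_hardened(100, NEGATIVE_JOB))   # rejected
    print("hardened:  ", bill_hardened(100, HONEST_JOB))     # charged 15 cents
```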