Exposed HP LaserJet Printers Offer Anonymous FTP To the Public (csoonline.com)
itwbennett writes: In a blog post on Monday, security researcher Chris Vickery outlined the risks associated with networked HP LaserJet printers, which have been made available to the public by the organizations hosting them. 'There are a few free, open source pieces of software that can be used to upload and interact with HP printer hard drives over port 9100. After uploading to a printer, the file can be accessed by ... any web browser... It doesn't take much creativity to realize that even highly illegal materials could be stored this way,' Vickery wrote. CSO's Steve Ragan picked up the thread: A quick search on Shodan to confirm Vickery's findings returned thousands of results.
You have no excuse to have a printer exposed to the greater web.
As a UMN (note how high they are on the list counting the exposed printers) alumnus, I probably know more about their network setup than most. The default stance there has always been that every device on the network is given an IP (either dynamically or statically) that is fully resolvable to the world. They started with all of 128.101.*.* and then added 134.84.*.* and something else as well. It didn't seem like they would run out of addresses any time soon so they just kept handing them out; students, staff, faculty, janitors, etc.
Now networked printers are cheap and easy to use. Cubicle dwellers who don't want to share can buy their own without much difficulty and put it on the network ... because they can. I would bet half the printers on there are connected to the wireless, which also hands out fully resolvable IP addresses. How are you going to talk Fred in accounting into not doing it when not doing it is so much more difficult than doing it? He's going to bring his MacBook to work and back every day, he wants his wireless color LaserJet when he gets there. Good luck convincing him to spend the extra 1.6 seconds every day disconnecting and reconnecting a USB cable instead of printing over the network ... he could be using those 1.6 seconds to read more Facebook.
In summary, you won't get the printers off the exposed part of the network, not when the network is configured the way it is and the employees can add devices to it so easily.
HP printers used to also have a built-in web server. You could access printer functions from the page. I used to use AltaVista (which shows you how far back this goes) to search for the welcome text of the page -- and found hundreds of exposed printers.
I'd open the webpage and instruct the printer to print 1000 copies of a page that says "you've been hacked!" in 50-point typeface. It was an amusing prank, but now that printers have storage, yep, it's a bigger problem that HP, all these years later, has never addressed.
If telephones are outlawed, then only outlaws will have telephones.
If you are thinking of storing illegal things this way, remember that the FBI can take over the server, keep it running, and then track it back to you.
The "server" will be someone ELSE's laser printer, and you'll probably be accessing it via a VPN, or Tails and Tor, so it's not a problem (for you).