Slashdot Mirror

← Back to Stories (view on slashdot.org)

Exposed HP LaserJet Printers Offer Anonymous FTP To the Public (csoonline.com)

Posted by timothy on from the so-it's-a-public-service dept.

itwbennett writes: In a blog post on Monday, security researcher Chris Vickery outlined the risks associated with networked HP LaserJet printers, which have been made available to the public by the organizations hosting them. 'There are a few free, open source pieces of software that can be used to upload and interact with HP printer hard drives over port 9100. After uploading to a printer, the file can be accessed by ... any web browser... It doesn't take much creativity to realize that even highly illegal materials could be stored this way,' Vickery wrote. CSO's Steve Ragan picked up the thread: A quick search on Shodan to confirm Vickery's findings returned thousands of results.

74 comments

  1. In other news, water is wet by Anonymous Coward · · Score: -1

    You have no excuse to have a printer exposed to the greater web.

    1. Re:In other news, water is wet by geekmux · · Score: 2

      You have no excuse to have a printer exposed to the greater web.

      Root cause my friend...HP has no excuse for running an FTP server on a printer.

    2. Re:In other news, water is wet by Dunbal · · Score: 2

      But then how are they going to send copies of everything you print to the mothership/NSA/etc?

      --
      Seven puppies were harmed during the making of this post.
    3. Re:In other news, water is wet by Anonymous Coward · · Score: 3, Informative

      You have no excuse to have a printer exposed to the greater web.

      As a UMN (note how high they are on the list counting the exposed printers) alumni, I probably know more about their network setup than most. The default stance there has always been that every device on the network is given an IP (either dynamically or statically) that is fully resolvable to the world. They started with all of 128.101.*.* and then added 134.84.*.* and something else as well. It didn't seem like they would run out of addresses any time soon so they just kept handing them out; students, staff, faculty, janitors, etc.

      Now networked printers are cheap and easy to use. Cubicle dwellers who don't want to share can buy their own without much difficulty and put it on the network ... because they can. I would bet half the printers on there are connected to the wireless, which also hands out fully resolvable IP addresses. How are you going to talk Fred in accounting into not doing it when not doing it is so much more difficult than doing it? He's going to bring his MacBook to work and back every day, he wants his wireless color laserjet when he gets there. Good luck convincing him to spend the extra 1.6 seconds every day disconnecting and reconnecting a USB cable instead of printing over the network ... he could be using those 1.6 seconds to read more facebook.

      In summary, you won't get the printers off the exposed part of the network, not when the network is configured the way it is and the employees can add devices to it so easily.

    4. Re:In other news, water is wet by TWX · · Score: 2

      More to the point, in an IPv6 world and in an IPv4 world that didn't run out of addresses, this is actually how it's supposed to work. Every device is supposed to have a valid routable address, and it's up to firewalling, not non-routable networks, to create security.

      It's been quite some time since I played heavily with the settings on network printers, but there were a lot of options for how the network configuration could be set up. There were multiple protocols and options within each protocol including for things like management, web, and the like.

      Makes me wonder if this current scare is simply a case of technical staff not doing their jobs and setting up the printers correctly, just leaving everything default. Who needs IPX or NetBEUI on their printers now anyway?

      --
      Do not look into laser with remaining eye.
    5. Re:In other news, water is wet by Torodung · · Score: 2

      TL;DR - NAT can suck it. :P

    6. Re:In other news, water is wet by Anonymous Coward · · Score: 0

      But how could they improve their customers experience if they could not harvest their data and as a side track, monetize it? Doesn't anyone think about the experience?

    7. Re:In other news, water is wet by Anonymous Coward · · Score: 0

      Fuck that.

      I'll put my internal devices like printers on a 10. or 192.168. subnet and never have to give a rat's ass about firewall configs or bad firewall software as far as those devices are concerned. I don't have to care if the door's locked if there's no doorway.

      NAT FTW!

    8. Re:In other news, water is wet by sumdumass · · Score: 1

      Part of the 192.168 address range is routeable (class b) in case you didn't know.

  2. 1998 called by belthize · · Score: 2

    They want there bugs back. This issue has been haunting HP printers for decades.

    ftp://ftp.hp.com/pub/networkin...
    https://www.google.com/search?...

    1. Re:1998 called by belthize · · Score: 1

      (@*&#$(*&@#$(78 there ^H^H^H^H^H^H their.

      Stupid non-editing system and proof reading poster gahhh

    2. Re:1998 called by Anonymous Coward · · Score: -1

      Downvoted you to try to hide your embarrassing spelling. It's for your own good.

    3. Re:1998 called by belthize · · Score: 1

      Probably best if I'm just taken out back and lethally shot. It's the only way I'll learn.

    4. Re:1998 called by Ghostworks · · Score: 2

      1995 called. It just wanted to remind you that abusing a printer in this way was actually a minor plot point of Johhny Mnemonic.

      Yes, the problem is so old that Hollywood actually -- and surely accidentally -- got it right.

    5. Re:1998 called by Anonymous Coward · · Score: 0

      You don't want to die of eternal bleeding, do you?

    6. Re:1998 called by TWX · · Score: 2

      William Gibson is a fairly smart guy, if he wrote stuff into the screenplay that was inspired by real stuff, even if carried to borderline-insane extremes.

      Had they not had that ridiculous, poorly-animated dolphin swimming through the mind thing I might consider it halfway decent movie, at least up there with the original Total Recall. That dolphin thing though, just too much.

      --
      Do not look into laser with remaining eye.
    7. Re:1998 called by TechyImmigrant · · Score: 1

      Laser printers were infecting and reinfecting 68K macintoshes over the network when I was in college in 1990.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    8. Re:1998 called by belthize · · Score: 1

      As long as it's temporary I don't mind to much.

    9. Re:1998 called by belthize · · Score: 2

      Oh fuck me .... to ^H^H too. Really just go ahead and put me out of everyone's misery.

    10. Re:1998 called by Falos · · Score: 2

      Relax. We could care less. You're meaning gets across for all intensive purposes.

    11. Re:1998 called by mspohr · · Score: 1

      As we used to say in the ER... All bleeding stops... eventually.

      --
      I don't read your sig. Why are you reading mine?
    12. Re:1998 called by The-Ixian · · Score: 1

      No, you must be mistaken... Apple products are not vulnerable to malware, anyone on /. can tell you that...

      --
      My eyes reflect the stars and a smile lights up my face.
    13. Re:1998 called by KGIII · · Score: 1

      What I want to know is how did he have that many Macs networked in 1990??? ;-)

      --
      "So long and thanks for all the fish."
  3. old news by Anonymous Coward · · Score: 1

    People have been doing this shit for years. People doing shit like printing out all sorts of crap etc to run the printers out of toner, paper etc. I wouldn't be surprised with some crappy printers out there that you wouldn't be able to start a fire with some.

    Printer related bullshit like this was the IoT hacking of the 1990s :P

    1. Re:old news by arth1 · · Score: 1

      Indeed. I used to change the LCD panels on the HP printers to say "Insert Coin".

    2. Re:old news by TWX · · Score: 0

      I can't deny a certain amount of sophormoric enjoyment changing the screen to identify that a particular color cartride is out, on a black and white printer...

      --
      Do not look into laser with remaining eye.
    3. Re:old news by fahrbot-bot · · Score: 1

      Indeed. I used to change the LCD panels on the HP printers to say "Insert Coin".

      Better than "PC Load Letter" - what the fuck does that mean? [ My Office Space reference for the day. ]

      --
      It must have been something you assimilated. . . .
    4. Re:old news by FooAtWFU · · Score: 1

      People doing shit like printing out all sorts of crap etc to run the printers out of toner, paper etc.

      I personally draw the line at using hpsetdisp.pl to make the printer display a friendly "Insert Coin" or "Out Of Cheese" message.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    5. Re:old news by Anonymous Coward · · Score: 0

      "Out Of Cheese"

      Someone else remembers. There's probably still a note in my HR file somewhere about setting printer messages to "00:00 OUT OF CHEESE. LOAD SHARP CHEDDAR LONG EDGE FIRST"...

    6. Re:old news by Stavr0 · · Score: 1

      "PLAID CARTRIDGE LOW"

      [And *that* is my Spaceballs reference for the day.]

    7. Re:old news by Myrrh · · Score: 1

      Hence the old UNIX error "/dev/lp0: on fire" ...

    8. Re:old news by arth1 · · Score: 1

      Better than "PC Load Letter" - what the fuck does that mean?

      Speaking of inappropriate error messages:
      Symantec Backup Exec System Recovery, when encountering a backup destination that can't hold the backup, will report:

      Error EBAB03F1: The printer is out of paper.

      How... useful!

  4. Shodan marketing by Anonymous Coward · · Score: 1

    This is just another "look at what i found with [product][signup]" marketing bullshit, i'am not signing up for anything at shodan, a "search" behind a paywall/freemium says everything about the operation.

    1. Re:Shodan marketing by ArchieBunker · · Score: 2

      Yeah what's up with his search engine? After the first page you need to register? Fuck that.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:Shodan marketing by Anonymous Coward · · Score: 2, Interesting

      Quite the opposite, I suspect the recent influx of news about Shodan is a concerted effort to get it shut down.

      A couple weeks ago we had stories about this search engine let me find Hello Kitty's database full of children. Over the weekend we saw hit pieces about this search engine lets people spy on your sleeping kids. Today we have this search engine exposes FTP servers where people can store "highly illegal materials" (he isn't talking about your MP3 collection). Insecure webcams, insecure FTP servers, insecure databases, these have existed for years. In fact they've all been searchable by Shodan (and Google) for years. There's nothing new or newsworthy about it, but the articles keep coming, and they keep specifically mentioning Shodan.

      Notice how these stories all have a think-of-the-children hysteria angle? Someone's trying *very hard* to equate the Shodan name with "this is a pedophile service and needs to be shut down."

  5. 0This FP for GNAA by Anonymous Coward · · Score: -1, Offtopic

    of prograa8ing a sad world. At bought the farm....

  6. Only in the nineties.... by Anonymous Coward · · Score: -1

    20 years ago this was known to those that actually gave a damn and used it.

    Now it's made public again, so joe schmo and linda pinda can talk about it as an intermezzo somewhere along brunch, in the middle of a crowded room, so some black ops dude sitting at the other end of the bar can have a little chuckle, a nice giggle, a ludicrously absurd outburst of mental energy.
    oh well

    The nineties called, they want their stories back.

    and quit spreading the info to the pleebs. you can't hide in the crowd anymore, actually, you never could. once you're being sent to the slaughter, you can be sure you'll end up hamburger patty.

    uuduu

  7. IoT by Torodung · · Score: 4, Insightful

    (*sarcasm*) No. Everything must be internet enabled! We are in the age of the Internet of Things. You probably don't even use "apps," do you? I bet you compile your own code, too. You are a Luddite. Get off my lawn! (*sarcasm*)

    1. Re:IoT by Anonymous Coward · · Score: 0

      Uhm.. it's a printer. In an office environment it might have a higher priority to give everyone access to the networked printer than to give everyone access to the internet.
      If there is something that do belong on the net it is the printer.

  8. CP by Anonymous Coward · · Score: 0

    Wow, who know HP was the original cloud storage provider for pornography?

  9. That's what they get for buying HP by Anonymous Coward · · Score: 0

    'Nuff said.

  10. FTP, eh? by Anonymous Coward · · Score: 0

    Does it also serve up a RIPterm bbs?

  11. NAT, firewall by Torodung · · Score: 1

    Does anyone seriously have an IP protocol printer that isn't behind a NAT and a firewall to boot? Is this really a thing? Listening printer IP ports sitting out in the DMZ? (*boggle*)

    (I guess, or he wouldn't have written the blog.) :/

    1. Re:NAT, firewall by gstoddart · · Score: 5, Insightful

      Honestly, never underestimate just how terrible security is or can be ... between vendors which leave stuff vulnerable for years, or mis-configurations, things which have never been patched, or things which seemed like a good idea at the time ... the internet is a hideous mess of things which are appalling but nonetheless happen every day.

      Either because nobody cares, or nobody has the money to care, or management comes down on the side of "easy" instead of "correct".

      I think most of us would be shocked/depressed/angry to realize just how much stuff is hanging outside of any firewall or NAT whatsoever.

      The people are likely to be secure are paranoid, diligent, a little crazed, and likely have others telling them to "relax, it's not a big deal". Never underestimate how often someone says "dear god, we can't do this" only to be overruled by someone who doesn't see it as a threat ... it happens all the damned time.

      The people who get overruled just need to cover their asses so if it happens they can say "told you so". This has been true for years.

      I'm betting tons of people around here can give you horror stories about loudly warning about this kind of stuff only to be told to shut up and do it.

      --
      Lost at C:>. Found at C.
    2. Re:NAT, firewall by Anonymous Coward · · Score: 1

      Yes it is, in the early days of the internet the norm was for everything to be publically accessible, some places (especially universities) haven't moved away from this or have only partially done so (i.e. there is a campus firewall but it's default-allow and is not a NAT). I expect there would be strong resistance from academics to a move to a more locked down model which gives more power to central IT.

      The university I am at usually allocates private addresses when installing new printers (we have paralell public and private subnets on the same lans that are routed to each other but obviously the private ones aren't reacable from the internet) but there are still printers on public IPs allocated years ago.

    3. Re:NAT, firewall by Anonymous Coward · · Score: 0

      Regarding the NAT part, we're maybe in for a new wave of this with IPv6. On a small LAN one could do with a link-local address, but people are going to want to print from other subnets, so a routable address must be configured. Since NAT is discouraged with IPv6, it will be a globally routable one. This will likely be the default configuration for printers. Users with at least half a brain will set up a firewall as a parallel to the NAT on IPv4. However I'm sure a large number of people don't even know they have IPv6, or blindly hack at their gateway's config until IPv6 works, to tick a box. Not saying it's going to be pandemonium, but will be interesting to see,.

    4. Re:NAT, firewall by Anonymous Coward · · Score: 0

      Security is like insurance. Until someone needs it, no one thinks twice about it. I worked on a security software project and it was a tough sale. Most companies are very "I don't care, just get it to work" so that objective is a higher priority than anything else.

    5. Re:NAT, firewall by Bert64 · · Score: 1

      NAT isn't used for security, in fact it's a major inconvenience and things work better on routable addresses...
      People only use NAT because they don't have enough addresses to do things properly.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:NAT, firewall by Anonymous Coward · · Score: 0

      Looking at this makes me think that the movie Independence Day was not so far fetched. Aliens who just left their network vulnerable.

    7. Re:NAT, firewall by painandgreed · · Score: 1

      Does anyone seriously have an IP protocol printer that isn't behind a NAT and a firewall to boot? Is this really a thing? Listening printer IP ports sitting out in the DMZ? (*boggle*)

      (I guess, or he wouldn't have written the blog.) :/

      Doesn't matter. Seems printers these days all have Bluetooth and wireless printing as features and turned on by default with things like Bonjour happily asking outsiders to come in.

  12. This has been going on for decades by tekrat · · Score: 1, Informative

    HP printers used to also have a built-in web-server. You could access printer functions from the page. I used to use Alta-Vista (which shows you how far back this goes) to search for the welcome text of the page -- and found hundreds of exposed printers.

    I'd open the webpage and instruct the printer to print 1000 copies of a page that says "you've been hacked!" in 50-point typeface. It was an amusing prank, but now that printers have storage, yep, it's a bigger problem that HP, all these years later, has never addressed.

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:This has been going on for decades by Anonymous Coward · · Score: 0

      Total BS. Network security isn't HP's responsiblity. If people can get to your printer on your network who is to blame?? Layers people..

    2. Re:This has been going on for decades by oh_my_080980980 · · Score: 1

      Says the ass-wipe that let's a botnet take over his computer...

    3. Re:This has been going on for decades by Anonymous Coward · · Score: 0

      So, did you put your fax machine behind a firewall too?

      Sometimes it was actually useful for me to print on a machine 5000 km away in another office.

    4. Re:This has been going on for decades by nuckfuts · · Score: 1

      I used to use Alta-Vista (which shows you how far back this goes) to search for the welcome text of the page -- and found hundreds of exposed printers.

      I'd open the webpage and instruct the printer to print 1000 copies of a page that says "you've been hacked!" in 50-point typeface. It was an amusing prank...

      Here's a hypothetical scenario for you:

      I'm walking through a public parking lot looking at all the cars to see if any are left unlocked. Either by ignorance or oversight you've left your car unlocked. I decide to open your door and take a piss on your seat. Would you consider that an "amusing prank"?

      I mean, after all, you deserve it. You should have known better than to leave your vehicle unlocked.

    5. Re:This has been going on for decades by Anonymous Coward · · Score: 0

      More like you noticed that opening the gas tank doesn't trigger the alarm on most cars, so you go around emptying everyone's gas tanks. Now that we have hoses, it's convenient to refill the tank with cool-aid, leave a couple straws, and let everyone stopping by to take a sip.

    6. Re:This has been going on for decades by slimjim8094 · · Score: 1

      There's a big difference between a car that's not yours and is well understood to be someone else's private property and an open web server on the open internet, voluntarily offering up pages to passers-by. It's more like you're wandering through a locker room and one of the lockers is open. You notice there's a box of chocolates saying "take one", so you do. Of course the box could've been intended for someone else, but with the locker door open who is to know? The missing access control is what made it ambiguous that the voluntary offering was intended for anybody on the internet.

      That said, as far as printers go, it is implicit that the printer is there for the use of whomever can physically access it - not random people a thousand miles away. Printing "you've been hacked" just demonstrates foreknowledge that it was illicit access. But if it was some webserver offering up files or status pages or whatever, there's a lot of cases where it could be ambiguous. Config pages are problematic because there's no legitimate cause (that I know of) to configure a device you're not sure is yours*. Probably the sweet spot of ambiguity is webcams - lots of webcams are for use by the public, but lots are not and still publicly available.

      *I will confess to moving a neighbor's wireless router from channel 3 (seriously?) to a channel that didn't interfere with 2/3 of the available channels...

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    7. Re:This has been going on for decades by nuckfuts · · Score: 1

      By printing "1000 copies" in 50-point typeface, the self-professed "hacker" wasn't just harmlessly drawing attention to the exposure. He was deliberately using up a significant amount of consumables and causing unnecessary wear on limited-lifespan parts such as the fuser unit. This is not akin to eating a piece of chocolate from a box left lying around. There is nothing "ambiguous" about it. Anyone with an ounce of common sense should understand that the printer exposure is not a "voluntary offering" for "anyone on the internet" to use up the owner's expensive consumables.

  13. Get out of jail free card and IP6 will just make i by Joe_Dragon · · Score: 1

    Get out of jail free card and IP6 will just make it even easier to clam by ISP modem just auto put it on the net.

  14. old newsssssss by Anonymous Coward · · Score: 0

    There was a research paper from Singapore last summer that explained this much better. The guy even created a drone for finding exposed printers.

  15. What? by wardrich86 · · Score: 1

    A quick search on Shodan to confirm Vickery's findings returned thousands of results.

    The quote implies that the link would go to Shodan, but instead it points to another article.

  16. Wi-fi printers, ugh. by thejynxed · · Score: 1

    It isn't just the LaserJets, the OfficeJets, etc all have this issue, and there is one right now within range of my home wi-fi network (and of course my other wireless devices) that helpfully tells me that it is offering an open wi-fi network (while every single wireless router within signal range is password protected). Yes, I have seriously been considering sending the owners a message over their own printer.

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    1. Re:Wi-fi printers, ugh. by thejynxed · · Score: 1

      One thing I forgot to mention - yes, I can use HP printer management tools to do silly things like read what is queued in their print spool and how much toner is left in the device.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  17. To be clear... by argStyopa · · Score: 1

    The reported "thousands of results" are thousands of exposed printers, not necessarily thousands of files so hosted.

    --
    -Styopa
  18. By Design You Moron! by Anonymous Coward · · Score: 1

    It's called FTP printing. It was a thing. It can only be accomplished by having the service running and the port open on the printer. Presumably you want your fucking printer to work as advertised. So, HP enabled the service and port, so you can fucking print and FTP print if you want to.

    That you plugged these old printers into the internet, rather than behind a firewall is not HP's problem. It is an ID10T or PEBCAK issue.

    Now, if you want to blame HP et al for stupid lack of security then look no further than WebPrint and AirPrint. These two features willfully encourage the printer's connection to the internet, even tunneling through firewalls. These two feature are moronic security holes manufactured and encouraged by the manufacturers while still making printing a pain in the ass.

  19. Really old news and a young 'researcher'... by Anonymous Coward · · Score: 0

    Well, this is very, very, very old hat. I have been sending files to HP printers using FTP for 20 years. It is the easiest way to print from an unconfigured Linux/UNIX machine - without installing CUPS. However, the company IT should not make the FTP port available outside the LAN and that has nothing to do with HP.

  20. Fax machines... by Anonymous Coward · · Score: 0

    Oh, the horror. Fax machines are on the public net too. In fact, I think are required to be that way in order to be of any use whatsoever...

  21. illegal storage by phantomfive · · Score: 1

    If you are thinking of storing illegal things this way, remember that the FBI can take over the server, keep it running, and then track it back to you.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:illegal storage by godel_56 · · Score: 3, Informative

      If you are thinking of storing illegal things this way, remember that the FBI can take over the server, keep it running, and then track it back to you.

      The "server" will be someone ELSE's laser printer, and you'll probably be accessing it via a VPN, or Tails and Tor, so it's not a problem (for you).

  22. anon by Anonymous Coward · · Score: 0

    Well, at least it's anonymous.

  23. Risks associated with networked HP printers .. by tetraverse · · Score: 1

    What is this useless advice doing on slashdot. Now if he only told us how this free, open source software got onto the printer in the first place and why only HP network printers.

  24. Not news by Anonymous Coward · · Score: 0

    This is really old news. No current model for sale has these issues. Oddly, people don't expect their decade-old router to be secure these days. But for some reason people think old printers should be. Oh well.

  25. Your HP printers... by Kazoo+the+Clown · · Score: 1

    Your HP printers are my cloudserver. I back up all my data in PAR files to them. All your printers are belong to us.

  26. Why would you forward port 80 to your printer? by Anonymous Coward · · Score: 0

    from the article:

    software that can be used to upload and interact with HP printer hard drives over port 9100. After uploading to a printer, the file can be accessed by visiting http://[Printer_IP_Address]/hp/device/[File_Name] with any web browser...

    Wouldn't this require port 80 to be forwarded? I don't see them specifying an alternate port in that request.