A Hacker Just Pwned Over 150,000 Printers Exposed Online

Last year an attacker forced thousands of unsecured printers to spew racist and anti-semitic messages. But this year's attack is even bigger. An anonymous reader writes: A grey-hat hacker going by the name of Stackoverflowin has pwned over 150,000 printers that have been left accessible online. For the past 24 hours, Stackoverflowin has been running an automated script that searches for open printer ports and sends a rogue print job to the target's device. The script targets IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and port 9100 left open to external connections. From high-end multi-functional printers at corporate headquarters to lowly receipt printers in small town restaurants, all have been affected. The list includes brands such as Afico, Brother, Canon, Epson, HP, Lexmark, Konica Minolta, Oki, and Samsung.

The printed out message included recommendations for printer owners to secure their device. The hacker said that people who reached out were very nice and thanked him.
The printers apparently spew out an ASCII drawing of a robot, along with the words "stackoverflowin the hacker god has returned. your printer is part of a flaming botnet... For the love of God, please close this port." The messages sometimes also include a link to a Twitter feed named LMAOstack.

Oh, the humanity!

[Latent+Heat]

Of all the bad outcomes of a printer being hacked, that it "spews" racist printouts (everything racist, I guess, is spewed) until you switch off the printer or fix your security doesn't seem to be the worst thing?

Does your printer keep spewing pages that you find offensive until you make a Bitcoin payment to a racial supremacist group?

Re: Oh, the humanity!

I hope the dipshit plants a few trees to compensate for the 390 reams printed.

Re: Oh, the humanity!

[will_die]

with the price of printer ink and the size of blank paper some printers hold you could cost a company a few hundred dollars. even more uf someone refills tge unk and paper and allows the job to continue.

Re: Oh, the humanity!

[Mashiki]

FYI: In the west, trees are planted just after harvest. That's why we have sustainable forestry in the first place.

Re: Oh, the humanity!

[cthulhu11]

Forests are clearcut and monoculture tree farms planted. Sustainable only in weakly relative terms.

Re: Oh, the humanity!

[RockDoctor]

Speak for yourself in the West. Here on the East side of the Atlantic, we've long known the demerits of forestry monoculture, and haven't done that for some 40 years. Of course, that also means that we've got 80-odd years of monocultures to work through, but forestry practice has included dotting other species into any spaces that come available though wind-blow, trail cutting etc. Which isn't perfect, but that argument was over a generation ago in professional forestry management.

Re: Oh, the humanity!

[eric_harris_76]

The paper companies will do it for him. (Turns out, they sell paper made from trees. Who knew?)

Let's hope that paper is sequestered in a landfill, keeping the carbon in the cellulose away from oxygen.

Uh, wait

[DivineKnight]

Are a bunch of printers on the Internet with public IPs (a thought that previously has never crossed my mind, as it's not even a criminal offense...we'd need to invent a new category for it)?

Re:Uh, wait

[cusco]

Oh, most certainly, some of them in branch offices of multinational corporations. The better ones have hard drives for storing print jobs, FTP and configurable web pages, etc. I know of one local company which was appalled to find that their printer was being used to host a kiddie porn FTP site.

This is actually a fairly common configuration when the IT guy doesn't know how to set up a VPN (don't they teach that in computer classes any more?). They just drop it on the outside of the firewall, maybe set up DDNS from the built in configuration, and VIOLA! Now their clueless boss thinks they're a wizard because they can print from anywhere.

More disturbing to me is the amount of security equipment hanging off the Internet, an appalling amount of it with default or stupid passwords. I'm a physical security professional, key cards, security cameras, alarm systems, and the like. On the LinkedIn forums the question is fairly often posed "How do I let my customer view video from off-site?" Nine out of ten of the resulting answers are, "Put it on the Internet outside the firewall and configure DDNS." A ridiculous percentage of the IoT DDOS attack last year consisted of security cameras and DVRs/NVRs.

Re: Uh, wait

[cthulhu11]

I wonder how the hell these things are exposed. Residential and small business CPE does NAT and non-routeable space. Larger businesses with routable space manage theirs or pay someone too. I can only guess colleges, who have routable space and snooty faculty who prevent security.

This keeps happening because mfgs won't fix it

[El+Cubano]

I've been giving some thought to this whole botnet epidemic. It occurs to be that there is a very straightforward solution:

Every manufacturer, software vendor, etc., should ship their hardware, software, device, etc., in a mode in which all remote/external access is completely disabled. Then the user would be required to at least take a positive action to enable the remote or network capability.

However, I am relatively certain this won't happen, for these reasons:

1. If people can't just &plug and play" their devices, then the manufacturer will end up having to bear a greater support burden (i.e., more people calling with problems like "I can't make my printer work on the WiFi")
2. If people have more problems many will complain, costing the manufacturer brand reputation
3. The way things currently stand it is cheaper for the manufacturer, and when things go wrong the customer bears the cost of cleaning up the mess
4. The vast majority of people either never have a problem or never realize that they have a problem (i.e., they are on a private network, a techie friend or family member does the setup and properly secures the device, etc.)

Given that manufacturers are in no rush to do anything that costs them more money (hardware margins are razor thin for just about every hardware company not named "Apple"), I really don't see this changing anytime soon, which is sad because this sort of mentality is making the Internet a worse place for everyone all around.

Re:This keeps happening because mfgs won't fix it

[AmiMoJo]

One simple way this kind of attack could be mitigated would be to simply limit connections to the local IP subnet. Requests from other subnets would be ignored unless the user had configured and set a password.

Most people only want to use the printer locally.

Re:This keeps happening because mfgs won't fix it

[CaptainDork]

This.

The cure for botnet infections and data breaches is litigation.

Re:This keeps happening because mfgs won't fix it

[tlhIngan]

Uh, disabling those protocols means the printer won't print at all, since many printers in corporate and home settings already are networked and not connected via USB or other things.

The bigger question is - how come said printers were hooked up to the Internet directly? Even the most basic firewall would fix it. For home users, said printer will be on WiFi or Ethernet, behind their NAT router, so all is good. And on a corporate network, it too should be behind the firewall and blocked.

Did some company f**k up and have their corporate network completely unfirewalled and exposed? I mean, what possible reason is there for having a printer open? Road users should VPN in (and really, on the road they don't usually need to print to a printer at corporate HQ).

Re:This keeps happening because mfgs won't fix it

[cusco]

how come said printers were hooked up to the Internet directly?

Stupid/lazy IT guy and stupid/lazy bosses. Boss wants to print from his laptop when he's lazing in the coffee shop downstairs. Too stupid and/or lazy to use a VPN, so the stupid and/or lazy IT guy (probably a contractor) drops it outside the firewall. I've been told to do this with security equipment so that the customer could view their cameras from home, and refused. Customer was pissed off. My boss was pissed off. Customer's IT staff thanked me and wrote a letter of appreciation to my employer.

Re:This keeps happening because mfgs won't fix it

[RockDoctor]

how come said printers were hooked up to the Internet directly?

Stupid/lazy IT guy and stupid/lazy bosses.

Or, as likely, non-existant IT guy(-ess) and a boss that simply doesn't understand that there is a question here. Until the printer starts spewing a page of "your printer is fucked up" every few hours.

Nope, I'd agree with the classification of this guy as a "grey hat".

Botnet?

[caution+live+frogs]

Having port 9100 open doesn't make my printer part of a botnet. It just allows me to print from anywhere. I often set the printer as the DMZ address on my network, because I'd rather have people sending crap at a printer than at my actual computers. This kind is crap is really annoying, not helpful. We COULD turn off external printer ports, but in some cases they are needed or desired. Wasting paper tellling me the port is open? Stupid. Pressuring printer companies to implement a way to only allow authenticated users to print to external ports? Knock yourself out.

(If your printer has the web configuration/admin page unsecured, or telnet config open - that's a different story.)

Re:Botnet?

[OrangeTide]

Remember when fax machines printed immediately so that anyone in the world could waste a few sheets of your paper?
We didn't consider that a security issue either.

Re:Botnet?

We did when the paper triggered the motion sensor security alarm.

Re:Botnet?

[Bert64]

On some models of printer, port 9100 can do a lot more than just accept data to be printed...

For instance, some Xerox printers let you upload firmware updates via port 9100, and vulnerabilities exist allowing remote code execution (see https://www.exploit-db.com/exp...)

Printers are fully capable computers, having processors far more powerful than even highend servers from a few years ago. If someone gains the ability to execute arbitrary code on one, then they have a foothold on your network capable of launching further attacks against other hosts.

Re:Botnet?

[guruevi]

You know CUPS and any self respecting laser printer have had authentication and encryption for like ages. You could even run CUPS on your router and allow your computer to print from anywhere on the Internet.

On the other hand, this is indeed not a hack, this is just a public printer server.

Re:Botnet?

[athmanb]

The question is how confident are you that your printer firmware doesn't have a buffer overflow exploit that allows random code execution?
Considering that the average printer gets patched just about never, I wouldn't be.

Re:Botnet?

[haruchai]

Remember when fax machines printed immediately so that anyone in the world could waste a few sheets of your paper?
We didn't consider that a security issue either.

A few sheets? Ever heard of the Black Fax Attack?
Pranksters used to loop black construction paper through fax machines so that the recipient would run out of toner or have their machine gummed up real good.

Re:Botnet?

[aaarrrgggh]

Just set up a VPN already. Unattended devices should have zero unfiltered WAN access.

What is really needed is advanced network security for dummies-- things like an LCD display on your router to hand out tokens for computers to access the WAN, and 802.1x to segment each machine into a different VLAN unless the traffic is valid.

Re:Botnet?

[eneville]

This.

The message needs to use words that the reader will react to. If 'botnet' wasn't used, would this even had made news?

Re:Botnet?

[nnull]

This! I don't understand why these printers are left out in the open? Or why are they being DMZ'd? I don't understand this mentality.

Re:Botnet?

[fisted]

I often set the printer as the DMZ address on my network, because I'd rather have people sending crap at a printer than at my actual computers.

This is the dumbest thing I've read in a while.

Re:Botnet?

[hawk]

>For instance, some Xerox printers let you upload
>firmware updates via port 9100, and vulnerabilities
>exist allowing remote code execution

Damnit, I *knew* I should have listened when he warned me not buy the gatling gun with servos option . . . :)

hawk

Re:Botnet?

[swillden]

I often set the printer as the DMZ address on my network, because I'd rather have people sending crap at a printer than at my actual computers.

You don't want people to send crap to your actual computers, so you open a huge hole through your firewall, right into a powerful computer that has horribly buggy, rarely-updated firmware and frequently communicates with all of your actual computers, through their (also likely buggy) print drivers -- which on many systems execute with system permissions?

You need to rethink that strategy.

My recommendation (with some caveats, see below) is to use Google Cloud Print. Your printer opens a secure (TLS) outbound connection to a Google server, from which it receives print jobs. No need to open any inbound ports. Likewise, when you print your print jobs are send from your computer (or phone / tablet / Chromebook, works on all of them) over a secure connection to a Google server, which queues them for delivery to your printer.

Just like your solution, you can print from anywhere. More conveniently, you don't need to know your home IP address (or have DNS set up), and you don't have to fiddle with your firewall configuration. The downsides are (1) you need a printer that supports Cloud Print (or have it connected to an always-on computer -- not a good option, IMO) and (2) you have to be comfortable with letting Google see your print jobs -- and, theoretically, datamine them. AFAIK that doesn't actually happen, but you should assume it does. Personally, 99% of what I print is content written in Google Docs anyway.

Re:Botnet?

[gerf]

Problem is that some firmwares make it so that I can't use remanufactured toner cartridges (e.g. my Samsung CL-325W). Thanks DRM and the DMCA.

Re:Botnet?

[RockDoctor]

My recommendation [...] is to use Google Cloud Print. Your printer opens a secure (TLS) outbound connection to a Google server, from which it receives print jobs. No need to open any inbound ports. Likewise, when you print your print jobs are send from your computer (or phone / tablet / Chromebook, works on all of them) over a secure connection to a Google server, which queues them for delivery to your printer.

And if the data I'm printing is both commercially confidential AND detrimental to the interests of US-based companies, and regulated by countries that are not the USA, and I have stringent confidentiality clauses in my contract?

Actually, I've had exactly this conversation with computer techs from the American company on whose premises we were working when they wanted to use our (the company that was renting them and their equipment) printer as a backup in case their printer went down. And he'd already accepted why I refused to give them access to the confidential data.

Re:Botnet?

[OrangeTide]

Teenagers egged my house, let's call the SECRET SERVICE!

If you hack my printer

[OrangeTide]

I'll throw it out because I don't use that thing anymore. I can't even imagine what I would need with hardcopies anymore.

Ah, printers, the grand-fathers of IoT insecurity

[ffkom]

Printers were probably the first devices to be connected to the Internet in vast amounts without any consideration of security. Things do not seem to have changed.

just tie up someones phone with end less faxes!

[Joe_Dragon]

https://www.youtube.com/watch?...

So what?

[ddtmm]

A bunch of printers publicly available on the internet. And that's the manufacturer's problem? This has noting to do with anything other than some people setting up their printers for public access, intentionally of accidentally. Noting to see here...

Re:Ah, printers, the grand-fathers of IoT insecuri

[sims+2]

At work we have open wifi to date the most interesting thing I've seen connected to it was an HP printer.
Why is that interesting?

Because as best as I can tell the printer is somewhere the next city block over we only noticed because stuff here started offering to print to it.

The public wifi also shuts of at 6PM so maybe it's a business? IDK.

Haven't had any problems with people printing stuff to our printer however due to the network size and having more than one printer of the same model we have had issues with accidentally printing to a printer in the wrong building.

Giant Penis (attention grabber)

Funny story, third hand but from a source I 100% believe.

Walking back from a bar to his car in the downtown of a mid-size American city a friend of my friend notices open WiFi. *Score!* He connects to the network and gets a list of connected devices. He sees the usual stuff, but also something he'd never seen before. He does a quick search and finds out it's a commercial banner printer. It does 600dpi prints up to 30" wide off of rolls that can be 250' long. *SCORE!*

At this point WiFi is pretty new to most people, and security is barely on anyone's mind. He does a relatively nice thing - he finds a standard HP Laserjet and prints off a letter explaining that their WiFi is open, their 5-figure printer is exposed to the world, and it would be a really good idea to fix that. He even gives them a link to their AP's documentation showing how to set up password access.

As you might imagine, he was a pretty frequent visitor to the bar - so he watched and waited for a while. Seeing no change in their openness, he repeated the warning letter and made it pretty clear they should take the potential for damage seriously. He ended up traveling away for work reasons, and when he returned over two full weeks later he was eager to return to his local spot.

Of course there was still no change in the open network, and the printer was still available. After some thought, he got pretty well inebriated, and knew exactly what to do. He downloaded the printer's driver software to his laptop, found a good high resolution picture and printed a 30' long veiny erect penis on their big buck banner printer. The next week, the WiFi was password protected at that location.

A new meaning to "reams" of paper?

[Latent+Heat]

At least it wasn't as offensive as racist slogans?

this in a printer being printed to not a hack!

[Joe_Dragon]

this in a printer being printed to not a hack! It's just that some people have them with PUB IP's now with IPV6 and an ISP router it may be giving out pub IPv6 ip's with DHCP.

Re:this in a printer being printed to not a hack!

[CaptainDork]

Semantics.

It's illegal in the US:

Unauthorized access" entails approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent.

Another anecdote

[Megane]

Back in the early 2Ks, I worked for a certain networking gear manufacturer who gets confused with a food service company. Two or three times, a particular virus popped up that looked for open Windows file shares and would drop a copy of itself on said file share, naively hoping that a moron would later see it and click on it. Well, some bright spark had decided that for some reason, printers needed to be set up as a pseudo file share. This would then dump raw ASCII to the printer. (I suppose it might have been possible to get into some HP graphics mode with the right escape characters)

The problem was that in this mode, a form feed character would cause a page eject. Now imagine what happens when a binary file is thrown at this. We had at least one printer (I think it was an LJ4 series) wear out from all the pages it was quickly spewing if its paper tray was particularly well filled.

Read the latest research in printer security?

[l1404223]

Using a public printer to "print" is the least evil thing you can do. Read this weeks research on printer security: http://hacking-printers.net/ https://github.com/RUB-NDS/PRE... Whenever you can print a document on a printer (for example, using port 9100 or cross-site-printing from a malicious website) you can do much worse stuff like: - Capture print jobs (all PostScript printers since 32 years are vulnerable!) - Access the file system (most PostScript printers allow this, some PJL devices do) - Dump the printer's NVRAM or memory ("feature" of all Brother laser printers and some Xerox devices) - Obtain credentials for Scan-to-Mail, Active Directory etc. stored on the device (Brother, OKI, some HPs, ...) - Install new firmware on the device (modification however is difficult as many vendors use code-signing) - Destroy the printer's NVRAM using legitimate PJL commands (various HP, Brother, Lexmark, Dell, Konica Minolta, ...)

Spewing?

[Latent+Heat]

So the issue at hand is that the printer hacking used up printer supplies and that the hacked pages were racist, misogynist, homophobic, homoerotic, xenophobic, jingoistic, pornographic, plain disgusting, or simply annoying are peripheral concerns?

Think of the environment

[GeezerGeek49]

He just caused printers to use about 18 trees worth of paper.