A Hacker Just Pwned Over 150,000 Printers Exposed Online

Last year an attacker forced thousands of unsecured printers to spew racist and anti-semitic messages. But this year's attack is even bigger. An anonymous reader writes: A grey-hat hacker going by the name of Stackoverflowin has pwned over 150,000 printers that have been left accessible online. For the past 24 hours, Stackoverflowin has been running an automated script that searches for open printer ports and sends a rogue print job to the target's device. The script targets IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and port 9100 left open to external connections. From high-end multi-functional printers at corporate headquarters to lowly receipt printers in small town restaurants, all have been affected. The list includes brands such as Afico, Brother, Canon, Epson, HP, Lexmark, Konica Minolta, Oki, and Samsung.

The printed out message included recommendations for printer owners to secure their device. The hacker said that people who reached out were very nice and thanked him.
The printers apparently spew out an ASCII drawing of a robot, along with the words "stackoverflowin the hacker god has returned. your printer is part of a flaming botnet... For the love of God, please close this port." The messages sometimes also include a link to a Twitter feed named LMAOstack.

Re: Oh, the humanity!

I hope the dipshit plants a few trees to compensate for the 390 reams printed.

This keeps happening because mfgs won't fix it

[El+Cubano]

I've been giving some thought to this whole botnet epidemic. It occurs to be that there is a very straightforward solution:

Every manufacturer, software vendor, etc., should ship their hardware, software, device, etc., in a mode in which all remote/external access is completely disabled. Then the user would be required to at least take a positive action to enable the remote or network capability.

However, I am relatively certain this won't happen, for these reasons:

1. If people can't just &plug and play" their devices, then the manufacturer will end up having to bear a greater support burden (i.e., more people calling with problems like "I can't make my printer work on the WiFi")
2. If people have more problems many will complain, costing the manufacturer brand reputation
3. The way things currently stand it is cheaper for the manufacturer, and when things go wrong the customer bears the cost of cleaning up the mess
4. The vast majority of people either never have a problem or never realize that they have a problem (i.e., they are on a private network, a techie friend or family member does the setup and properly secures the device, etc.)

Given that manufacturers are in no rush to do anything that costs them more money (hardware margins are razor thin for just about every hardware company not named "Apple"), I really don't see this changing anytime soon, which is sad because this sort of mentality is making the Internet a worse place for everyone all around.

Re:This keeps happening because mfgs won't fix it

[CaptainDork]

This.

The cure for botnet infections and data breaches is litigation.

Botnet?

[caution+live+frogs]

Having port 9100 open doesn't make my printer part of a botnet. It just allows me to print from anywhere. I often set the printer as the DMZ address on my network, because I'd rather have people sending crap at a printer than at my actual computers. This kind is crap is really annoying, not helpful. We COULD turn off external printer ports, but in some cases they are needed or desired. Wasting paper tellling me the port is open? Stupid. Pressuring printer companies to implement a way to only allow authenticated users to print to external ports? Knock yourself out.

(If your printer has the web configuration/admin page unsecured, or telnet config open - that's a different story.)

Re:Botnet?

[OrangeTide]

Remember when fax machines printed immediately so that anyone in the world could waste a few sheets of your paper?
We didn't consider that a security issue either.

Re:Botnet?

We did when the paper triggered the motion sensor security alarm.

Re:Botnet?

[Bert64]

On some models of printer, port 9100 can do a lot more than just accept data to be printed...

For instance, some Xerox printers let you upload firmware updates via port 9100, and vulnerabilities exist allowing remote code execution (see https://www.exploit-db.com/exp...)

Printers are fully capable computers, having processors far more powerful than even highend servers from a few years ago. If someone gains the ability to execute arbitrary code on one, then they have a foothold on your network capable of launching further attacks against other hosts.

Re:Botnet?

[guruevi]

You know CUPS and any self respecting laser printer have had authentication and encryption for like ages. You could even run CUPS on your router and allow your computer to print from anywhere on the Internet.

On the other hand, this is indeed not a hack, this is just a public printer server.

Re:Botnet?

[athmanb]

The question is how confident are you that your printer firmware doesn't have a buffer overflow exploit that allows random code execution?
Considering that the average printer gets patched just about never, I wouldn't be.

Re:Botnet?

[haruchai]

Remember when fax machines printed immediately so that anyone in the world could waste a few sheets of your paper?
We didn't consider that a security issue either.

A few sheets? Ever heard of the Black Fax Attack?
Pranksters used to loop black construction paper through fax machines so that the recipient would run out of toner or have their machine gummed up real good.

Re:Botnet?

[aaarrrgggh]

Just set up a VPN already. Unattended devices should have zero unfiltered WAN access.

What is really needed is advanced network security for dummies-- things like an LCD display on your router to hand out tokens for computers to access the WAN, and 802.1x to segment each machine into a different VLAN unless the traffic is valid.

If you hack my printer

[OrangeTide]

I'll throw it out because I don't use that thing anymore. I can't even imagine what I would need with hardcopies anymore.

Ah, printers, the grand-fathers of IoT insecurity

[ffkom]

Printers were probably the first devices to be connected to the Internet in vast amounts without any consideration of security. Things do not seem to have changed.

Re:Ah, printers, the grand-fathers of IoT insecuri

[sims+2]

At work we have open wifi to date the most interesting thing I've seen connected to it was an HP printer.
Why is that interesting?

Because as best as I can tell the printer is somewhere the next city block over we only noticed because stuff here started offering to print to it.

The public wifi also shuts of at 6PM so maybe it's a business? IDK.

Haven't had any problems with people printing stuff to our printer however due to the network size and having more than one printer of the same model we have had issues with accidentally printing to a printer in the wrong building.

Giant Penis (attention grabber)

Funny story, third hand but from a source I 100% believe.

Walking back from a bar to his car in the downtown of a mid-size American city a friend of my friend notices open WiFi. *Score!* He connects to the network and gets a list of connected devices. He sees the usual stuff, but also something he'd never seen before. He does a quick search and finds out it's a commercial banner printer. It does 600dpi prints up to 30" wide off of rolls that can be 250' long. *SCORE!*

At this point WiFi is pretty new to most people, and security is barely on anyone's mind. He does a relatively nice thing - he finds a standard HP Laserjet and prints off a letter explaining that their WiFi is open, their 5-figure printer is exposed to the world, and it would be a really good idea to fix that. He even gives them a link to their AP's documentation showing how to set up password access.

As you might imagine, he was a pretty frequent visitor to the bar - so he watched and waited for a while. Seeing no change in their openness, he repeated the warning letter and made it pretty clear they should take the potential for damage seriously. He ended up traveling away for work reasons, and when he returned over two full weeks later he was eager to return to his local spot.

Of course there was still no change in the open network, and the printer was still available. After some thought, he got pretty well inebriated, and knew exactly what to do. He downloaded the printer's driver software to his laptop, found a good high resolution picture and printed a 30' long veiny erect penis on their big buck banner printer. The next week, the WiFi was password protected at that location.

Read the latest research in printer security?

[l1404223]

Using a public printer to "print" is the least evil thing you can do. Read this weeks research on printer security: http://hacking-printers.net/ https://github.com/RUB-NDS/PRE... Whenever you can print a document on a printer (for example, using port 9100 or cross-site-printing from a malicious website) you can do much worse stuff like: - Capture print jobs (all PostScript printers since 32 years are vulnerable!) - Access the file system (most PostScript printers allow this, some PJL devices do) - Dump the printer's NVRAM or memory ("feature" of all Brother laser printers and some Xerox devices) - Obtain credentials for Scan-to-Mail, Active Directory etc. stored on the device (Brother, OKI, some HPs, ...) - Install new firmware on the device (modification however is difficult as many vendors use code-signing) - Destroy the printer's NVRAM using legitimate PJL commands (various HP, Brother, Lexmark, Dell, Konica Minolta, ...)