from Hacker News

Google has indexed thousands of publicly accessible HP printers

by skattyadz on 1/25/13, 4:17 PM with 141 comments

  • by joering2 on 1/25/13, 5:21 PM

    Idea for startup.

    1. write a script to scrap google links to HP admin panel

    2. filter out the IPs that are from US (given you want to work on US market)

    3. assemble the list of printer types and current toner levels.

    4. write a script that will print to each of those printers a one single page, stating your company "Cheapo Suppliers Inc" was notified that "your printer is low on toner. Call xxxxxx to re-fill. Lowest prices quaranteed within one day delivery!". You can add link to your shop page that already redirects user to specific type of printer they have, some type of one-click order (based on which toners are low).

    5. daily rinse repeat.

    6. sell your business to HP (at least try to).

  • by mrj on 1/25/13, 4:43 PM

    Worse than printing somewhere remote, many of those are probably also scanners. If the original is left on the glass (I forget it all the time), an attacker could scan it remotely.

  • by modernerd on 1/25/13, 5:40 PM

    Some of the IPs are registered to large US universities, who list abuse/tech support email addresses in their records. I've already emailed several with a headsup and had a couple of "thank you!"s in reply.

  • by josh2600 on 1/25/13, 5:27 PM

    So... Where's Ang Cui at?

    In case you guys haven't seen it, Ang Cui is the guy who did the Cisco hack last month and he's also the guy with the coolest resume on the planet.

    He actually found a way to compromise printers during the print process, so by printing his resume, he pwns your printer. This seems like a bull in the china shop situation for that code.

  • by bintery on 1/25/13, 5:24 PM

    That's really nothing compared to searching for Canon ImageRunner admin pages (google lets you search for a URL by content/markers/text in the page info/name) - over on those imagerunner tech forums, people were able to bring up previous scans going back however far, and in minutes be looking at passports, medical records, college information, etc...

    Maybe more disturbing is that as these things are decommissioned they are just 'junked'. Meaning sent over seas as is to be 'disposed' - anything ever copied, scanned, or sent on that thing is in there somewhere and some foreign nation is in control of MFDs that were in hospitals, law firms, architect/contractor office, police stations, and on and on and on.

    The holes have been largely fixed through encryption and other techniques but only very recently - which I've been able to work around myself with forensic tools. I won't provide the link here, but if you google around you can find discussion on this topic pretty easily.

  • by achillean on 1/25/13, 5:53 PM

    This is actually one of the earliest searches that was used on the Shodan search engine! Shodan specializes in finding all devices connected to the Internet (including Telnet, SSH, FTP, SNMP etc.):

    http://www.shodanhq.com/search?q=hp+jetdirect http://www.shodanhq.com/search?q=laserjet http://www.shodanhq.com/search?q=HP-ChaiSOE

  • by kabdib on 1/25/13, 5:48 PM

    I wrote a scriptable "chooser" when I was at Apple -- it let you programmatically find and select a printer to print to.

    I enumerated every printer on campus (about 900 of them at the time, I think), and came /this close/ to printing a snarky page -- a fake version of the "Five Star News" internal company news -- on each one of them. Decided not to; probably a good career move that I resisted that urge.

  • by VMG on 1/25/13, 4:53 PM

    So is the secret service going to knock on my door if I click a link? I can't tell anymore.

  • by cs702 on 1/25/13, 5:24 PM

    I've written about this before.[1] Many network-connected printers simply assume that the local network they connect to will be securely protected from external threats, so they're not configured to withstand even the simplest of attacks. This is exactly the opposite of what many security experts recommend: devices should be secure regardless of whether the network they're on is secure or not.

    Bruce Schneier's personal WiFi network at home is fully open, because -- in his own words: "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."[2]

    I'm waiting for the great network printer security apocalypse...

    --

    I ran a quick nmap command (nmap -T4 -A -v -PE [IP address]) on a few of the many printers indexed by Google, and here's a typical result, showing tons of open ports and passwordless login options (I've deleted the hostname and IP address to protect the innocent):

      Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-25 12:15 EST
  NSE: Loaded 36 scripts for scanning.
  Initiating Ping Scan at 12:15
  Scanning XXX.XXX.XXX.XXX [1 port]
  Completed Ping Scan at 12:15, 0.10s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 12:15
  Completed Parallel DNS resolution of 1 host. at 12:15, 0.14s elapsed
  Initiating Connect Scan at 12:15
  Scanning [HOSTNAME] (XXX.XXX.XXX.XXX) [1000 ports]
  Discovered open port 23/tcp on XXX.XXX.XXX.XXX
  Discovered open port 21/tcp on XXX.XXX.XXX.XXX
  Discovered open port 443/tcp on XXX.XXX.XXX.XXX
  Discovered open port 80/tcp on XXX.XXX.XXX.XXX
  Increasing send delay for XXX.XXX.XXX.XXX from 0 to 5 due to max_successful_tryno increase to 5
  Increasing send delay for XXX.XXX.XXX.XXX from 5 to 10 due to max_successful_tryno increase to 6
  Warning: XXX.XXX.XXX.XXX giving up on port because retransmission cap hit (6).
  Discovered open port 14000/tcp on XXX.XXX.XXX.XXX
  Discovered open port 631/tcp on XXX.XXX.XXX.XXX
  Discovered open port 280/tcp on XXX.XXX.XXX.XXX
  Completed Connect Scan at 12:15, 37.26s elapsed (1000 total ports)
  Initiating Service scan at 12:15
  Scanning 7 services on [HOSTNAME] (XXX.XXX.XXX.XXX)
  Completed Service scan at 12:16, 13.09s elapsed (7 services on 1 host)
  NSE: Script scanning XXX.XXX.XXX.XXX.
  NSE: Starting runlevel 1 (of 1) scan.
  Initiating NSE at 12:16
  Completed NSE at 12:16, 3.57s elapsed
  NSE: Script Scanning completed.
  Nmap scan report for [HOSTNAME] (XXX.XXX.XXX.XXX)
  Host is up (0.11s latency).
  Not shown: 978 closed ports
  PORT      STATE    SERVICE      VERSION
  21/tcp    open     ftp          HP LaserJet P4014 printer ftpd
  |_ftp-anon: Anonymous FTP login allowed
  23/tcp    open     telnet       HP JetDirect telnetd
  25/tcp    filtered smtp
  80/tcp    open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  111/tcp   filtered rpcbind
  135/tcp   filtered msrpc
  139/tcp   filtered netbios-ssn
  280/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  443/tcp   open     ssl/http     HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  445/tcp   filtered microsoft-ds
  515/tcp   filtered printer
  631/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  1433/tcp  filtered ms-sql-s
  1720/tcp  filtered H.323/Q.931
  3168/tcp  filtered unknown
  4550/tcp  filtered unknown
  6000/tcp  filtered X11
  6112/tcp  filtered dtspc
  8654/tcp  filtered unknown
  9100/tcp  filtered jetdirect
  14000/tcp open     tcpwrapped
  19315/tcp filtered unknown
  Service Info: Device: printer
    --

    [1] http://news.ycombinator.com/item?id=4412714

    [2] http://www.schneier.com/blog/archives/2008/01/my_open_wirele...

  • by KwanEsq on 1/25/13, 5:27 PM

    Interestingly, if you try to browse far into the results, Google decided it actually only has 73 to display (after telling it to include ommitted similar results).

  • by mentat on 1/25/13, 6:54 PM

    A friendly thing to do would be develop a script that took the google results, checked with whois for abuse address and sent emails. Of course that could also end up with one being sent to jail for a long time.

  • by feefie on 1/25/13, 6:28 PM

    How can I tell if my home printer is securely protected? Is there a good web page or text book anyone can recommend that will teach me more details about this? Thanks.

  • by jhdevos on 1/25/13, 4:41 PM

    Should we now all print documents to those printers with warnings saying that they are publicly accessible?

  • by meaty on 1/25/13, 7:53 PM

    So within 24 hours, lots of people are going to find out what a goatse is I reckon.

    Even better, a lot of people in the UK have Thomson routers which have an easily calculable WPA default password. Most of these also have smart tvs these days too which will allow anything to be pushed to them.

  • by penguat on 1/25/13, 4:41 PM

    So, next question is how much malware is hanging around for those printers? Are all / mostly / some / none compromised?

  • by smallegan on 1/25/13, 5:42 PM

    Those poor IT Support guys that get a call because their small business clients network is going down due to everyone hitting their printer(s) at once because they show up on the first page :-\

  • by bitwize on 1/25/13, 7:21 PM

    You did this from your house?

    What are you, stoned or stupid?

  • by tmosleyIII on 1/25/13, 7:30 PM

    You can find a lot of open machines and sensitive information using Google, this one for the HP printers was submitted to the Google Hacking Database[1] in 2004.

    [1] http://www.exploit-db.com/google-dorks/

  • by kunai on 1/26/13, 12:00 AM

    I did the Google search, and while the first page does indeed show 86K results, as soon as I navigate to the second, the number drops to 13...

    Am I the only one with this problem, or did Google really not index "thousands of publicly accessible HP printers"?

  • by GBond on 1/25/13, 6:30 PM

    If you recall from the early days of google, there are plenty of indexed dark data that Google actively scrubs out of the public results. For example it was trivial at one point to find credit card numbers and social security numbers.

  • by hn-miw-i on 1/26/13, 5:30 AM

    One million trees just died. The problem with some of the earlier HP printers was that they would accept unsigned firmware updates, you could literally reflash the thing with an update instruction in postscript.

    Some work was done at Columbia University with developing trojanised firmware, i recall a firmware that could transmit CC# over tcp when it saw then in the print stream.

    Extreme care must be taken if connecting printers to the Internet. It's at best a horrible idea and I'd say that most of these are unknown to their owners. Hopefully this gets some MSM coverage and people address the connected printer problem forever. (not likely)

  • by jagermo on 1/25/13, 5:44 PM

    As far as I know this problem has been around for years. If you want to dive deeper into this, i recommend you visit Shodan (http://www.shodanhq.com/)

  • by aw3c2 on 1/25/13, 4:54 PM

  • by daralthus on 1/25/13, 8:05 PM

    Make sure to watch Ang Cui's demonstration on printer malware at 28c3. http://www.youtube.com/watch?v=njVv7J2azY8

  • by rbchv on 1/25/13, 6:19 PM

    Use this only to test your own printers. http://cdn.memegenerator.net/instances/400x/33855503.jpg

  • by FollowSteph3 on 1/25/13, 5:30 PM

    I'd hate to be at the top of that google search result!!

  • by tlrobinson on 1/25/13, 5:56 PM

  • by sandycheeks on 1/25/13, 8:47 PM

    The first thing I thought of was a course that I took decades ago that discussed using printers for covert channels to get data out of secure networks.

    I wonder if any of those are honeypots. It may be interesting to see if any visitors do something clever or unexpected.

  • by afita on 1/25/13, 9:06 PM

    I'm surprised nobody mentioned PrintFS in this thread: http://www.remote-exploit.org/articles/printfs/index.html

  • by fnordfnordfnord on 1/26/13, 6:18 AM

    Time for fun. Insert Coin, PC Load Letter, etc. Good times. http://miscellany.kovaya.com/2007/10/insert-coin.html

  • by deadairspace on 1/26/13, 2:56 AM

    Wow. There is at least one printer on there in a US governmental department, and on one of the settings pages is a huge list of emails of employees. And now I'm probably on some kind of list.

  • by TranceMan on 1/25/13, 7:24 PM

    >What happened to you today?

    My printer got slashdotted :(

    > Eh?

  • by hippich on 1/25/13, 7:42 PM

    And again - so many wasted IPv4s...

  • by kristopolous on 1/25/13, 6:50 PM

    And bam, junk fax companies are back in business.

  • by humanspecies on 1/25/13, 6:09 PM

    This is truly an old hack, from the days of Altavista, you can find all sorts of open devices and even file folders(I think they've censored those results now) on the internet.