Thousands of Publicly Accessible Printers Searchable On Google
Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."
First rule of embedded web servers (Score:5, Insightful)
User-agent: *
Disallow: /
Re:First rule of embedded web servers (Score:4, Insightful)
I think the point is, at least it wouldn't be advertised on Google.
Re:First rule of embedded web servers (Score:5, Informative)
But at least it keeps the major search engines from indexing your web-accessible device, which is where script kiddies and the malevolently ignorant will go to find strange machines to play with.
Re: (Score:2)
I think the idea is to hack a printer and serve a malicious applet to the user computer on the administration pages using a Java (or browser, or Flash, etc) vulnerability, not that the JVM is running on the printer
Re:First rule of embedded web servers (Score:4, Informative)
There is a way to upload new printer firmware - usually protected with default administrator credentials. First, set the printer's TCP settings to point to YOUR own DNS host.... :-)
This will stop quickly (Score:4, Insightful)
As soon as a spammer figures out how to abuse it.
Re: (Score:2, Insightful)
This may fall under the junk fax laws, USCC 18 paragraph 2701. Unlike that nightmare of deliberately overriding state law with federal law that planted "SPAM ME" on the backside of every email user in the US, the old junk fax law actually had teeth in it because it was costing every fax-owning *business* money and time as their fax machines were run out of paper and toner constantly with all the junk fax. So it's a fairly robust law which might include this as electronic communications to a fax/printer/copi
Re: (Score:2)
Hey, did you get that great vacation opportunity, too? Only $99* for a week in Fiji!
*Airfare, hotel, food, and transportation extra.
Re:This will stop quickly (Score:4, Informative)
.....or 4chan.
I'm waiting for the LULZ.
Re: (Score:2)
But what you might really love is the opportunity to re-finance your home at 0.01%!
Re: (Score:3)
0.01%? That is a rip off! Refinance now and get -0.25%, that's right, you will gain money! Don't pay your mortgage! WE PAY YOU!
Imagine... (Score:4, Insightful)
A little bit of scripting and you can goatse thousands all around the world...
Re: (Score:2)
I was just considering that.
Anyone know if there are laws against it?
Re: (Score:3, Insightful)
You'd be in heap big trouble if a child picked up the printout, I think.
Re:Imagine... (Score:5, Funny)
Since you are abusing their equipment, you are probably going to be up for all sorts of fun unlawful computer acts.
And if you are going to prank them, send the "You're fired" from back to the future...
Re: (Score:2)
Probably the same laws that say you can't use someone else's computer without their permission. Just because it's unsecured doesn't mean you're allowed to walk in.
Re: (Score:3)
So, you only visit websites for which you have a written invitation?
As a business, if your front door is open, it's an invitation to come in and browse.
Re: (Score:2)
Websites are intended to face the general public, this is implicitly understood. A better analogy is there's an unmarked door on the side of the store and when you peek in, you see it's an office or some other place the public obviously doesn't belong even if it's still wide open.
Re: (Score:2)
Aren't there laws in the US against sending spam faxes because it uses the paper up? That might be used against the sender of the print job.
If the printers are simple JetDirect boxes, there will probably be no logging of where the jobs came from. If they're bigger multifunction machines with hard drives, you'll be logged.
Re: (Score:2)
There should be a law, and if this becomes a problem there will be one. However, the existing laws almost certainly concern sending faxes and are unlikely to apply.
Re: (Score:3)
That reminds me of the time I found out a simple nmap portscan kills one model of JetDirect network-to-parallel boxes. Not just factory reset button dead, but replace an eprom or something similar at a HP repair centre dead. Since those things are so fragile and so wide open that you can actually kill them over a network without even trying I'm not surprised that other HP crap has no consideration of security.
Re: (Score:2)
JetDirect boxes log to loghost.assignedomain. by default, have for 15 years. If you use DHCP with syslog set there, they automatically log to that log host.
If your JetDirect boxes aren't logging automatically when you plug them in, your network is configured wrong.
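The two comments above make the operational point: JetDirect-class devices will syslog to a loghost if DHCP tells them where it is, and that log is the only record of where a job came from. What a practitioner actually wants on top of that is a check that flags printer events whose source address is not one of the organisation's own prefixes. The script below is an added example for this thread, not code from any poster or from HP: the syslog message wording and the internal prefixes are assumptions, and the sample lines are constructed (203.0.113.x and 198.51.100.x are documentation addresses standing in for the public Internet).

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed sample syslog lines. The event wording is an assumption for this
# example; real JetDirect firmware phrases its messages differently, so adjust
# LINE_RE to whatever your loghost actually receives.
SAMPLE_SYSLOG = """\
Jan 14 09:12:01 loghost printer[172.30.20.129]: print job 17 from 172.30.20.50 port 9100
Jan 14 09:13:44 loghost printer[172.30.20.129]: print job 18 from 203.0.113.77 port 9100
Jan 14 09:14:02 loghost printer[172.30.20.129]: admin login from 198.51.100.9 port 80
Jan 14 09:15:10 loghost printer[172.30.20.129]: print job 19 from 10.8.0.4 port 9100
Jan 14 09:16:00 loghost printer[172.30.20.129]: firmware upload from 198.51.100.9 port 80
"""

# Address space allowed to talk to printers: RFC 1918 plus loopback (assumed).
# Replace with the organisation's own prefixes. Python's is_private/is_global
# are deliberately not used: they also classify the documentation ranges
# above as non-global, which would hide exactly the traffic we want to see.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Events that mean configuration or firmware access rather than a print job.
HIGH_RISK_EVENTS = {"admin login", "firmware upload"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ printer\[(?P<printer>[\d.]+)\]: "
    r"(?P<event>[a-z ]+?)(?: \d+)? from (?P<src>[\d.]+) port (?P<port>\d+)$"
)


class Alert(NamedTuple):
    ts: str
    printer: str
    event: str
    src: str
    severity: str


def is_internal(ip: str, nets=INTERNAL_NETS) -> bool:
    """True if ip falls inside one of the permitted internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def scan(log_text: str, nets=INTERNAL_NETS) -> List[Alert]:
    """Return one Alert per printer event whose source is not internal.
    Admin and firmware events from outside are rated high, print jobs medium."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a printer event in the format we parse
        if is_internal(m["src"], nets):
            continue
        severity = "high" if m["event"] in HIGH_RISK_EVENTS else "medium"
        alerts.append(Alert(m["ts"], m["printer"], m["event"], m["src"], severity))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_SYSLOG):
        print(f"{a.severity:6} {a.ts} {a.printer} {a.event} from {a.src}")
```

Run against the constructed lines it reports three events: one print job and two high-severity administrative actions, all from outside the allowed prefixes. The caveat is the one raised earlier in the thread: a plain JetDirect box only logs if someone set the loghost, and a device that never logs will never show up here, so the absence of alerts is not evidence the printer is unreachable from the Internet.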
Re: (Score:2)
How about just printing this article?
White hat warning, and all.
So what if it's 15 pages long.
Re:Imagine... (Score:4, Informative)
Yes, unauthorized access of pretty much anything is illegal, WTF makes you think it wouldn't be anyway?
However, specifically, unauthorized access of a computer or telecommunications equipment is most certainly covered under several federal laws.
Unauthorized access means 'doing anything they didn't want you to do, specifically stated in advance or otherwise', so pretty much any time you touch any computer without permission in any way, it's covered.
That doesn't consider any pornography or offensive content standards and a crapton of other laws.
I'm just curious as to why you wouldn't instinctively know this is covered in about a billion different ways. Are you 12? Do you still think some silly little 'well they didn't say THAT' kind of thing is a legal loophole?
Re:Imagine... (Score:5, Funny)
You Sir are a knave; a rascal; an eater of broken meats; base, proud, shallow, beggarly, three-suited, hundred-pound, filthy, worsted-stocking knave; a lily-livered, action-taking knave, a whoreson, glass-gazing, super-serviceable finical rogue; one-trunk-inheriting slave; one that wouldst be a bawd, in way of good service, and art nothing but the composition of a knave, beggar, coward, pandar, and the son and heir of a mongrel bitch: one whom I will beat into clamorous whining, if thou deniest the least syllable of thy addition.
Re: (Score:2)
I was surprised to see in the LinkedIn security industry discussion threads how many of our competitors think nothing of making their customers' security cameras, DVR/NVR, or access control/intrusion panel accessible from the Internet. Several posters have gotten quite irate when I point out that if the customer can get to it then so can any script kiddie. I w
Platonic Chain (Score:2)
There was a web hosted anime based around that idea called "Platonic Chain" about teenage girls using a range of exploits on IP cameras and other information that had been handily aggregated for them. It's a series of short, very low-budget episodes from 2003 but it really nails some implications of the coming goldfish bowl if we have a lot of wide open private information sources and amoral teens.
Insert Cheese (Score:5, Funny)
I wonder if any of them are the older HP LaserJets where you could change the display to read funny things like "Insert Cheese" or "Low on Mayo"?
http://community.spiceworks.com/scripts/show/1184-change-a-networked-hp-laserjet-ready-message [spiceworks.com]
http://miscellany.kovaya.com/2007/10/insert-coin.html [kovaya.com]
Re: (Score:3)
"pc load letter" ?
Re:Insert Cheese (Score:4, Funny)
"lp0 on fire"
Re:Insert Cheese (Score:5, Interesting)
Or maybe I should have been worried about why nobody had the knowledge about these exploits...
Re:Insert Cheese (Score:5, Funny)
I did that to my old department head's printer a few years ago. I think it was asking for $0.25 to be inserted for a few weeks before he asked me to fix it.
Re:Insert Cheese (Score:5, Funny)
% cd projects/pevil
% cat pevil
#!/usr/bin/perl
use warnings;
use strict;
use 5.014;                   # for say()
use Printer::HP::Display;    # CPAN module that talks to the printer's status display

my $printer_ip = "172.30.20.129";
my $printer = Printer::HP::Display->new($printer_ip);

# Message comes from the first command-line argument, or falls back to the default.
my ($text) = @ARGV;
my $message = "I'm sorry Dave, I can't print that.";
$message = $text if defined $text;

$printer->set_display($message);   # push the new ready message to the panel
say $printer->get_display;         # read it back to confirm it took
Error (Score:3)
"Error: Out of Paper on Drive D:"
Very useful (Score:5, Funny)
(GRIN) At one time, I had dial-in access to the Apple corporate network; back then AppleTalk and PAP were still supported. When I was having trouble getting an employee to answer his email, I'd just print the message to the printer in his office. That would usually get his or her attention.
Help! I'm trapped in here! (Score:3, Funny)
I saw a story not too long ago about someone accessing their neighbor's printer to print out messages to the neighbor, pretending the printer was somehow alive; starting with some gibberish it became words and then paragraphs of text.
But you wouldn't do that to any of these printers because (pulls down microphone hidden in lamp suspended from ceiling) that would be wrong!
Might be useful... (Score:2)
...if these printers were somewhere they could reasonably replace a fax machine. But then, even fax machines are abused/spammed.
And it doesn't have to be deliberate. I supplied the department with a year's worth of scrap paper when I tried to print a postscript file to a laser printer. Something in the Windows-to-Appletalk software got munged and the text of the file got printed instead of the document.
1 page word doc in raw = 1 ream of paper. (Score:2)
1 page word doc in raw = 1 ream of paper.
Re: (Score:2)
with instructions how to "fix" it and why it needs to be done and a contact email
I see you working. Trying to get those spammers busted...
Re: (Score:3)
Mr. T, is that you?
Re: (Score:2)
You might want to read that message on page two.
How did this happen? (Score:5, Interesting)
Excuse my ignorance, but how does this happen? Big companies have firewalls and NAT, and everyday people have wi-fi routers and NAT. What sort of people have big swaths of IP address space, but no clue how to manage it?
Re: (Score:2)
The lucky ones come into contact with a company like mine before disaster strikes...
Re:How did this happen? (Score:4, Funny)
Jimmy: So hows the new real estate agency dad said you started?
Uncle Jim: The whole office is a mess. We've got a bunch of computers, and we got one of those box things to connect them all together at Walmart... But it only has 10 plugins and now we've got this new printer...
Jimmy: Uh... I think we can just get a bunch of old network cards, put them in that computer in the basement and install linux on it...
Uncle Jim: Is Linux secure?
Jimmy: It's the best. I think Nasa uses it.
Uncle Jim: Wow, this is great that was going to cost me Twenty...er... hey I'll give you $10 an hour to do it.
Jimmy: Really? Awesome... *starts doing Wikipedia searches for Linux*
Re:How did this happen? (Score:5, Interesting)
I have 1024 public IPs, and I'm the only one who does anything with them: we won't have a network person until the hiring freeze is lifted (read: never).
There was no NAT here, because that's not part of the IPv4 specs, and it didn't even exist when this place was set up.
I've set up basic NAT, my wireless users are on it, and a few desktops, but I can't move everyone onto it because some directors like to print from home to work, and some people require access to a router-to-router VPN to another site that only works if you have a public IP address. I'd love to get a better handle on how access tables on these routers work, but if I did that I'd have to take time away from my day job, and really who wants to get yelled at for working harder?
I have no idea what I'm doing, but I can put anything I want on a public IP because there's literally no-one more knowledgeable to stop me. And I'm not gonna touch those printers because they're on a different subnet from my servers now, so screw it, they're literally not my job to secure.
They've been like that for 20+ years, how bad can it be?
Re: (Score:2)
Bring on IPv6, where we can all have a pile of public addresses, but even more public printers from clowns who never thought of setting up a half decent firewall on their router/gateway/modem/bridge.
Re: (Score:3)
Exactly, I work for a multi-billion dollar company and we have finance reports that are produced then exported to Excel files because that's all the directors know how to use. They then make pivot tables or simple formulas on them, often incorrectly, and our entire business's numbers are based on that shit. Simple things like the "average" function that treats NULL as 0... completely hoses what they think are valid numbers. Even when you show them the damned function in the help menu and it explicitly explai
Re:How did this happen? (Score:4, Insightful)
My DHCP is configured to hand out "public" addresses. Even over WiFi. Is there some reason it shouldn't be?
The idea that NAT is the way things should work is ridiculous -- it makes networking harder in about 25 different ways, makes the Internet a provider-consumer system instead of a peer-to-peer system, and it provides no "protection" beyond what you'd get from any other stateful firewall.
Re: (Score:3)
it provides no "protection" beyond what you'd get from any other stateful firewall.
Yes, because no stateful firewalls have had any vulnerabilities in them ever.
I agree with all your other points, and think it's high time for NAT to just die already, for a whole host of reasons - but let's be honest, one thing it does do is indeed add one small layer of extra security ... "NAT plus stateful firewall" cannot be less secure than "same stateful firewall on its own".
Re: (Score:2)
Most large universities in the US are wide open. It's a wild zoo out there. I used to work as a system administrator at a large public university, and most department managers and users were against using a central firewall. The only way around this was to configure a firewall on each individual machine.
Re: (Score:2)
When I worked HP printer support, it was generally people with a hub connected to a cable/DSL modem and sharing the connection to all the devices. This was around 2006 and a number of providers would supply separate IP addresses to each machine connected to the hub in this way. Whenever troubleshooting setups, if I noticed a publicly addressable IP on a printer, I'd send it a page just to demonstrate to the customer why they needed a router instead of a hub. Most of them would run out to Best Buy and call b
Google + inurl: == FUN! (Score:3)
Personally, I prefer searching for IP cameras [slashdot.org]
Re: (Score:2)
Yes, now imagine if they were things like coffee makers, toasters, and other small appliances, Java enabled, left open on the Internet.
Have a grudge against somebody? Make their toast extra dark and their coffee extra weak.
Re: (Score:2)
I saved this toast cartoon from many years ago... fun.
https://docs.google.com/file/d/0B9E-AUVchcP6NmhoNS1nQlphNHM/edit [google.com]
Re: (Score:2)
Have a grudge against somebody? Make their toast extra dark and their coffee extra weak.
Wow, Dr. Evil you are not.
Re: (Score:2)
- Mostly a bunch of business/office cameras. Yawn, if I want to look at some desks inside a boring office building I can do that when I'm at work. If I want to look at the reception area of random business I can walk out into the real world and enter businesses just like those.
- The odd control room of I don't k
Not thousands, more like 73 (Score:4, Informative)
Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.
Re:Not thousands, more like 73 (Score:4, Informative)
Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.
Actually it is about 86,500 - the 73 results are considered unique, but when you "repeat the search with the omitted results included" at the end, it includes many, many more nodes.
Re: Not thousands, more like 73 (Score:3)
No, those are the actual number of results. 86500 is an estimate that Google comes up with so it doesn't have to figure out the exact number on the first page. If you include the omitted results then you get 73 unique results.
Did anyone bother to click through? (Score:2, Insightful)
"In order to show you the most relevant results, we have omitted some entries very similar to the 13 already displayed. If you like, you can repeat the search with the omitted results included."
Asking for omitted results gives you a grand total of 73 results, no matter WHAT the top of the results page says
So
Re: (Score:2)
"Page 25 of about 2,590,000 results"
I clicked the link in the article and there were 2,590,000 results. I went to page 25 and they still look like valid results. Definitely more than 73 printers.
FTP? (Score:2)
I don't know about current HP printers, but I do remember using the nice FTP server on them in the past..
Second rule of Internet Club, no connections directly from the Internet to your Intranet.
I work in the photocopy industry... (Score:2, Informative)
And I use these open web interfaces all the time to help guide dumb ass engineers how to fix things over the phone.
The first time I spotted an MFP on the internet I did send a print job letting them know that they should probably fix it (I did check the machine was in an English-speaking country first!) But I no longer bother any more.
Apparently not new. (Score:3)
Here's an article from as far back as 2007
http://www.bloggingwv.com/print-around-the-world/ [bloggingwv.com]
hmmmm why assume this is a mistake? (Score:2)
Perhaps these thousands of printers (thousands? that's it?) are out there on purpose because people WANT others to be able to send them printouts? Perhaps they just want something like email, but that they can read offline?
Perhaps it's a way of collecting reading material? I think the smart thing to do is to go with that assumption and send them something to read.
HP Printers don't run Oracle's (Sun) JVM (Score:4, Informative)
The article leads the reader to believe that the VM running on HP LaserJet printers is an old version of Sun's -- now Oracle's -- JVM. That's not true. HP printers run ChaiVM, a clean-room implementation written based on the published specification. Moreover, HP has historically recommended that their customers NOT expose printers to the public Internet. The embedded web server is an administration tool, not a fully-fledged HTTP server, and was not designed to be used that way.
Disclaimer: Even though I work for HP and had access to the LJ firmware internals in the recent past, I'm NOT speaking on behalf of HP.
Uh.. No.. Try 72 (Score:2)
If you click to the next page of results, google corrects its estimate to read
" Page 2 of 13 results (0.13 seconds)"
Although it does admit
"In order to show you the most relevant results, we have omitted some entries very similar to the 13 already displayed.
If you like, you can repeat the search with the omitted results included."
If you choose to show the omitted results, and click through the pages, you get to the 8th page, which indicates:
"Page 8 of 72 results (0.12 seconds)"
Still nowhere near 86,000
And whi
I submitted this to Slashdot in late 2011 (Score:2)
I submitted this flaw to Slashdot in late 2011 (with a one word search term I believe!) and it never appeared in any story. I did post up [osnews.com] about the story rejection on OSNews a few months later.
If I could find out how to search for old Slashdot submissions I would do, but I can't see anything in my Slashdot account settings/profile that lets me see all the attempted submissions I made.
Re: (Score:2)
*checks printer*
Re: (Score:3)
I used to work at a university too. I was aware of security issues with printers as far back as the year 2000. One shocking thing is that not only are the printer and web ports wide open, a lot of people do not even bother to set a telnet password on them.
There are a few half baked solutions. Most printers out there have rudimentary access control capability. I have had experience with HP printers. All of them allowed me to control access by subnet number. Also, if you know that no one needs to access a printe
Re: (Score:2, Interesting)
What I loved were the printers at all three of the colleges I went to, which all had complicated systems set up so that they could charge you to print on the printers. However, open up Wireshark and in less than a second you would receive a couple hundred packets from printers advertising themselves. And it wasn't just student printers either; the very printers they were charging us to print from were available for free and letting everybody know.
Re:already used for spam... (Score:5, Funny)
What I loved were the printers at all three of the colleges I went to, which all had complicated systems set up so that they could charge you to print on the printers. However, open up Wireshark and in less than a second you would receive a couple hundred packets from printers advertising themselves. And it wasn't just student printers either; the very printers they were charging us to print from were available for free and letting everybody know.
It's even worse than that, given that university regulations require that all software of this kind is developed in-house by underpaid student interns, the accounting software is usually as sucky as you can get. When I was a student you could set the page count in your postscript jobs to a negative value and it'd credit your account every time you printed something. I paid off my student loan that way.
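The negative page count trick above is a textbook case of billing on client-supplied data. A PostScript job's DSC header (`%%Pages:`) is just a comment the submitter writes, so accounting that reads it and multiplies by a rate will happily credit an account. The snippet below is an added example for this thread, not any university's accounting code: it shows the vulnerable version next to a hardened one that refuses implausible declarations up front and bills from the device's own page counter after the job. The PostScript jobs, the counter values and the `max_pages` quota are constructed for the example.

```python
import re
from typing import NamedTuple

# Constructed PostScript jobs. The first lies in its DSC header the way the
# post describes; the second declares the truth. Both actually print 2 pages.
MALICIOUS_JOB = """\
%!PS-Adobe-3.0
%%Title: refund
%%Pages: -50
%%EndComments
%%Page: 1 1
(page one) show showpage
%%Page: 2 2
(page two) show showpage
%%EOF
"""
HONEST_JOB = MALICIOUS_JOB.replace("%%Pages: -50", "%%Pages: 2")

HEADER_PAGES = re.compile(r"^%%Pages:\s*(-?\d+)\s*$", re.M)
PAGE_MARKER = re.compile(r"^%%Page:", re.M)


class Charge(NamedTuple):
    pages: int
    cents: int
    basis: str


def charge_from_header(job: str, cents_per_page: int) -> Charge:
    """Vulnerable accounting: believe the client's %%Pages: line.
    A negative value turns into a credit, which is the bug in the post."""
    m = HEADER_PAGES.search(job)
    declared = int(m.group(1)) if m else 0
    return Charge(declared, declared * cents_per_page, "client header")


def admit(job: str, max_pages: int = 500) -> int:
    """Hardened admission check, run before the job is released to the printer.
    It still reads client-supplied comments, so it is only a sanity filter and
    quota estimate: refuse non-positive declared counts and implausible sizes.
    Returns the page estimate used for quota purposes."""
    m = HEADER_PAGES.search(job)
    declared = int(m.group(1)) if m else None
    if declared is not None and declared <= 0:
        raise ValueError(f"rejected: declared page count {declared} is not positive")
    estimate = max(len(PAGE_MARKER.findall(job)), declared or 0)
    if not 1 <= estimate <= max_pages:
        raise ValueError(f"rejected: {estimate} pages is outside 1..{max_pages}")
    return estimate


def settle(counter_before: int, counter_after: int, cents_per_page: int) -> Charge:
    """Hardened billing: charge what the device itself counted (its page
    counter read before and after the job), never anything the client sent."""
    printed = counter_after - counter_before
    if printed < 0:
        raise ValueError("device page counter went backwards; refusing to settle")
    return Charge(printed, printed * cents_per_page, "device counter")


if __name__ == "__main__":
    print("vulnerable:", charge_from_header(MALICIOUS_JOB, 10))
    try:
        admit(MALICIOUS_JOB)
    except ValueError as e:
        print("hardened:  ", e)
    print("honest job admitted for", admit(HONEST_JOB), "pages")
    print("settled:   ", settle(104_221, 104_223, 10))
```

The split into `admit` and `settle` is the design point: nothing the client writes into the job should ever determine the amount charged. Counting `%%Page:` markers or `showpage` operators is no better in the end, since both are under the submitter's control, so the pre-check is only there to refuse obvious garbage and enforce a quota; the money comes from a counter the submitter cannot write to.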
Re:already used for spam... (Score:5, Funny)
Balls do not pay the rent.
I suppose that depends on what you do for a living.