
We hacked 28,000 unsecured printers to raise awareness of printer security issue - Pick-A-Hill2019
https://cybernews.com/security/we-hacked-28000-unsecured-printers-to-raise-awareness-of-printer-security-issues/
======
beshrkayali
Yeah that’s an ad stunt for their blog. Nothing interesting really. Probably
shodan and a little python script. Yes, IoT has a security problem but you
shouldn’t be going around using people’s ink to make an already made point.

~~~
heavenlyblue
As a hacking endeavour it is lame, yes. As a social one, I think it’s better
than many others I had seen in a long time.

------
spzb
After going to the effort of "hacking" 28,000 printers I was expecting them to
provide more details and analysis. As it stands, it's a bit of a "look at me"
script kiddie stunt.

~~~
DominoTree
Seen people doing this exact thing for many years, the only difference each
time is the content printed.

~~~
myself248
Printer gerbil hungry, please load new cartridge of nuts.

------
_salmon
If you're interested in detecting these types of attacks, I wrote a printer
honeypot during my Master's program.

[https://github.com/sa7mon/miniprint](https://github.com/sa7mon/miniprint)

~~~
dordoka
I'm curious: if by chance you had some instance online, was it hit by the
article's "attack"?

------
rhn_mk1
They covered all the world. But there's no word about translations? Sending
documents to random people in English is kinda pointless (if not
self-serving)... and may spook some people.

I was kind of expecting they were selecting on device location to make sure
the recipient can understand the message.

~~~
whatch
> may spook some people

Right. I think the word "hacked" feels more aggressive and even scary than
something like "This printer is vulnerable. We are security researchers but it
could be real hackers. Here is how to secure it..."

It definitely draws attention, but in a very uncomfortable way.

It's even worse for people who do not speak English. As a Russian, I guess
"hacker/hacked" is recognizable in a lot of non-English speaking societies,
but other parts of the printed page are less so. So it definitely can
unnecessarily spook some of those people until they find a way to understand
the entire message.

------
numpad0
Is it generally illegal to send unsolicited ads over physical mail?

I mean, “hacking a printer” is surely illegal, so what if you sent a “Free
Weekly Security Newsletter“ with some news headlines and the footer saying “To
unsubscribe, secure your printer” for couple weeks?

------
rightbyte
So they wasted 140 000 A4 pages. Why not just leave the poor printers alone?
I see no need to show off just because the printer owners forgot to lock them.

~~~
sokoloff
It looks like the document printed was a single page doc.

~~~
rightbyte
Oh, I read "5 step guide" as "5 page guide". But anyway.

------
buildbuildbuild
I hope the author ran this by their legal team first.

~~~
Pick-A-Hill2019
That was my exact initial reaction (which is why I posted it). Actually my
initial reaction was 'WTF???' and so I made sure to read right to the end just
in case I misunderstood and yep - they did in fact print off pdf files to
random printers.

Thought the HN crowd would love diving into the rights and wrongs of it. It
reminded me of the 'old days' of fax spamming via uhmmm '2600' approved means
and methods.

With that said - Would I rather read some pages printed off for 'some weird
reason' (and get p*offed at the waste of paper etc) vs. inadvertently becoming
part of a possible future botnet?

I mean - How do you alert the owner of a 'Write Only' (pun intended) device?
And also hopefully at the same time kick up enough of a 'Facebook/Twitter/XYZ'
storm that Joe/Sue Q. Public notices?

That's a tough one.

~~~
floatingatoll
Are you legally liable for botnet damage done to others if your unsecured
printer is made to join that botnet by an unauthorized third party?

Does the answer change if you were notified of a misconfiguration that could
allow this?

~~~
shakna
> Are you legally liable for botnet damage done to others if your unsecured
> printer is made to join that botnet by an unauthorized third party?

Depending on jurisdiction, sometimes.

> Does the answer change if you were notified of a misconfiguration that could
> allow this?

Depending on jurisdiction, often. Not quite always, as it may fall back on the
manufacturer for not releasing a "reasonable" way to secure the machine
without loss of function. But generally speaking, if you have been notified,
you're on the hook.

------
jeroenhd
What I'm missing here is statistics on how many people actually followed the
advice their botnet printers just spewed out. A simple check a week later to
see how many printer owners managed to secure their devices would be nice.

Hacking printers just to promote your blog is kinda scummy. If you do it to
help people secure their networks, then at least show how much you've managed
to help by publishing the numbers. Anyone can use Shodan and submit a PDF with
a script.

------
schoolornot
Sometimes I leave my door open at night. Does that give you the right to walk
into my house? Morons.

~~~
colejohnson66
No, but some (not me) would argue that because you didn’t try hard enough to
stop it, it’s your fault. In other words: victim blaming.

------
moepstar
Hacking printers has been around for ages, people will never learn, no matter
the consequences (sadly).

Phenoelit also have a few "fun" tools around to mess with printers:
[http://www.phenoelit.org/hp/docu.html](http://www.phenoelit.org/hp/docu.html)

I can't recall when exactly this was (around the 2000s), I think there was a
talk or paper by FX of Phenoelit who wrote a proxy for HP printers.

So you'd go Internet <-> Printer <-> internal Network - now, that should send
a few shivers up people's spines but apparently not.

------
castratikron
Does this mean roboprinting will be a thing soon? Will my printer start
printing off ads for cruises and extended auto warranties?

------
DominoTree
Nothing here beyond wardialing for fax machines and sending them spam for a
firm. I'd call it hacking if it involved identifying forward-facing management
ports on the same printers.

------
umvi
Seems like kind of a jerk move.

"I went around and scratched the paint on 28,000 ICE cars to raise awareness
on climate change issues"

------
freddyym
A similar thing happened when someone did this promoting the YouTuber
"PewDiePie"[1]

1. [https://www.forbes.com/sites/thomasbrewster/2018/12/03/a-hacker-forced-50000-printers-to-spread-pewdiepie-propagandaand-the-problem-is-much-bigger-than-you-know/](https://www.forbes.com/sites/thomasbrewster/2018/12/03/a-hacker-forced-50000-printers-to-spread-pewdiepie-propagandaand-the-problem-is-much-bigger-than-you-know/)
