
Google has indexed thousands of publicly accessible HP printers - skattyadz
http://port3000.co.uk/google-has-indexed-thousands-of-publicly-acce
======
joering2
Idea for startup.

1\. write a script to scrape google links to HP admin panel

2\. filter out the IPs that are from US (given you want to work on US market)

3\. assemble the list of printer types and current toner levels.

4\. write a script that will print to each of those printers a one single
page, stating your company "Cheapo Suppliers Inc" was notified that "your
printer is low on toner. Call xxxxxx to re-fill. Lowest prices guaranteed
within one day delivery!". You can add link to your shop page that already
redirects user to specific type of printer they have, some type of one-click
order (based on which toners are low).

5\. daily rinse repeat.

6\. sell your business to HP (at least try to).

~~~
samstave
Nostalgia Scam Time:

Back in the late 90s there was a common scam run against big-ish offices.

A caller would call asking to talk to the person in charge of printers,
typically either IT or Facilities.

Once connected they would say that they are sending out the recipients free
gift, which was some lame piece of electronics - often a small television.
They would get the work address and confirmation to ship the free gift. They
would claim that along with the free gift - they would send a sample toner
cartridge that had "super fine toner in it, certified by HP to last 3 times as
long as other toner cartridges"

Then, along with the free gift, a PALLET of toner cartridges would be sent -
along with an invoice for some ridiculous amount.

When I got my first call about these "super fine toner cartridges" - I got
suspicious and contacted HP. They told me about the scam - but that it was
hard to find the people. They asked me to get as much info as I could from
them if they called again. I got a call again, got as much info as I could
without accepting the offer for the free gift - but they wound up sending it
to me, along with the pallet of cartridges as well.

HP came to my office and picked it all up after contacting them again.

Over the years - I received more of these calls - and as soon as they brought
up toner and free gifts, I told them I knew the scam they were running - and
they would promptly hang up on me...

~~~
doktrin
I'm a little unclear as to how exactly they planned to enforce payment for
un-solicited toner. What am I missing?

~~~
illuminate
[http://business.ftc.gov/documents/bus24-avoiding-office-supp...](http://business.ftc.gov/documents/bus24-avoiding-office-supply-scams)

They threaten, talk to A/P directly and demand payment (skipping over the
original agent), all sorts of ways.

~~~
Pinatubo
How long ago was this written? They make reference to ordering typewriter
ribbons ...

~~~
illuminate
The PDF says March of 2000, but it was probably around for decades beforehand
:)

------
mrj
Worse than printing somewhere remote, many of those are probably also
scanners. If the original is left on the glass (I forget it all the time), an
attacker could scan it remotely.

~~~
ihsw
That's a very bad idea, you should call your lawyer/a law firm to prepare for
the impending deluge of threatening letters and lawsuits filed against you.

~~~
mrj
I only pointed out that there is more danger for people with publicly
available printers than just getting random junk printed.

You are jumping to conclusions.

~~~
pbhjpbhj
These sorts of interfaces are often connected to fileshares, so there's
probably a route in there for a cracker. Also it may be possible to upload
firmware - either corrupted firmware that bricks the printer or firmware that
sends copies of all printed docs to a file store.

------
modernerd
Some of the IPs are registered to large US universities, who list abuse/tech
support email addresses in their records. I've already emailed several with a
heads-up and had a couple of "thank you!"s in reply.

~~~
flxmglrb
You're lucky you haven't gotten accused of "hacking" yet.

~~~
KMag
Smart good Samaritans still use dead drop email addresses.

------
josh2600
So... Where's Ang Cui at?

In case you guys haven't seen it, Ang Cui is the guy who did the Cisco hack
last month and he's also the guy with the coolest resume on the planet.

He actually found a way to compromise printers during the print process, so by
printing his resume, he pwns your printer. This seems like a bull in the china
shop situation for that code.

~~~
kefs
This is what you're talking about.

And for those that haven't seen it.. do yourself a favour and sit through the
entire hour-long video; you won't regret it.

[http://arstechnica.com/security/2013/01/hack-turns-the-cisco...](http://arstechnica.com/security/2013/01/hack-turns-the-cisco-phone-on-your-desk-into-a-remote-bugging-device/)

------
bintery
That's really nothing compared to searching for Canon ImageRunner admin pages
(google lets you search for a URL by content/markers/text in the page
info/name) - over on those imagerunner tech forums, people were able to bring
up previous scans going back however far, and in minutes be looking at
passports, medical records, college information, etc...

Maybe more disturbing is that as these things are decommissioned they are just
'junked'. Meaning sent overseas as is to be 'disposed' - anything ever
copied, scanned, or sent on that thing is in there somewhere and some foreign
nation is in control of MFDs that were in hospitals, law firms,
architect/contractor office, police stations, and on and on and on.

The holes have been largely fixed through encryption and other techniques but
only very recently - which I've been able to work around myself with forensic
tools. I won't provide the link here, but if you google around you can find
discussion on this topic pretty easily.

~~~
glhaynes
_anything ever copied, scanned, or sent on that thing is in there somewhere_

I wouldn't be terribly surprised to find out my MFD has more persisted and
recoverable in it than my first guess of how much it has (nothing), but it
certainly doesn't have every page that's ever gone in or out of it.

------
achillean
This is actually one of the earliest searches that was used on the Shodan
search engine! Shodan specializes in finding all devices connected to the
Internet (including Telnet, SSH, FTP, SNMP etc.):

<http://www.shodanhq.com/search?q=hp+jetdirect>
<http://www.shodanhq.com/search?q=laserjet>
<http://www.shodanhq.com/search?q=HP-ChaiSOE>

------
kabdib
I wrote a scriptable "chooser" when I was at Apple -- it let you
programmatically find and select a printer to print to.

I enumerated every printer on campus (about 900 of them at the time, I think),
and came /this close/ to printing a snarky page -- a fake version of the "Five
Star News" internal company news -- on each one of them. Decided not to;
probably a good career move that I resisted that urge.

~~~
paulhauggis
Someone did just this in my high school. They nearly got expelled.

------
VMG
So is the secret service going to knock on my door if I click a link? I can't
tell anymore.

~~~
KMag
The secret service is going to knock for some reason or another anyway, so
stop living in fear and live your life.

------
cs702
I've written about this before.[1] Many network-connected printers simply
assume that the local network they connect to will be securely protected from
external threats, so they're not configured to withstand even the simplest of
attacks. This is exactly the opposite of what many security experts recommend:
devices should be secure regardless of whether the network they're on is
secure or not.

Bruce Schneier's personal WiFi network at home is fully open, because -- in
his own words: "If I configure my computer to be secure regardless of the
network it's on, then it simply doesn't matter. And if my computer isn't
secure on a public network, securing my own network isn't going to reduce my
risk very much."[2]

I'm waiting for the great network printer security apocalypse...

\--

I ran a quick nmap command (nmap -T4 -A -v -PE [IP address]) on a few of the
many printers indexed by Google, and here's a typical result, showing tons of
open ports and passwordless login options (I've deleted the hostname and IP
address to protect the innocent):

    
    
      Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-25 12:15 EST
      NSE: Loaded 36 scripts for scanning.
      Initiating Ping Scan at 12:15
      Scanning XXX.XXX.XXX.XXX [1 port]
      Completed Ping Scan at 12:15, 0.10s elapsed (1 total hosts)
      Initiating Parallel DNS resolution of 1 host. at 12:15
      Completed Parallel DNS resolution of 1 host. at 12:15, 0.14s elapsed
      Initiating Connect Scan at 12:15
      Scanning [HOSTNAME] (XXX.XXX.XXX.XXX) [1000 ports]
      Discovered open port 23/tcp on XXX.XXX.XXX.XXX
      Discovered open port 21/tcp on XXX.XXX.XXX.XXX
      Discovered open port 443/tcp on XXX.XXX.XXX.XXX
      Discovered open port 80/tcp on XXX.XXX.XXX.XXX
      Increasing send delay for XXX.XXX.XXX.XXX from 0 to 5 due to max_successful_tryno increase to 5
      Increasing send delay for XXX.XXX.XXX.XXX from 5 to 10 due to max_successful_tryno increase to 6
      Warning: XXX.XXX.XXX.XXX giving up on port because retransmission cap hit (6).
      Discovered open port 14000/tcp on XXX.XXX.XXX.XXX
      Discovered open port 631/tcp on XXX.XXX.XXX.XXX
      Discovered open port 280/tcp on XXX.XXX.XXX.XXX
      Completed Connect Scan at 12:15, 37.26s elapsed (1000 total ports)
      Initiating Service scan at 12:15
      Scanning 7 services on [HOSTNAME] (XXX.XXX.XXX.XXX)
      Completed Service scan at 12:16, 13.09s elapsed (7 services on 1 host)
      NSE: Script scanning XXX.XXX.XXX.XXX.
      NSE: Starting runlevel 1 (of 1) scan.
      Initiating NSE at 12:16
      Completed NSE at 12:16, 3.57s elapsed
      NSE: Script Scanning completed.
      Nmap scan report for [HOSTNAME] (XXX.XXX.XXX.XXX)
      Host is up (0.11s latency).
      Not shown: 978 closed ports
      PORT      STATE    SERVICE      VERSION
      21/tcp    open     ftp          HP LaserJet P4014 printer ftpd
      |_ftp-anon: Anonymous FTP login allowed
      23/tcp    open     telnet       HP JetDirect telnetd
      25/tcp    filtered smtp
      80/tcp    open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
      | html-title: hp LaserJet 9050
      |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
      111/tcp   filtered rpcbind
      135/tcp   filtered msrpc
      139/tcp   filtered netbios-ssn
      280/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
      | html-title: hp LaserJet 9050
      |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
      443/tcp   open     ssl/http     HP-ChaiSOE 1.0 (HP LaserJet http config)
      | html-title: hp LaserJet 9050
      |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
      445/tcp   filtered microsoft-ds
      515/tcp   filtered printer
      631/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
      | html-title: hp LaserJet 9050
      |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
      1433/tcp  filtered ms-sql-s
      1720/tcp  filtered H.323/Q.931
      3168/tcp  filtered unknown
      4550/tcp  filtered unknown
      6000/tcp  filtered X11
      6112/tcp  filtered dtspc
      8654/tcp  filtered unknown
      9100/tcp  filtered jetdirect
      14000/tcp open     tcpwrapped
      19315/tcp filtered unknown
      Service Info: Device: printer
    
    

\--

[1] <http://news.ycombinator.com/item?id=4412714>

[2]
[http://www.schneier.com/blog/archives/2008/01/my_open_wirele...](http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html)
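
For anyone auditing printers they administer, a scan report like the one quoted above can be reduced to a short list of exposed management services. This is an added example, not part of the original comment; the sample text is a constructed excerpt in the same shape, the address is a documentation placeholder, and the finding labels are my own.

```python
import re

# Constructed sample modelled on the scan output quoted in the thread.
SAMPLE = """\
Nmap scan report for printer.example (192.0.2.10)
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          HP LaserJet P4014 printer ftpd
|_ftp-anon: Anonymous FTP login allowed
23/tcp    open     telnet       HP JetDirect telnetd
25/tcp    filtered smtp
80/tcp    open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
443/tcp   open     ssl/http     HP-ChaiSOE 1.0 (HP LaserJet http config)
9100/tcp  filtered jetdirect
14000/tcp open     tcpwrapped
Service Info: Device: printer
"""

# One row of the PORT/STATE/SERVICE/VERSION table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port row, with NSE script lines attached to it."""
    ports = []
    for line in text.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip(), "scripts": []})
        elif line.startswith("|") and ports:
            # "|_ftp-anon: ..." and "| html-title: ..." belong to the last port.
            ports[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return ports


def audit(text):
    """Return (port, finding) pairs for reachable printer management services."""
    findings = []
    for p in parse_ports(text):
        if p["state"] != "open":
            continue  # filtered or closed: no service answered on this port
        scripts = " ".join(p["scripts"]).lower()
        if p["service"] == "ftp":
            if "anonymous ftp login allowed" in scripts:
                findings.append((p["port"], "anonymous FTP login allowed"))
            else:
                findings.append((p["port"], "FTP exposed"))
        elif p["service"] == "telnet":
            findings.append((p["port"], "telnet management exposed"))
        elif "http config" in p["version"].lower():
            findings.append((p["port"], "printer web configuration exposed"))
        elif p["service"] == "jetdirect" or p["port"] == 9100:
            findings.append((p["port"], "raw print port exposed"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(SAMPLE):
        print(f"{port}/tcp: {finding}")
```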

~~~
mattkirman
A few months ago I erroneously port scanned our office HP networked printers
(I meant to scan our internal servers but a typo meant I selected the wrong IP
range). As soon as nmap encountered the JetDirect ports every single printer
spewed out a dozen pages of total gibberish. Put it this way - I bet the
owners of the printers you just scanned are slightly puzzled why their printer
kicked into life.

More worrying is that on many unpatched HP printers[1] it is entirely
possible to push an unauthorised firmware update through port 9100.[2]

\--

[1] Enabling OS updates is one thing but I wonder how many businesses actively
update their printers to the latest firmware versions?

[2]
[http://h20000.www2.hp.com/bizsupport/TechSupport/Document.js...](http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03102449)

~~~
cs702
mattkirman: nothing happened to the owners of those printers, because I didn't
run nmap with the "--allports" option. As the man page explains, by default
nmap doesn't send anything to port 9100 precisely to avoid running into this
issue:

    
    
      --allports (Don't exclude any ports from version detection).
          By default, Nmap version detection skips TCP port 9100 because some
          printers simply print anything sent to that port, leading to dozens
          of pages of HTTP GET requests, binary SSL session requests, etc.
          This behavior can be changed by modifying or removing the Exclude
          directive in nmap-service-probes, or you can specify --allports to
          scan all ports regardless of any Exclude directive.

------
KwanEsq
Interestingly, if you try to browse far into the results, Google decided it
actually only has 73 to display (after telling it to include omitted similar
results).

~~~
eli
Google makes only a rough estimate of the total number of results. Try it on
any query that returns a relatively small number of results.

~~~
jrochkind1
86000 is certainly a _rough_ estimate of, um, 17.

------
mentat
A friendly thing to do would be develop a script that took the google results,
checked with whois for abuse address and sent emails. Of course that could
also end up with one being sent to jail for a long time.

~~~
plumeria
Why would anyone go to jail for this?

~~~
csense
The nail that sticks up gets hammered.

If someone else later does something bad with the publicly accessible printer
and there's a witch hunt for the responsible party, and the only lead they
have is that you emailed them about the possibility in advance...then they'll
go after you, even though you were just trying to do a good thing.

And if you're expecting the victim / police / legal system to understand that,
technically speaking, it could have literally been _anyone with an Internet
connection_...Or if you think that your good intentions and lack of criminal
record mean that the most you'll get is a slap on the wrist even if they think
your email "proves" that you did it...you're quite naive, especially given all
the recent coverage of Aaron Swartz.

~~~
plumeria
Also, if someone really wanted to do something bad at least they would do it
from Tor or a shadowy proxy from eastern Europe...

~~~
csense
Yes, but a Good Samaritan probably wouldn't go to such lengths to hide their
identity.

------
feefie
How can I tell if my home printer is securely protected? Is there a good web
page or text book anyone can recommend that will teach me more details about
this? Thanks.

~~~
andreasvc
In a home network you typically have a router that separates your LAN (local
area network) from the internet and shares one public IP among the devices in
your network; in that case you have little to worry about. You can tell by the
kinds of IP addresses your devices have: if it starts with 192.168.x.y,
172.x.y.z, or 10.x.y.z, then it's not reachable from the internet. The problem
with these printers is that on their network there's no such separation and
they are listening on a publicly routed IP address, but they've been designed
with the tacit assumption that they will be used on a secured network.

~~~
X-Istence
Unless you have IPv6 turned on ... in which case many of these printers will
automatically grab an IPv6 and be publicly accessible.

~~~
ingenium
Depends. Some builds of Tomato (Toastman's for sure) put a firewall up on IPv6
by default. Asus's firmware does NOT firewall IPv6 at all. If you have shell
access to your router, I suggest putting up a firewall on IPv6. The following
should work (change br0 to the bridged LAN interface and eth0 to the WAN
interface, sometimes it's a vlan):

    
    
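      ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT  # replies to connections already open
      ip6tables -A FORWARD -i eth0 -o br0 -p all -j DROP                   # new inbound WAN -> LAN
      ip6tables -A FORWARD -i br0 -j ACCEPT                                # anything coming from the LAN
      ip6tables -A FORWARD -o br0 -j ACCEPT                                # to the LAN from non-WAN interfaces
      ip6tables -A FORWARD -j DROP                                         # everything else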
    

Of course insert whatever open ports you want after the first line.
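
A way to check the addressing question raised in this subthread across a device inventory, as an added example that is not part of the original comments. It tests each address against the exact non-routable ranges (within 172.x only 172.16.0.0/12 is private) and treats IPv6 global unicast as publicly routable; the inventory, device names and addresses are constructed, with documentation ranges standing in for real public space.

```python
import ipaddress

# Ranges that are not routed on the public internet.
NON_PUBLIC = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "carrier-grade NAT": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "IPv6 unique local": ["fc00::/7"],
}
GLOBAL_V6 = ipaddress.ip_network("2000::/3")  # IPv6 global unicast

# Constructed inventory, in the "address/prefix" form shown by `ip addr`.
INVENTORY = {
    "home-printer": ["192.168.1.40/24", "fe80::2a0:c9ff:fe12:3456/64"],
    "home-printer-v6": ["192.168.1.41/24", "fe80::2a0:c9ff:fe12:3457/64",
                        "2001:db8:10:1:2a0:c9ff:fe12:3457/64"],
    "campus-printer": ["203.0.113.25/24"],
    "lab-printer": ["172.20.5.9/16"],   # inside 172.16.0.0/12
    "odd-printer": ["172.40.5.9/16"],   # 172.x but outside 172.16.0.0/12
}


def bare(addr):
    """Strip a prefix length ("/64") and zone id ("%eth0") from an address."""
    return addr.split("/")[0].split("%")[0]


def classify(addr):
    """Return the non-public range an address falls in, or 'publicly routable'."""
    ip = ipaddress.ip_address(bare(addr))
    for label, nets in NON_PUBLIC.items():
        for net in map(ipaddress.ip_network, nets):
            if ip.version == net.version and ip in net:
                return label
    if ip.version == 6 and ip not in GLOBAL_V6:
        return "other non-global IPv6"
    return "publicly routable"


def exposed(inventory):
    """Map each device to its publicly routable addresses (devices with none omitted).

    Publicly routable means reachable unless a firewall on the path filters it.
    """
    result = {}
    for device, addrs in inventory.items():
        public = [bare(a) for a in addrs if classify(a) == "publicly routable"]
        if public:
            result[device] = public
    return result


if __name__ == "__main__":
    for device, addrs in exposed(INVENTORY).items():
        print(device, "->", ", ".join(addrs))
```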

------
jhdevos
Should we now all print documents to those printers with warnings saying that
they are publicly accessible?

~~~
dspillett
I'm assuming that it is just the setup/status/diagnostics control panel so
you'll not be able to print anything arbitrary (shame, it could be a fun
game!). If you are of a mind to wind someone up you might be able to kick out
a pile of test pages and reconfigure the thing so it is no use until someone
does a factory reset.

A similar but worse case was some years ago when a range of consumer
router+firewall boxes had a fault which made them present their control
interface on the WAN interface and had no password set by default. A large
number of those somehow got into a search index (it may have also been Google,
I can't rightly remember), and from there you can probably do more harm than
you can from a printer.

~~~
Permit
I've looked at two and both had the option to print a file that you uploaded.
Of course I didn't actually try to print anything, but it looks like you
probably could.

~~~
pliu
I may or may not have just printed out some random messages for people to
find.

There is something strangely compelling about sending thoughts out into the
ether with no chance of feedback. Fax pranks are before my time, but I totally
get it. I hope I made somebody smile today.

------
meaty
So within 24 hours, lots of people are going to find out what a goatse is I
reckon.

Even better, a lot of people in the UK have Thomson routers which have an
easily calculable WPA default password. Most of these also have smart tvs
these days too which will allow anything to be pushed to them.

~~~
pbhjpbhj
> _Even better, a lot of people in the UK have Thomson routers which have an
> easily calculable WPA default password._ //

That rather looks to overstep the legal line.

~~~
meaty
Probably yes, but there is no excuse for incompetence on the part of the ISPs
when they ship routers to the customers.

------
penguat
So, next question is how much malware is hanging around for those printers?
Are all / mostly / some / none compromised?

------
smallegan
Those poor IT Support guys that get a call because their small business
client's network is going down due to everyone hitting their printer(s) at once
because they show up on the first page :-\

------
bitwize
You did this from your _house_?

What are you, stoned or stupid?

------
tmosleyIII
You can find a lot of open machines and sensitive information using Google,
this one for the HP printers was submitted to the Google Hacking Database[1]
in 2004.

[1] <http://www.exploit-db.com/google-dorks/>

------
kunai
I did the Google search, and while the first page does indeed show 86K
results, as soon as I navigate to the second, the number drops to 13...

Am I the only one with this problem, or did Google really not index "thousands
of publicly accessible HP printers"?

------
GBond
If you recall from the early days of google, there are plenty of indexed dark
data that Google actively scrubs out of the public results. For example it was
trivial at one point to find credit card numbers and social security numbers.

------
hn-miw-i
One million trees just died. The problem with some of the earlier HP printers
was that they would accept unsigned firmware updates, you could literally
reflash the thing with an update instruction in postscript.

Some work was done at Columbia University with developing trojanised firmware,
I recall a firmware that could transmit CC# over tcp when it saw them in the
print stream.

Extreme care must be taken if connecting printers to the Internet. It's at
best a horrible idea and I'd say that most of these are unknown to their
owners. Hopefully this gets some MSM coverage and people address the connected
printer problem forever. (not likely)

------
jagermo
As far as I know this problem has been around for years. If you want to dive
deeper into this, I recommend you visit Shodan (<http://www.shodanhq.com/>)

------
aw3c2
Direct link on Google.com:
[https://www.google.com/search?q=inurl%3Ahp%2Fdevice%2Fthis.L...](https://www.google.com/search?q=inurl%3Ahp%2Fdevice%2Fthis.LCDispatcher)

------
daralthus
Make sure to watch Ang Cui's demonstration on printer malware at 28c3.
<http://www.youtube.com/watch?v=njVv7J2azY8>

------
rbchv
Use this only to test your own printers.
<http://cdn.memegenerator.net/instances/400x/33855503.jpg>

------
FollowSteph3
I'd hate to be at the top of that google search result!!

~~~
pbhjpbhj
I've a vague recollection that Google stepped in to prevent such searches
working in the past?

------
tlrobinson
Webcams too: <https://news.ycombinator.com/item?id=5116676>

------
sandycheeks
The first thing I thought of was a course that I took decades ago that
discussed using printers for covert channels to get data out of secure
networks.

I wonder if any of those are honeypots. It may be interesting to see if any
visitors do something clever or unexpected.

------
afita
I'm surprised nobody mentioned PrintFS in this thread:
<http://www.remote-exploit.org/articles/printfs/index.html>

------
fnordfnordfnord
Time for fun. Insert Coin, PC Load Letter, etc. Good times.
<http://miscellany.kovaya.com/2007/10/insert-coin.html>

------
deadairspace
Wow. There is at least one printer on there in a US governmental department,
and on one of the settings pages is a huge list of emails of employees. And
now I'm probably on some kind of list.

------
TranceMan
>What happened to you today?

My printer got slashdotted :(

> Eh?

------
hippich
And again - so many wasted IPv4s...

~~~
walshemj
yes why would a printer need to be externally addressable - the problem will
only get worse if ipv6 (aka ipv4 with rivets as the sainted verity stobb calls
it) takes off.

~~~
Aloha
I used to do it so I could print stuff for consumption or filling out when I
got home from the field... also, because I could (a good reason for anything).
Now I use IPP for the same purpose, less security risk.

------
kristopolous
And bam, junk fax companies are back in business.

~~~
mhurron
They never were out of business.

------
humanspecies
This is truly an old hack, from the days of Altavista, you can find all sorts
of open devices and even file folders (I think they've censored those results
now) on the internet.

