Google has indexed thousands of publicly accessible HP printers (port3000.co.uk)
241 points by skattyadz on Jan 25, 2013 | hide | past | favorite | 141 comments



Idea for startup.

1. write a script to scrape Google links to HP admin panels

2. filter out the IPs that are from US (given you want to work on US market)

3. assemble the list of printer types and current toner levels.

4. write a script that will print to each of those printers one single page, stating your company "Cheapo Suppliers Inc" was notified that "your printer is low on toner. Call xxxxxx to re-fill. Lowest prices guaranteed with one day delivery!". You can add a link to your shop page that already redirects the user to the specific type of printer they have, some type of one-click order (based on which toners are low).

5. daily rinse repeat.

6. sell your business to HP (at least try to).


Nostalgia Scam Time:

Back in the late 90s there was a common scam run against big-ish offices.

A caller would call asking to talk to the person in charge of printers, typically either IT or Facilities.

Once connected they would say that they are sending out the recipient's free gift, which was some lame piece of electronics - often a small television. They would get the work address and confirmation to ship the free gift. They would claim that along with the free gift - they would send a sample toner cartridge that had "super fine toner in it, certified by HP to last 3 times as long as other toner cartridges"

Then, along with the free gift, a PALLET of toner cartridges would be sent - along with an invoice for some ridiculous amount.

When I got my first call about these "super fine toner cartridges" - I got suspicious and contacted HP. They told me about the scam - but that it was hard to find the people. They asked me to get as much info as I could from them if they called again. I got a call again, got as much info as I could without accepting the offer for the free gift - but they wound up sending it to me, along with the pallet of cartridges as well.

HP came to my office and picked it all up after contacting them again.

Over the years - I received more of these calls - and as soon as they brought up toner and free gifts, I told them I knew the scam they were running - and they would promptly hang up on me...


There's some law against postal fraud that says whatever they send you through the post is yours (to avoid exactly this kind of scam)

You can try not paying the invoice and see what happens.


Yeah and then they retaliate by sending you two pallets of crap toner cartridges, had enough? No? Still not going to pay? Ok here are five pallets of crap toner cartridges sitting in your mail room. Call up the dump, "What? Toner? That's probably toxic waste, you'll have to make an appointment and pay the extortionate hazardous waste fee." Then the toner guy calls back "You either pay us or next time it will be 10 pallets."


That doesn't seem like a cost-effective way to scam someone. The victim could just sell the toner themselves, right?

Sounds pretty stupid.


Because it is a scam, the toner isn't viable toner. The SJ Mercury News had a story on this during the great re-inking (people refilling ink carts, HP retaliating) and this particular scam was tied to people getting 'scrap' toner (which is where they offered to dispose of unused/old/not-to-spec toner, got paid to do so, took it and poured it into plastic toner holders and then tried to sell it as 'oem' or 'extra fine' toner etc). There were complaints that it clogged printers, had smearing issues, and cost money to throw away. So the scammers were getting it on both ends, money to dispose of it, and money from people tricked into buying it. The key here is that if there were a legitimate way/value to selling this toner they wouldn't be using it in their scam, they would just be selling it.


At that point it's extortion and you can tell the police where the criminals are going to show up. No different than any other "We're going to keep dumping stuff on your lawn until you pay us protection money."


Is there a reason you couldn't just refuse delivery?


Yeah - this was in 1997...


I think that law dates back decades. I don't think it applies to non USPS carriers though. That said my Google-fu is weak against this particular law.


It's not a postal thing, I believe it's common law. If someone ships you something unsolicited, you are under no obligation to return the item or make payment.


Aha! "Unsolicited" was the missing piece in the Google puzzle. It's actually not common law. It's 39 USC § 3009: http://www.law.cornell.edu/uscode/text/39/3009, and was passed in the Postal Reorganization Act of 1970.

I believe this was originally in response to shoe manufacturers mailing people shoes and then invoicing for them if they weren't sent back.

As for whether it applies to non-USPS shipments, I have strong doubts. The law says "mail", and my understanding is that because the USPS is a protected monopoly, non-USPS carriers are explicitly not mail services.


Rest assured that this was going on with copiers in the early 80's as well!


I'm a little unclear as to how exactly they planned to enforce payment for unsolicited toner. What am I missing?


Sending random invoices to companies hoping they'll just pay without thinking about it is a pretty common scam actually. Here in Germany for instance you start getting dozens of fake invoices via ordinary mail the exact second you register a new company, and I guess it's not very different in other countries.


Their scam is that when they invoice - they hope that the company is big enough to the point where A/P just pays it when they say "Yeah so-and-so in IT confirmed this order" -- they are hoping that the initial contact and the AP departments don't talk.


Then why even bother sending a pallet of toner? Lots of other invoicing scams "invoice" for non-existent stuff.


Perhaps for psychological effect


http://business.ftc.gov/documents/bus24-avoiding-office-supp...

They threaten, talk to A/P directly and demand payment (skipping over the original agent), all sorts of ways.


How long ago was this written? They make reference to ordering typewriter ribbons ...


The PDF says March of 2000, but it was probably around for decades beforehand :)


Exactly.


No nostalgia required ... they still call, even the small business I work for gets at least one or two calls for toner cartridges and we work for your printing company a month.


Yup. They are still around and pretty ruthless. They get the printer models on the first call from a receptionist or someone "I'm calling about fixing the printer... that's a... HP... right? No? Konica, yeah, that's right we have that change in our forms."

Then they call back again and ask for the person in charge of ordering toner and reference the exact model. Sigh. Almost as bad as the "yellow page" people.


I've had not just people calling, but a door-to-door toner salesperson visit as recently as last year.


In the US, this will get you arrested, you will have a huge fine and probation, and prison time is not off the table.

I'll refer you to the CAN-SPAM Act of 2003, which does not just govern unsolicited e-mail, but all commercial mail which the law defines as electronic communication (bulk faxes, etc.)


Let's not overreact here.

The printers are on public wire.

You have not committed any crime by using Google to find them.

You obtained access to their open HP admin panel via public link with no password or credentials you had to pass.

You haven't stolen any information and, furthermore, there is NO confidential information even to be stolen to start with.

On top of that, you cannot even determine who they are (name, company, address, email, nothing?). They are totally unidentifiable, sitting at a raw IP address. Sure you know someone is using an HP printer. Can you get legally punished for that?

I don't think that taking advantage of publicly accessible information is punishable by jail, especially since no one got hurt and no information was stolen, whether it is information someone made their living off of (Aaron case), or just totally worthless information such as what brand of computer or printer is being used. It would be hard for a company to sue you -- (lack of merit)?

If Google got away with snooping private data from open WiFis (and I am sure they made some sort of use of all that gathered data, even if only internally), then I am pretty sure you won't get any heat for such a petite stretch of snooping people's printers.

Another thought: you may say that someone can sue you for printing a page using their material and toner, but that's too little damage to even start with. However, arguendo, if you would get slammed with a class action lawsuit, you are most likely a millionaire from your idea anyways :)


But you are not AUTHORISED to access said resources, so you would be in violation of the Computer Fraud and Abuse Act.


It's about time for all people to recognize that web server software is an unrestricted broadcasting system by default and that if users want some sort of security they should definitely get behind a firewall or restrict MAC addresses. If they fail to enforce security it should be their fault, not the person accessing them. Apache and other web server software vendors should put that in their license. If that clause had been there maybe Aaron Swartz would still be alive today. As things stand today it's just a lame way to enable irresponsible people to set up web servers and printers containing web servers to put their hands up and say "not my fault." If people want to play geek they'd better learn geek. No excuses.


Who says I am not authorised? I can claim that public access is an implicit authorization, like any website! And there is no warning or message in the public control panels.


Can you really argue in good faith that you are legally authorized to print something on their printer?


Is a printer publicly accessible over an IP network really so different from a fax machine publicly accessible over switched phone network? Hell, many times (probably always these days) the fax machine is a printer so if the printer is a "computer" the fax machine half of it surely should be as well.

I can see them getting you for spam, just as they can with unsolicited faxes I believe, but anything more than that? Seems a little silly.

To add to the printer/fax comparison, I have known people who used printers in different physical locations within an organization as a "fax machine" that was easier to use with a computer. Need to send some documents to the guys across the state? Print it to them.


Yes, I think you can.

There have been case(s) I think (in the USA) concerning websites where it was argued successfully that placing a non-password-protected page on the public internet was implied consent to access/use that service.

That seems the right way to do it. You can't then, for example, put up a website which enables printing and then claim that people who use it are financially liable for using that service.

That would be like putting a bench on a busy street and then popping up and charging people if they happened to sit on it - if they sit down, you can tell them they're not authorised to sit without payment, or you can advertise lack of authorisation (eg with a price list) but otherwise you're implying consent.


Yeah, and there is a guy currently fighting in court because he changed some numbers in a URL and was able to get information on other customers from AT&T ... CFAA.


This is different in essential details. Google are indexing these pages. That means the pages are advertised as part of the public internet.

Now not every layman knows how to properly hook things up to the internet, but there is a definite implied consent in doing so. If the pages were restricted by password and we were bypassing it, or they were locked to an IP and we could spoof it, then there wouldn't be an implied consent to access the service being provided; but that's not the case here.

If you want to look at intent then it's notable that many listed are University addresses - people setting up those printers absolutely know what they're doing.

If you purposefully used excessive paper/ink or you kill the hardware with a broken firmware update then those things are definitely not authorised by the implied consent and would constitute vandalism.


But we didn't change anything here; it's just a website that says: "Select the file you want to print" and that's it.


And you think the owners of the printers really enjoy others using them like that? That all those IPs are set up like this on purpose?


Is there a fact we can examine to answer that/those questions?


If you have to ask the question, I think you already know the answer.


The enjoyment or lack of it by the printer owners is probably not a valid legal argument.


[Citation needed]

(also, how very considerate of you)


Do you really believe that? That the owners of the printers on this public wire would appreciate, in fact deliberately encourage, anonymous users accessing them like that?


Good faith doesn't matter. It (at least should) matter what the law says.


> Who says I am not authorised?

The Federal Prosecutor threatening with 50 years of jail time. Or you can accept this no-brainer plea bargain for only 1 year.

See also, 50 million posts on this subject last couple weeks since prominent software engineer suicided himself.


http://en.wikipedia.org/wiki/Weev is getting sued for inputting information on a public website which at that point gave him details about users...


I don't see where the implied consent is unless they were advertising the availability of those addresses on the public internet, eg they were listed in Google. It's a small but crucial difference to the legal position IMO.


If I leave my keys in the car, leave the car turned on with the door opened, are you authorized to drive my car?


One cannot reason about computers using analogies and expect to come to any useful conclusion.


> The printers are on public wire.

> You had not done any crime by using Google to find them.

> You obtained access to their open HP admin panel via public link with no password or credentials you had to pass.

There's even less barrier to sending a junk fax, and that can get you fined and potentially jailed.


I will argue. A junk fax is a message sent to a number for no reason. In my example I would only send messages (print) to the printers that are low on toner. I would NOT print on every single printer just because I can. Huge difference.


Your statement is totally sane. But the legal system isn't. Typing a public URL passes for "hacking" in our crazy courts.


You miss the point. Even if it is not illegal for you to connect to the printer, it is illegal to spam.


I think it would fall under unauthorized access.


Better yet, print a QR code, they can just scan it with their iPhone.


What a great way to distribute malware. Host it on a server somewhere, encode the URL in a QR code, and print just the code, blown up large, with no descriptors to printers everywhere. People will be so intrigued they'll just scan it. Aaaaaaaaand infected.


talking about hp printers and malware: http://www.youtube.com/watch?v=njVv7J2azY8


That's probably illegal not only in the US.


Worse than printing somewhere remote, many of those are probably also scanners. If the original is left on the glass (I forget it all the time), an attacker could scan it remotely.


Some scanners (and printers, for that matter) store cached copies of recently scanned/printed items. Probably you could grab those if you knew what you were doing.


That's a very bad idea, you should call your lawyer/a law firm to prepare for the impending deluge of threatening letters and lawsuits filed against you.


I only pointed out that there is more danger for people with publicly available printers than just getting random junk printed.

You are jumping to conclusions.


These sorts of interfaces are often connected to fileshares, so there's probably a route in there for a cracker. Also it may be possible to upload firmware - either corrupted firmware that bricks the printer or firmware that sends copies of all printed docs to a file store.


Some of the IPs are registered to large US universities, who list abuse/tech support email addresses in their records. I've already emailed several with a heads-up and had a couple of "thank you!"s in reply.


You're lucky you haven't gotten accused of "hacking" yet.


Smart good Samaritans still use dead drop email addresses.


So... Where's Ang Cui at?

In case you guys haven't seen it, Ang Cui is the guy who did the Cisco hack last month and he's also the guy with the coolest resume on the planet.

He actually found a way to compromise printers during the print process, so by printing his resume, he pwns your printer. This seems like a bull in the china shop situation for that code.


This is what you're talking about.

And for those that haven't seen it.. do yourself a favour and sit through the entire hour-long video; you won't regret it.

http://arstechnica.com/security/2013/01/hack-turns-the-cisco...


That's really nothing compared to searching for Canon ImageRunner admin pages (google lets you search for a URL by content/markers/text in the page info/name) - over on those imagerunner tech forums, people were able to bring up previous scans going back however far, and in minutes be looking at passports, medical records, college information, etc...

Maybe more disturbing is that as these things are decommissioned they are just 'junked'. Meaning sent overseas as-is to be 'disposed' - anything ever copied, scanned, or sent on that thing is in there somewhere and some foreign nation is in control of MFDs that were in hospitals, law firms, architect/contractor offices, police stations, and on and on and on.

The holes have been largely fixed through encryption and other techniques but only very recently - which I've been able to work around myself with forensic tools. I won't provide the link here, but if you google around you can find discussion on this topic pretty easily.


> anything ever copied, scanned, or sent on that thing is in there somewhere

I wouldn't be terribly surprised to find out my MFD has more persisted and recoverable in it than my first guess of how much it has (nothing), but it certainly doesn't have every page that's ever gone in or out of it.


This is actually one of the earliest searches that was used on the Shodan search engine! Shodan specializes in finding all devices connected to the Internet (including Telnet, SSH, FTP, SNMP etc.):

http://www.shodanhq.com/search?q=hp+jetdirect http://www.shodanhq.com/search?q=laserjet http://www.shodanhq.com/search?q=HP-ChaiSOE


I wrote a scriptable "chooser" when I was at Apple -- it let you programmatically find and select a printer to print to.

I enumerated every printer on campus (about 900 of them at the time, I think), and came /this close/ to printing a snarky page -- a fake version of the "Five Star News" internal company news -- on each one of them. Decided not to; probably a good career move that I resisted that urge.


Asking from ignorance here, is there a common protocol in use to communicate with printers e.g. find, interact with (print) and query (ask for toner level for instance) them?

Seems it would make a valuable tool for managing a larger number of printers, to know when to switch the toner for instance.


Someone did just this in my high school. They nearly got expelled.


So is the secret service going to knock on my door if I click a link? I can't tell anymore.


The secret service is going to knock for some reason or another anyway, so stop living in fear and live your life.


I've written about this before.[1] Many network-connected printers simply assume that the local network they connect to will be securely protected from external threats, so they're not configured to withstand even the simplest of attacks. This is exactly the opposite of what many security experts recommend: devices should be secure regardless of whether the network they're on is secure or not.

Bruce Schneier's personal WiFi network at home is fully open, because -- in his own words: "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."[2]

I'm waiting for the great network printer security apocalypse...

--

I ran a quick nmap command (nmap -T4 -A -v -PE [IP address]) on a few of the many printers indexed by Google, and here's a typical result, showing tons of open ports and passwordless login options (I've deleted the hostname and IP address to protect the innocent):

  Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-25 12:15 EST
  NSE: Loaded 36 scripts for scanning.
  Initiating Ping Scan at 12:15
  Scanning XXX.XXX.XXX.XXX [1 port]
  Completed Ping Scan at 12:15, 0.10s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 12:15
  Completed Parallel DNS resolution of 1 host. at 12:15, 0.14s elapsed
  Initiating Connect Scan at 12:15
  Scanning [HOSTNAME] (XXX.XXX.XXX.XXX) [1000 ports]
  Discovered open port 23/tcp on XXX.XXX.XXX.XXX
  Discovered open port 21/tcp on XXX.XXX.XXX.XXX
  Discovered open port 443/tcp on XXX.XXX.XXX.XXX
  Discovered open port 80/tcp on XXX.XXX.XXX.XXX
  Increasing send delay for XXX.XXX.XXX.XXX from 0 to 5 due to max_successful_tryno increase to 5
  Increasing send delay for XXX.XXX.XXX.XXX from 5 to 10 due to max_successful_tryno increase to 6
  Warning: XXX.XXX.XXX.XXX giving up on port because retransmission cap hit (6).
  Discovered open port 14000/tcp on XXX.XXX.XXX.XXX
  Discovered open port 631/tcp on XXX.XXX.XXX.XXX
  Discovered open port 280/tcp on XXX.XXX.XXX.XXX
  Completed Connect Scan at 12:15, 37.26s elapsed (1000 total ports)
  Initiating Service scan at 12:15
  Scanning 7 services on [HOSTNAME] (XXX.XXX.XXX.XXX)
  Completed Service scan at 12:16, 13.09s elapsed (7 services on 1 host)
  NSE: Script scanning XXX.XXX.XXX.XXX.
  NSE: Starting runlevel 1 (of 1) scan.
  Initiating NSE at 12:16
  Completed NSE at 12:16, 3.57s elapsed
  NSE: Script Scanning completed.
  Nmap scan report for [HOSTNAME] (XXX.XXX.XXX.XXX)
  Host is up (0.11s latency).
  Not shown: 978 closed ports
  PORT      STATE    SERVICE      VERSION
  21/tcp    open     ftp          HP LaserJet P4014 printer ftpd
  |_ftp-anon: Anonymous FTP login allowed
  23/tcp    open     telnet       HP JetDirect telnetd
  25/tcp    filtered smtp
  80/tcp    open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  111/tcp   filtered rpcbind
  135/tcp   filtered msrpc
  139/tcp   filtered netbios-ssn
  280/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  443/tcp   open     ssl/http     HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  445/tcp   filtered microsoft-ds
  515/tcp   filtered printer
  631/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  1433/tcp  filtered ms-sql-s
  1720/tcp  filtered H.323/Q.931
  3168/tcp  filtered unknown
  4550/tcp  filtered unknown
  6000/tcp  filtered X11
  6112/tcp  filtered dtspc
  8654/tcp  filtered unknown
  9100/tcp  filtered jetdirect
  14000/tcp open     tcpwrapped
  19315/tcp filtered unknown
  Service Info: Device: printer

--

[1] http://news.ycombinator.com/item?id=4412714

[2] http://www.schneier.com/blog/archives/2008/01/my_open_wirele...
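As an added example (not from this thread or from the nmap project), here is a small audit script that parses an nmap normal-output report like the one quoted above and flags the services a defender would want closed on a printer: anonymous FTP, telnet, the HP-ChaiSOE web admin panels, and the raw 9100 print port. The sample report is an excerpt of the masked scan output in the comment; the port list and finding texts are this script's own.

```python
"""Flag unauthenticated printer management services in an nmap report.

Added example (not from the HN thread or from nmap): parses nmap's normal
output, attaches NSE script lines to the port row above them, and reports
services that give a remote user read or write access to printer state.
"""
import re
from dataclasses import dataclass, field

# Port row, e.g. "21/tcp    open     ftp          HP LaserJet P4014 printer ftpd"
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script line attached to the previous row, e.g. "|_ftp-anon: Anonymous FTP login allowed"
SCRIPT_ROW = re.compile(r"^\|[_ ]\s*([\w-]+):\s*(.*)$")

# Ports on which HP-ChaiSOE exposes the embedded web server in the report above.
ADMIN_HTTP_PORTS = {80, 280, 443, 631}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str = ""
    scripts: dict = field(default_factory=dict)  # NSE script id -> output


def parse_nmap(report: str) -> list:
    """Return one Service per port row, with NSE script output attached."""
    services = []
    for raw in report.splitlines():
        line = raw.strip()
        m = PORT_ROW.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version or ""))
            continue
        m = SCRIPT_ROW.match(line)
        if m and services:  # script output belongs to the most recent port row
            key, value = m.groups()
            services[-1].scripts[key] = value
    return services


def audit(services: list) -> list:
    """Return a finding string for each open service that needs no credentials."""
    findings = []
    for s in services:
        if s.state != "open":  # filtered/closed ports are not reachable
            continue
        if s.name == "ftp" and "Anonymous FTP login allowed" in s.scripts.get("ftp-anon", ""):
            findings.append(f"{s.port}/{s.proto}: anonymous FTP login")
        elif s.name == "telnet":
            findings.append(f"{s.port}/{s.proto}: telnet management interface reachable")
        elif s.port in ADMIN_HTTP_PORTS and "html-title" in s.scripts:
            findings.append(f"{s.port}/{s.proto}: web admin panel '{s.scripts['html-title']}' reachable")
        elif s.port == 9100:
            # Raw JetDirect port: anything written to it is printed, which is
            # why nmap skips it during version detection unless --allports is given.
            findings.append("9100/tcp: raw print port reachable (anything sent is printed)")
    return findings


# Excerpt of the masked nmap report quoted in the comment above.
SAMPLE_REPORT = """\
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          HP LaserJet P4014 printer ftpd
|_ftp-anon: Anonymous FTP login allowed
23/tcp    open     telnet       HP JetDirect telnetd
25/tcp    filtered smtp
80/tcp    open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
|_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
443/tcp   open     ssl/http     HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
|_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
631/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
9100/tcp  filtered jetdirect
14000/tcp open     tcpwrapped
Service Info: Device: printer
"""


def audit_report(report: str) -> list:
    """Convenience wrapper: parse a report and return its findings."""
    return audit(parse_nmap(report))


if __name__ == "__main__":
    for finding in audit_report(SAMPLE_REPORT):
        print(finding)
```

Run it against `nmap -oN` output for your own printers; every finding is a service to disable, password-protect, or firewall off the public interface.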


A few months ago I erroneously port scanned our office HP networked printers (I meant to scan our internal servers but a typo meant I selected the wrong IP range). As soon as nmap encountered the JetDirect ports every single printer spewed out a dozen pages of total gibberish. Put it this way - I bet the owners of the printers you just scanned are slightly puzzled why their printer kicked into life.

More worrying is that on many unpatched HP printers[1] it is entirely possible to push an unauthorised firmware update through port 9100.[2]

--

[1] Enabling OS updates is one thing but I wonder how many businesses actively update their printers to the latest firmware versions?

[2] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.js...


mattkirman: nothing happened to the owners of those printers, because I didn't run nmap with the "--allports" option. As the man page explains, by default nmap doesn't send anything to port 9100 precisely to avoid running into this issue:

  --allports (Don't exclude any ports from version detection).
      By default, Nmap version detection skips TCP port 9100 because some
      printers simply print anything sent to that port, leading to dozens
      of pages of HTTP GET requests, binary SSL session requests, etc.
      This behavior can be changed by modifying or removing the Exclude
      directive in nmap-service-probes, or you can specify --allports to
      scan all ports regardless of any Exclude directive.


The same goes for smart TVs. Most of them you can push stuff to via DLNA without a password. Much amusement to be had.


I think the Sony TVs offer an onscreen pop-up before accepting commands from unregistered DLNA controllers although maybe that can be faked (and maybe there is a flaw, I've never explored it deeply).


This is correct, though you could cause a flood of requests that block input from the real user (each has to be dismissed in order).


Mine doesn't. Bravia EX series.


If you want to tell me model numbers I'll have a think about why that may be. I used to work in Product Planning for them; although I didn't have any role specifying this feature I was aware of it.


IMO Bruce Schneider should be more careful because lots of routers are very capable general-purpose computers and he's definitely responsible for what goes out of his IP address.


Just because his WiFi is open doesn't necessarily mean that you'll be able to access his router configuration. And as he says, having an open network means that you have an excuse if someone does use your internet for something illegal...

And it's Schneier.


Interestingly, if you try to browse far into the results, Google decides it actually only has 73 to display (after telling it to include omitted similar results).


Google makes only a rough estimate of the total number of results. Try it on any query that returns a relatively small number of results.


86000 is certainly a _rough_ estimate of, um, 17.


I think Google is cleaning it up. (shows only 13 results for me)


That's with similar entries omitted. You need to go to the second page and have it repeat the search with those entries included.


ah my bad. Thanks for pointing out.


add a number to the search term, e.g. "123"...


A friendly thing to do would be develop a script that took the google results, checked with whois for abuse address and sent emails. Of course that could also end up with one being sent to jail for a long time.


Isn't it required that there's an abuse@ address to comply with RFCs? So take the Google link list, do a reverse domain lookup, uniq, and email abuse@$(those domains).


Why would anyone go to jail for this?


The nail that sticks up gets hammered.

If someone else later does something bad with the publicly accessible printer and there's a witch hunt for the responsible party, and the only lead they have is that you emailed them about the possibility in advance...then they'll go after you, even though you were just trying to do a good thing.

And if you're expecting the victim / police / legal system to understand that, technically speaking, it could have literally been anyone with an Internet connection...Or if you think that your good intentions and lack of criminal record mean that the most you'll get is a slap on the wrist even if they think your email "proves" that you did it...you're quite naive, especially given all the recent coverage of Aaron Swartz.


I should note that this isn't unique to computers, by the way. You should also never leave a note on an unlocked car saying "hey, noticed your car was unlocked --signed XYZ".


Also, if someone really wanted to do something bad at least they would do it from Tor or a shadowy proxy from eastern Europe...


Yes, but a Good Samaritan probably wouldn't go to such lengths to hide their identity.


Ok, but IP logs would throw down their assumptions. They wouldn't be able to prove a thing.


> The nail that sticks up gets hammered.

Thank you.


How can I tell if my home printer is securely protected? Is there a good web page or text book anyone can recommend that will teach me more details about this? Thanks.


In a home network you typically have a router that separates your LAN (local area network) from the internet and shares one public IP among the devices in your network; in that case you have little to worry about. You can tell by the kinds of IP addresses your devices have: if it starts with 192.168.x.y, 172.x.y.z, or 10.x.y.z, then it's not reachable from the internet. The problem with these printers is that on their network there's no such separation and they are listening on a publicly routed IP address, but they've been designed with the tacit assumption that they will be used on a secured network.


Unless you have IPv6 turned on ... in which case many of these printers will automatically grab an IPv6 and be publicly accessible.


Depends. Some builds of Tomato (Toastman's for sure) put a firewall up on IPv6 by default. Asus's firmware does NOT firewall IPv6 at all. If you have shell access to your router, I suggest putting up a firewall on IPv6. The following should work (change br0 to the bridged LAN interface and eth0 to the WAN interface, sometimes it's a vlan):

  ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  ip6tables -A FORWARD -i eth0 -o br0 -p all -j DROP
  ip6tables -A FORWARD -i br0 -j ACCEPT
  ip6tables -A FORWARD -o br0 -j ACCEPT
  ip6tables -A FORWARD -j DROP
Of course insert whatever open ports you want after the first line.


Should we now all print documents to those printers with warnings saying that they are publicly accessible?


I'm assuming that it is just the setup/status/diagnostics control panel so you'll not be able to print anything arbitrary (shame, it could be a fun game!). If you are of a mind to wind someone up you might be able to kick out a pile of test pages and reconfigure the thing so it is no use until someone does a factory reset.

A similar but worse case was some years ago when a range of consumer router+firewall boxes had a fault which made them present their control interface on the WAN interface and had no password set by default. A large number of those somehow got into a search index (it may have also been Google, I can't rightly remember), and from there you can probably do more harm than you can from a printer.


I've looked at two and both had the option to print a file that you uploaded. Of course I didn't actually try to print anything, but it looks like you probably could.


I may or may not have just printed out some random messages for people to find.

There is something strangely compelling about sending thoughts out into the ether with no chance of feedback. Fax pranks are before my time, but I totally get it. I hope I made somebody smile today.


I already tried and printed PDF file, it works.


Either that or freak people out by printing messages from ghosts stuck in their printer.


And risk five years in prison for unauthorized access of a computer? I think not.


Why do you think it is unauthorised?

The other question, which would be fascinating to see raised in court I feel, is whether a printer is a "computer" within the terms of the law (CFAA, CMA(UK) or whatever).

You'd probably be able to question the meaning of access too - for example if you find an IP on Google and simply send data to port 9100 that's not really access, accessing a computer is 2 ways. If the law judged spamming port 91 as "access" then sending faxes or texting someone would come under such legal acts .. that can't be within the intent of the law surely.

If other laws are used - "you sent them a message they didn't want" - then that's the end of [legal] unsolicited mail [yay!].


So within 24 hours, lots of people are going to find out what a goatse is I reckon.

Even better, a lot of people in the UK have Thomson routers which have an easily calculable WPA default password. Most of these also have smart TVs these days too which will allow anything to be pushed to them.


>Even better, a lot of people in the UK have Thomson routers which have an easily calculable WPA default password. //

That rather looks to overstep the legal line.


Probably yes, but there is no excuse for incompetence on the part of the ISPs when they ship routers to the customers.


So, next question is how much malware is hanging around for those printers? Are all / mostly / some / none compromised?


Those poor IT Support guys that get a call because their small business clients' network is going down due to everyone hitting their printer(s) at once because they show up on the first page :-\


You did this from your house?

What are you, stoned or stupid?


You can find a lot of open machines and sensitive information using Google, this one for the HP printers was submitted to the Google Hacking Database[1] in 2004.

[1] http://www.exploit-db.com/google-dorks/


I did the Google search, and while the first page does indeed show 86K results, as soon as I navigate to the second, the number drops to 13...

Am I the only one with this problem, or did Google really not index "thousands of publicly accessible HP printers"?


If you recall from the early days of Google, there is plenty of indexed dark data that Google actively scrubs out of the public results. For example it was trivial at one point to find credit card numbers and social security numbers.


One million trees just died. The problem with some of the earlier HP printers was that they would accept unsigned firmware updates, you could literally reflash the thing with an update instruction in postscript.

Some work was done at Columbia University with developing trojanised firmware, I recall a firmware that could transmit CC# over TCP when it saw them in the print stream.

Extreme care must be taken if connecting printers to the Internet. It's at best a horrible idea and I'd say that most of these are unknown to their owners. Hopefully this gets some MSM coverage and people address the connected printer problem forever. (not likely)


As far as I know this problem has been around for years. If you want to dive deeper into this, I recommend you visit Shodan (http://www.shodanhq.com/)



Make sure to watch Ang Cui's demonstration on printer malware at 28c3. http://www.youtube.com/watch?v=njVv7J2azY8


Use this only to test your own printers. http://cdn.memegenerator.net/instances/400x/33855503.jpg


I'd hate to be at the top of that google search result!!


I've a vague recollection that Google stepped in to prevent such searches working in the past?



The first thing I thought of was a course that I took decades ago that discussed using printers for covert channels to get data out of secure networks.

I wonder if any of those are honeypots. It may be interesting to see if any visitors do something clever or unexpected.


I'm surprised nobody mentioned PrintFS in this thread: http://www.remote-exploit.org/articles/printfs/index.html


Time for fun. Insert Coin, PC Load Letter, etc. Good times. http://miscellany.kovaya.com/2007/10/insert-coin.html


Wow. There is at least one printer on there in a US governmental department, and on one of the settings pages is a huge list of emails of employees. And now I'm probably on some kind of list.


>What happened to you today?

My printer got slashdotted :(

> Eh?


And again - so many wasted IPv4s...


Yes, why would a printer need to be externally addressable? The problem will only get worse if IPv6 (aka IPv4 with rivets, as the sainted Verity Stob calls it) takes off.


I used to do it so I could print stuff for consumption or filling out when I got home from the field... also, because I could (a good reason for anything). Now I use IPP for the same purpose, less security risk.


And bam, junk fax companies are back in business.


They never were out of business.


This is truly an old hack, from the days of Altavista; you can find all sorts of open devices and even file folders (I think they've censored those results now) on the internet.



