A grey-hat hacker going by the name of Stackoverflowin says he's pwned over 150,000 printers that have been left accessible online.
Speaking to Bleeping Computer, the hacker says he wanted to raise everyone's awareness towards the dangers of leaving printers exposed online without a firewall or other security settings enabled.
For the past 24 hours, Stackoverflowin has been running an automated script that he wrote himself, which searches for open printer ports and sends a rogue print job to the target's device.
From high-end multi-functional printers at corporate headquarters to lowly receipt printers in small town restaurants, all have been affected.
Users reported multiple printer models as affected. The list includes brands such as Afico, Brother, Canon, Epson, HP, Lexmark, Konica Minolta, Oki, and Samsung.
Stackoverflowin told Bleeping Computer that his script targets printing devices that have IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and port 9100 left open to external connections.
The script also includes an exploit that uses a remote code execution vulnerability to target Dell Xeon printers. "This allowed me to inject PostScript and invoke rouge[sic] jobs," Stackoverflowin told Bleeping about the RCE vulnerability's role.
(Score: 2) by ikanreed on Monday February 06 2017, @04:29PM
I mean, obviously compared to anything I, personally, have ever done, it's extraordinary, but botnets routinely number in the tens of millions, a couple hundred thousand devices is just another drop in the spambot/DDOS bucket.
The real news is that anyone is using the word "pwned" in 2017.
(Score: 3, Touché) by DannyB on Monday February 06 2017, @04:43PM
A few hundred thousand of these. A couple hundred thousand of those. Pretty soon you're talking about a botnet to be taken quite seriousfully.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by ledow on Monday February 06 2017, @04:56PM
It's an indication of something far more nefarious.
Hundreds of thousands of people have installed a printer which has ports open to the Internet - through conscious port-forwarding or complete lack of firewall.
What else are they exposing, and if these are people who are forwarding, why was this allowed? How much other stuff is on those same IPs that allows a lot worse than printing off a piece of rude paper? Printers normally have everything from FTP to SMB to SMTP.
And those THOUSANDS of devices from all kinds of manufacturers - why are they sold in insecure default configurations that allowed this? Why is this stuff even turned on? Why is it not limited to local subnet by default? Why does it not have authentication of the most basic kind?
And we're putting lightbulbs on the Internet still, made by some of these same people.
Security should not be a bolt-on, when lax security is this prevalent in devices, manufacturers and their default configurations.
(Score: 1, Insightful) by Anonymous Coward on Monday February 06 2017, @05:09PM
why are they sold in insecure default configurations that allowed this?
Because it makes their gee-whiz iThingie cloudy-printy Chromy features "easy." That's why. "Easy."
It will continue to be that way until an alternative is easier.
(Score: 2) by ikanreed on Monday February 06 2017, @05:12PM
Yeah, I guess, but can we also report on the serious cringe flaw of a person using the word "pwned"?
It's indicative of something far more nefarious: an entire generation not realizing that their slang is completely out of date and kinda uncomfortable to read.
(Score: 2) by shipofgold on Monday February 06 2017, @05:46PM
OK, I'll bite...what's a better word?
For me, 'pwned' gave the right connotation of the incident.
(Score: 0) by Anonymous Coward on Monday February 06 2017, @10:42PM
p0wned.
(Score: 2) by art guerrilla on Monday February 06 2017, @11:26PM
after pwned would come pawned...
(Score: 2) by Thexalon on Monday February 06 2017, @05:12PM
Yeah, but security is so darned *inconvenient*, you know? Having to type in passwords, firewall configurations, how the heck do you expect a beleagured office assistant to pull it off? We want something they can just plug in and turn on, dammit!
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by Scruffy Beard 2 on Monday February 06 2017, @06:33PM
About half the tweets from the TFA featured print-outs in a fast-food restaurant environment.
At minimum wage, I am not sure you will care that the printer you are not allowed to mess with is pwned. I personally would probably report it to management.
(Score: 0) by Anonymous Coward on Monday February 06 2017, @05:10PM
the real news is that there are people putting their printers on the internet.
The idea never occured to me. WHy would I do this?
Then it dawned on me that the cloud, and the lack of end user control, is probably to blame.
It is hard to allow for one to print to ones printer on the network using conventional methods now -- everything has to be on the internet as opposed to being local to the LAN.
Try to get a tablet to print a pdf to a printer without jumping through hoops, or your default gateway.
(Score: 3, Insightful) by ikanreed on Monday February 06 2017, @05:19PM
The reason my printer is on the internet is obvious to me:
It's on my wifi subnet so I don't have to hook it up to any given computer I want to print from. Because that subnet is also on the internet, so is the printer. I could go through the obnoxious process of creating a outbound DMZ with the ability to access the internet at large, and a separate division that can only access devices on the same physical subnet, but that's a pain in the ass just for a printer.
(Score: 3, Insightful) by EvilSS on Monday February 06 2017, @05:41PM
(Score: 2) by ikanreed on Monday February 06 2017, @06:12PM
It's not by default, but routers are imperfect creatures, and you shouldn't trust that they work as they say on the tin.
I do because I'm lazy.
(Score: 2) by EvilSS on Monday February 06 2017, @09:28PM
(Score: 4, Insightful) by bob_super on Monday February 06 2017, @06:27PM
Oh oh, I know why! Pick me, pick me!
That's because the printer asks for an SSID and optionally a password, after which it open whatever ports its designers thought would be cool for all kinds of "cloud" features hardly any end-user will use, plus any ports required to phone home usage patterns and whatever else the designers though would be marketable information.
And less than 5% of the population would know how to stop that. And I'd be surprised if 50% of those who know bothered to do anything about it.
I just turn the thing off (switch on extension cord: no vampiric current drain) unless I'm actively printing. You have less than 5 minutes to "pwn" it, good luck using it for a botnet.
(Score: 2) by Grishnakh on Monday February 06 2017, @07:48PM
Printers cannot "open ports" on a NAT router all by themselves. They can make outbound connections, through which the system on the other end could then communicate back, but we're not talking about HP, Brother, Canon, etc. having "pwned" servers here, we're talking about someone connecting directly to printers from the internet. That is not possible with a consumer NAT router unless you have specifically set it up to do that. The printer can't do it on its own.
(Score: 1, Funny) by Anonymous Coward on Monday February 06 2017, @08:34PM
I had a Samsung color laser that gladly opened ports using UPnP. Being at University at the time, my neighbors quickly (less than an hour of plugging it in) printed a page to let me know I was an idiot for leaving it exposed and then used the remote interface to turn it off. Suffice to say, one of the first things I do with a router anymore is make sure UPnP is turned off.
(Score: 2) by jmorris on Monday February 06 2017, @08:40PM
You haven't heard of UPnP in $current_year? Yup, we hide everything behind NAT because we know it is all a roach motel, then we invented UPnP to expose it automagically. Genius!
(Score: 2) by Grishnakh on Monday February 06 2017, @09:21PM
Sure enough, you're right [wikipedia.org].
Holy crap, what moron thought this would be a good idea??
The other stuff in uPnP makes some sense when confined to an internal network, because DHCP and all makes it a bit of a pain to configure your devices to see each other. But there's absolutely no reason devices should be allowed to make themselves visible to the outside, except maybe for idiots who want to run peer-to-peer software and don't want to figure out how to do port forwarding themselves, but that's no reason to enable them.
I wonder if there's a list of printers and other such devices (devices that have no business having forwarded ports) that use this "feature" of uPnP.
(Score: 2) by Scruffy Beard 2 on Monday February 06 2017, @09:34PM
UPnP is part of a DRM stack called DLNA [dlna.org].
No user is going to configure their router to let the manufacturer pwn their machine.
(Score: 0) by Anonymous Coward on Monday February 06 2017, @10:27PM
...we hide everything behind NAT...
With IPv6 we don't need to!
(Score: 2) by jmorris on Tuesday February 07 2017, @12:41AM
Sure we do. We don't hide everything behind a NAT because of IPv4 address exhaustion. Well not ONLY because of that, we hide behind NAT because we all know 95% of the hosts currently connected to the Internet wouldn't survive an hour directly connected. IPv6 makes this situation worse because:
1. Nobody seems to understand IPv6. Mostly because they don't care about IPv6 since NAT and http losing the one IP per virtual hostname requirement solved 99% of the problems it was intended to fix and Carrier Grade NAT solved the rest except for people who want to run a server at home and the ISPs don't want that anyway. A few mobile carriers do more than pay lip service to IPv6 but outside the 3rd world where IP exhaustion is dire, it is a dead end technology.
2. Ignorance breeds exploits. IPv6 is usually poorly configured, not consciously firewalled and yet enabled by default on a LOT of things.
3. IPv6 is not always NATted. Meaning an IPv6 enabled device connected to an IPv6 router plugged into an IPv6 enabled ISP is a menace. See above.
4. IPv6 has not had nearly the field testing and hardening as IPv4. This applies to the kernel layers AND the applications which can connect and be connected to over IPv6. This makes for a very large attack surface that has yet to see a lot of attention.
(Score: 1, Interesting) by Anonymous Coward on Tuesday February 07 2017, @02:54PM
We don't hide everything behind a NAT because of IPv4 address exhaustion.
Yes we do.
A stateless firewall requires less resources than a NAT router, and can thus be manufactured cheaper. A stateful firewall requires approximately the same resources as a NAT router and would cost the same to manufacture.
The reason you can't buy consumer versions of either is that the IP address shortage makes it necessary to buy NAT routers instead.
(Score: 2) by nobu_the_bard on Monday February 06 2017, @09:22PM
One of my former clients, they were only clients for VoIP phone service. They owned several entire C-class network subnets on the public internet (at the time, anyway)... they put entire internal networks to be routable on the public internet and relied on each device's own firewall to protect it from the internet. Most of their guys had learned their stuff loooong ago and adamantly refused to change their policies. I think part of it, was they wanted to keep ownership of their network subnets, and were worried it'd be a "use it or lose it" sort of situation.
They became former clients because they put their VoIP phones out there and they kept getting hacked... I know a few printers were on those subnets too...
(Score: 2) by Grishnakh on Monday February 06 2017, @09:30PM
Why would they be "former clients"? If your job is to fix things when they get hacked, this sounds like an ideal customer: one too stupid to fix the root problem and willing to hire you over and over to fix the damage. It's like a car driver who... sorry, I tried really hard to come up with a good car analogy but I just couldn't think of something equivalent to that level of stupidity. Anyway, it's a gold mine; why would you abandon it? "A fool and his money are soon parted."
(Score: 2) by mcgrew on Monday February 06 2017, @09:09PM
My printer's setup, a Canon imageCLASS, only had you press the button on the router, which shuts off the firewall for thirty seconds. I've forgotten what it said if there's no button, bought it last fall.
But yes, it's only on when I'm printing. No sense wasting electricity.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 0) by Anonymous Coward on Monday February 06 2017, @09:27PM
Do printers normally just open ports up? How does this work with NAT? Are people configuring their printers with admin rights to their firewall/router devices?
I am not really sure how this is working, unless they run the install CD and just let the wizard do everything.
I had to type in my initial settings into the front panel, and then later update them from an internal web server on the printer... I guess DHCP would have worked, but the disk only had drivers and firmware and advertisements for printer add-ons and toner...
I remember HP printers updating their own firmware, but that was via a wget or ftp process, not opening ports on a firewall. Someone has to give the printer the power to do this to their network hardware, or run software that does it for them. I wouldn't have thought standards between consumer devices were so similar that a printer setup wizard could do this across a swath of consumer devices. I guess then that the difference is in the packaging and they all suck the same way, but the the cosmetics differ and what you pay for based on its looks differ?
(Score: 2) by EvilSS on Monday February 06 2017, @09:31PM
(Score: 3, Interesting) by Grishnakh on Monday February 06 2017, @07:45PM
You don't need to "learn how to do it correctly". That simply should not be necessary.
With any off-the-shelf router, you should be able to plug your printer into it (or set up the WiFi on the printer to connect to it), and you should be able to print to it, while outsiders on the internet should not. This is the normal state of things: NAT routers, by default, do not allow access from outside unless the TCP connection was initiated from the inside, or if a specific TCP/UDP port was configured to be forwarded to a particular device.
In other words, users need to take extra, advanced steps to allow nefarious people on the internet to use their printers. It's not going to happen by just plugging it in or connecting to the WiFi. Printers are supposed to be receive-only devices, so unless you've figured out how to forward ports to the printer, you can't print to it from the internet.
This whole incident reeks of "the cloud" as another poster commented here.
(Score: 2) by EvilSS on Monday February 06 2017, @09:15PM
With any off-the-shelf router, you should be able to plug your printer into it (or set up the WiFi on the printer to connect to it), and you should be able to print to it, while outsiders on the internet should not.
You can, and that is the default way they work. In the case of the article what is happening is the users have bypassed this and are hanging printers directly on the internet, either with public IP's, setting them as the DMZ host (which most consumer routers support), or port forwarding to them.
(Score: 2) by Grishnakh on Monday February 06 2017, @09:25PM
Why would someone intentionally port-forward to a printer, or put it in the DMZ? This isn't something an idiot, non-techie user would do; a typical consumer has absolutely no idea what DMZ is (outside of the reference to Korea), or what "port forwarding" is, or even what a "port" in TCP/UDP is. This requires more advanced knowledge.
The other poster's contention about uPnP sounds more likely, except with that I'd expect to see far more than a few hundred thousand vulnerable printers out there, because I think it's safe to assume that the vast majority of consumers would not know about this and would just plug things in, so if printers were all doing automatic uPnP port forwarding by default, we'd see many, many millions of such devices vulnerable.
(Score: 2) by EvilSS on Monday February 06 2017, @09:34PM
They found laser printers and mopiers when they were doing their scans. Those certainly do not use uPnP. Hell I used to do the same kind of port scanning for the same reason years ago, well before uPnP existed. Or, you know, I "theoretically" printed out scribbled out dongs. Theoretically.
(Score: 2) by fliptop on Monday February 06 2017, @09:39PM
Because it's easier than setting up a VPN? That is, if you don't really know what you're doing.
Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.
(Score: 2) by EvilSS on Monday February 06 2017, @09:48PM
(Score: 2) by FatPhil on Tuesday February 07 2017, @12:57AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves