Thousands of Publicly Accessible Printers Searchable On Google

Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."

First rule of embedded web servers

[WaffleMonster]

User-agent: *
Disallow: /

This will stop quickly

[Arancaytar]

As soon as a spammer figures out how to abuse it.

Imagine...

[inode_buddha]

A little bit of scripting and you can goatse thousands all around the world...

Re:First rule of embedded web servers

[countach]

I think the point is, at least it wouldn't be advertised on Google.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Imagine...

[tripleevenfall]

You'd be in heap big trouble if a child picked up the printout, I think.

Re:This will stop quickly

[Anonymous Coward]

This may fall under the junk fax laws, USCC 18 paragraph 2701. Unlike that nightmare of deliberately overriding state law with federal law that planted "SPAM ME" on the backside of every email user in the US, the old junk fax law actually had teeth in it because it was costing every fax-owning *business* money and time as their fax machines were run out of paper and toner constantly with all the junk fax. So it's a fairly robust law which might include this as electronic communicaitons to a fax/printer/copier machine in most offices.

Re:How did this happen?

[black3d]

Worse, the "cheap" guys frequently intentionally disable router-based firewalls and DMZ the entire internal network so they can "troubleshoot" remotely having to use only RDP, because they have no experience or knowledge of appropriate secure methods of remote troubleshooting.

Did anyone bother to click through?

[jabberwock]

Yes, the search page say 86,700 results, or whatever. But you only get 13 results, and then the:

"In order to show you the most relevant results, we have omitted some entries very similar to the 13 already displayed. If you like, you can repeat the search with the omitted results included."

Asking for omitted results gives you a grand total of 73 results, no matter WHAT the top of the results page says ...

So ... nothing to see here, at all. Bullsh*t.

Re:How did this happen?

[profplump]

My DHCP is configured to hand out "public" addresses. Even over WiFi. Is there some reason it shouldn't be?

The idea that NAT is the way things should work is ridiculous -- it makes networking harder in about 25 different ways, makes the Internet a provider-consumer system instead of a peer-to-peer system, and it provides no "protection" beyond what you'd get from any other stateful firewall.