Thousands of Publicly Accessible Printers Searchable On Google

Posted by Soulskill
from the message-in-a-bottle-on-the-digital-ocean dept.
Jeremiah Cornelius writes "Blogger Adam Howard at Port3000 has a post about Google's exposure of thousands of publicly accessible printers. 'A quick, well crafted Google search returns "About 86,800 results" for publicly accessible HP printers.' He continues, 'There's something interesting about being able to print to a random location around the world, with no idea of the consequence.' He also warns about these printers as a possible beachhead for deeper network intrusion and exploitation. With many of the HP printers in question containing a web listener and a highly vulnerable and unpatched JVM, I agree that this is not an exotic idea. In the meanwhile? I have an important memo for all Starbucks employees."
  • by WaffleMonster (969671) on Friday January 25, 2013 @05:03PM (#42695297)

    User-agent: *
    Disallow: /

  • by Arancaytar (966377) <arancaytar.ilyaran@gmail.com> on Friday January 25, 2013 @05:03PM (#42695311) Homepage

    As soon as a spammer figures out how to abuse it.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      This may fall under the junk fax laws, USCC 18 paragraph 2701. Unlike that nightmare of deliberately overriding state law with federal law that planted "SPAM ME" on the backside of every email user in the US, the old junk fax law actually had teeth in it because it was costing every fax-owning *business* money and time as their fax machines were run out of paper and toner constantly with all the junk fax. So it's a fairly robust law which might include this as electronic communications to a fax/printer/copi

    • kinda like how quickly fax machine spam stopped?
      • Hey, did you get that great vacation opportunity, too? Only $99* for a week in Fiji!

        *Airfare, hotel, food, and transportation extra.

  • Imagine... (Score:4, Insightful)

    by inode_buddha (576844) on Friday January 25, 2013 @05:04PM (#42695317) Journal

    A little bit of scripting and you can goatse thousands all around the world...

    • by h4rr4r (612664)

      I was just considering that.
      Anyone know if there are laws against it?

      • Re: (Score:3, Informative)

        by t3hfr3ak (2429946)
        Well, some states persecute for sharing offensive material over the internet. I'm sure the courts will say this falls into the category.
      • by Splab (574204) on Friday January 25, 2013 @05:16PM (#42695495)

        Since you are abusing their equipment, you are probably going to be up for all sorts of fun unlawful computer acts.

        And if you are going to prank them, send the "You're fired" from back to the future...

      • Probably the same laws that say you can't use someone else's computer without their permission. Just because it's unsecured doesn't mean you're allowed to walk in.

        • by Kaenneth (82978)

          So, you only visit websites for which you have a written invitation?

          As a business, if your front door is open, it's an invitation to come in and browse.

          • Websites are intended to face the general public; this is implicitly understood. A better analogy is that there's an unmarked door on the side of the store, and when you peek in, you see it's an office or some other place the public obviously doesn't belong, even if it's still wide open.

      • Aren't there laws in the US against sending spam faxes because it uses the paper up? That might be used against the sender of the print job.

        If the printers are simple JetDirect boxes, there will probably be no logging of where the jobs came from. If they're bigger multifunction machines with hard drives, you'll be logged.

        • by volkerdi (9854)

          There should be a law, and if this becomes a problem there will be one. However, the existing laws almost certainly concern sending faxes and are unlikely to apply.

        • by dbIII (701233)

          If the printers are simple JetDirect boxes

          That reminds me of the time I found out a simple nmap portscan kills one model of JetDirect network-to-parallel boxes. Not just factory-reset-button dead, but replace-an-EPROM-or-something-similar-at-an-HP-repair-centre dead. Since those things are so fragile and so wide open that you can actually kill them over a network without even trying, I'm not surprised that other HP crap has no consideration of security.

        • by BitZtream (692029)

          JetDirect boxes log to loghost.assignedomain. by default, have for 15 years. If you use DHCP with syslog set there, they automatically log to that log host.

          If your JetDirect boxes aren't logging automatically when you plug them in, your network is configured wrong.

      • How about just printing this article?

        White hat warning, and all.

        So what if it's 15 pages long.

      • Re:Imagine... (Score:4, Informative)

        by BitZtream (692029) on Saturday January 26, 2013 @03:25AM (#42699073)

        Yes, unauthorized access of pretty much anything is illegal, WTF makes you think it wouldn't be anyway?

        However, specifically, unauthorized access of a computer or telecommunications equipment is most certainly covered under several federal laws.

        Unauthorized access means 'doing anything they didn't want you to do, specifically stated in advance or otherwise', so pretty much any time you touch any computer without permission in any way, it's covered.

        That doesn't consider any pornography or offensive content standards and a crapton of other laws.

        I'm just curious as to why you wouldn't instinctively know this is covered in about a billion different ways. Are you 12? Do you still think some silly little 'well they didn't say THAT' kind of thing is a legal loophole?

    • Re:Imagine... (Score:5, Interesting)

      by black3d (1648913) on Friday January 25, 2013 @06:00PM (#42695997)
      Back in the early days of the web when I used to port-sniff for fun, I discovered an FTP enabled printer with an upload to print function so threw "The Complete Works of William Shakespeare" up into it to see what happened. Of course, the file disappeared after a few minutes so I really have no idea, but to this day I wonder if I perhaps unfortunately used up someone's paper. :\
      • by Anonymous Coward on Friday January 25, 2013 @06:45PM (#42696421)

        You Sir are a knave; a rascal; an eater of broken meats; base, proud, shallow, beggarly, three-suited, hundred-pound, filthy, worsted-stocking knave; a lily-livered, action-taking knave, a whoreson, glass-gazing, super-serviceable finical rogue; one-trunk-inheriting slave; one that wouldst be a bawd, in way of good service, and art nothing but the composition of a knave, beggar, coward, pandar, and the son and heir of a mongrel bitch: one whom I will beat into clamorous whining, if thou deniest the least syllable of thy addition.

    • the key here is to find a publicly accessible printer, in a location with a publicly accessible security/web camera, so you can witness the revulsion crossing their bewildered faces first hand.
      • Many of these printers also have some built in speaker to play stupid sounds and warnings. Imagine the fun you could have if you somehow managed to upload the voice of HAL saying "I'm afraid I can't let you do that Dave!". Bonus points if you make it say that when the printer runs out of paper.
  • by fluffy99 (870997) on Friday January 25, 2013 @05:06PM (#42695357)

    I wonder if any of them are the older HP LaserJets where you could change the display to read funny things like "Insert Cheese" or "Low on Mayo"?
    http://community.spiceworks.com/scripts/show/1184-change-a-networked-hp-laserjet-ready-message [spiceworks.com]
    http://miscellany.kovaya.com/2007/10/insert-coin.html [kovaya.com]

  • by girlintraining (1395911) on Friday January 25, 2013 @05:07PM (#42695363)

    "Error: Out of Paper on Drive D:"

  • Very useful (Score:5, Funny)

    by scotts13 (1371443) on Friday January 25, 2013 @05:09PM (#42695389)

    (GRIN) At one time, I had dial-in access to the Apple corporate network; back then AppleTalk and PAP were still supported. When I was having trouble getting an employee to answer his email, I'd just print the message to the printer in his office. That would usually get his or her attention.

  • by Anonymous Coward on Friday January 25, 2013 @05:09PM (#42695399)

    I saw a story not too long ago about someone accessing their neighbor's printer to print out messages to the neighbor, pretending the printer was somehow alive; starting with some gibberish it became words and then paragraphs of text.

    But you wouldn't do that to any of these printers because (pulls down microphone hidden in lamp suspended from ceiling) that would be wrong!

  • ...if these printers were somewhere they could reasonably replace a fax machine. But then, even fax machines are abused/spammed.

    And it doesn't have to be deliberate. I supplied the department with a year's worth of scrap paper when I tried to print a postscript file to a laser printer. Something in the Windows-to-Appletalk software got munged and the text of the file got printed instead of the document.

  • by jfdavis668 (1414919) on Friday January 25, 2013 @05:18PM (#42695541)
    I pity the people whose printers show up on the first page of Google results.
    • What would be great for the /. clout or any enterprising business looking to get good PR (and the possible follow up stories) is to actually send a helpful fax to those that are open, start with the first page, with instructions how to "fix" it and why it needs to be done and a contact email. Alas, I am not that versed in any related field but would be surprised if a security company didn't take advantage of it.
      • by PRMan (959735)

        with instructions how to "fix" it and why it needs to be done and a contact email

        I see you working. Trying to get those spammers busted...

    • by antdude (79039)

      Mr. T, is that you?

  • How did this happen? (Score:5, Interesting)

    by countach (534280) on Friday January 25, 2013 @05:19PM (#42695549)

    Excuse my ignorance, but how does this happen? Big companies have firewalls and NAT, and everyday people have wi-fi routers and NAT. What sort of people have big swaths of IP address space, but no clue how to manage it?

    • Re: (Score:2, Insightful)

      by QuadEddie (459328)
      The number of small companies dwarf big companies. While a big company could potentially have a few of these in the open, they're much more likely to have the resources to have someone competent running the network. A typical small business (under 20 employees) will not have the resources to secure their network and will likely be oblivious to the exposure.
      • *nods* Unfortunately most of the small businesses hire someone cheap claiming to know about computers but has no real clue about securing a network or setting it up right.
        The lucky ones come into contact with a company like mine before disaster strikes... :-/
    • by jdastrup (1075795)
      Schools and some government branches often have devices, esp. printers, on public IP addresses. Several good reasons for it, but of course it can get abused
    • by Charliemopps (1157495) on Friday January 25, 2013 @05:40PM (#42695799)

      Jimmy: So how's the new real estate agency Dad said you started?
      Uncle Jim: The whole office is a mess. We've got a bunch of computers, and we got one of those box things to connect them all together at Walmart... But it only has 10 plugins and now we've got this new printer...
      Jimmy: Uh... I think we can just get a bunch of old network cards, put them in that computer in the basement and install Linux on it...
      Uncle Jim: Is Linux secure?
      Jimmy: It's the best. I think NASA uses it.
      Uncle Jim: Wow, this is great, that was going to cost me twenty... er... hey, I'll give you $10 an hour to do it.
      Jimmy: Really? Awesome... *starts doing Wikipedia searches for Linux*

      • by houghi (78078)

        I remember how the first people in companies got into IT.
        CEO: We have gathered everybody here, because we are all going to have computers AND we will have a dial-up connection to the internworldweb. It is the new rage.
        CEO: So who owns his own computer?
        Group: ------
        CEO: OK. Who knows how to write internworldweb?
        Some schmuck: Isn't it Internet?
        CEO: Congratulations, you are now responsible for all the computer-related stuff for the whole company and its 50 offices around the world.

    • I'm presuming these setups are accidental. Is the DHCP scope on their internal, physical network configured to hand out public IP addresses? My mind boggles wondering if that would even work, much less someone would make that decision. The alternative is someone who knows what they're doing intentionally NATs web traffic to the internal address. That raises the oxymoronic "knows what they're doing" and "NATs web traffic to a printer" quandary.
      • by profplump (309017) <zach-slashjunk@kotlarek.com> on Friday January 25, 2013 @06:53PM (#42696509)

        My DHCP is configured to hand out "public" addresses. Even over WiFi. Is there some reason it shouldn't be?

        The idea that NAT is the way things should work is ridiculous -- it makes networking harder in about 25 different ways, makes the Internet a provider-consumer system instead of a peer-to-peer system, and it provides no "protection" beyond what you'd get from any other stateful firewall.

        • it provides no "protection" beyond what you'd get from any other stateful firewall.

          Yes, because no stateful firewalls have had any vulnerabilities in them ever.

          I agree with all your other points, and think it's high time for NAT to just die already, for a whole host of reasons - but let's be honest, one thing it does do is indeed add one small layer of extra security ... "NAT plus stateful firewall" cannot be less secure than "same stateful firewall on its own".

    • by guacamole (24270)

      Most large universities in the US are wide open. It's a wild zoo out there. I used to work as a system administrator at a large public university, and most department managers and users were against using a central firewall. The only way around this was to configure a firewall on each individual machine.

    • by liquidsin (398151)

      When I worked HP printer support, it was generally people with a hub connected to a cable/DSL modem and sharing the connection to all the devices. This was around 2006, and a number of providers would supply separate IP addresses to each machine connected to the hub in this way. Whenever troubleshooting setups, if I noticed a publicly addressable IP on a printer, I'd send it a page just to demonstrate to the customer why they needed a router instead of a hub. Most of them would run out to Best Buy and call b

    • Many companies don't secure their networks well. Although oddly, accessing them could (legally) be regarded as an intrusion nonetheless - just a thought on the legalities here, if you or I had (similarly to Google) searched for and published a list of accidentally openly accessible printers and dumped it on something like Pastebin, I suspect we'd probably be prosecuted by someone like Carmen Ortiz and convicted on some trumped up felony hacking charge with a possible 30 year sentence. Apparently Google gets
  • by CanHasDIY (1672858) on Friday January 25, 2013 @05:26PM (#42695639) Homepage Journal
    Gotta love unsecured, web-facing peripherals.
    Personally, I prefer searching for IP cameras [slashdot.org]
    • Yes, now imagine if they were things like coffee makers, toasters, and other small appliances, Java enabled, left open on the Internet.

      Have a grudge against somebody? Make their toast extra dark and their coffee extra weak.

    • I tried this, and I must be honest, for the time investment required, I don't get the 'kicks' ... I spent about half a day looking at loads of publicly open cameras, and all I saw amounted to this:

      - Mostly a bunch of business/office cameras. Yawn, if I want to look at some desks inside a boring office building I can do that when I'm at work. If I want to look at the reception area of random business I can walk out into the real world and enter businesses just like those.
      - The odd control room of I don't k

      • I guess it's a bit the same as when searching for "confidential filetype:pdf" and you realize that instead of spicy conspiracy secrets, most of the stuff is actually quite boring.
  • by Mr. McGibby (41471) on Friday January 25, 2013 @05:38PM (#42695773) Homepage Journal

    Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.

    • by Anonymous Coward on Friday January 25, 2013 @06:13PM (#42696141)

      Just because google says *about* 86,500 results, doesn't mean that it's going to *actually* have that. You'd think someone who can search google that well would know this. If you go to the end of the search query, it's 73 results.

      Actually it is about 86,500 - the 73 results are considered unique, but when you "repeat the search with the omitted results included" at the end, it includes many, many more nodes.

  • Considering how laws are going in the US, you could end up facing years of jail for each page you send to any of those printers. And you could be the one picked to serve as an example for others.
  • 3D (Score:4, Interesting)

    by WrecklessSandwich (1000139) on Friday January 25, 2013 @05:48PM (#42695871)
    I can't wait for networked 3D printers to become commonplace. See also: http://www.smbc-comics.com/index.php?db=comics&id=2851 [smbc-comics.com]
  • Yes, the search page says 86,700 results, or whatever. But you only get 13 results, and then the:

    "In order to show you the most relevant results, we have omitted some entries very similar to the 13 already displayed. If you like, you can repeat the search with the omitted results included."

    Asking for omitted results gives you a grand total of 73 results, no matter WHAT the top of the results page says ...

    So ... nothing to see here, at all. Bullsh*t.
    • "Page 25 of about 2,590,000 results"

      I clicked the link in the article and there are 2,590,000 results. I went to page 25 and they still look like valid results. Definitely more than 73 printers.

  • I don't know about current HP printers, I do remember using the nice ftp server on them in the past..

    Second rule of Internet Club, no connections directly from the Internet to your Intranet.

  • by Anonymous Coward

    And I use these open web interfaces all the time to help guide dumb ass engineers how to fix things over the phone.

    The first time I spotted an MFP on the internet I did send a print job letting them know that they should probably fix it (I did check the machine was in an English-speaking country first!), but I no longer bother any more.

  • by technomom (444378) on Friday January 25, 2013 @07:05PM (#42696621)
    This seems more like HP's fault rather than Google's.
  • by cswiii (11061) on Friday January 25, 2013 @07:13PM (#42696671)

    Here's an article from as far back as 2007

    http://www.bloggingwv.com/print-around-the-world/ [bloggingwv.com]

  • Perhaps these thousands of printers (thousands? that's it?) are out there on purpose because people WANT others to be able to send them printouts? Perhaps they just want something like email, but that they can read offline?

    Perhaps it's a way of collecting reading material? I think the smart thing to do is to go with that assumption and send them something to read.

  • by MythicalMan (261975) on Friday January 25, 2013 @08:58PM (#42697583)

    The article leads the reader to believe that the VM running on HP LaserJet printers is an old version of Sun's -- now Oracle's -- JVM. That's not true. HP printers run ChaiVM, a clean-room implementation written based on the published specification. Moreover, HP has historically recommended that their customers NOT expose printers to the public Internet. The embedded web server is an administration tool, not a fully-fledged HTTP server, and was not designed to be used that way.

    Disclaimer: Even though I work for HP and had access to the LJ firmware internals in the recent past, I'm NOT speaking on behalf of HP.

  • If you click to the next page of results, google corrects its estimate to read

    " Page 2 of 13 results (0.13 seconds)"

    Although it does admit

    "In order to show you the most relevant results, we have omitted some entries very similar to the 13 already displayed.
    If you like, you can repeat the search with the omitted results included."

    If you choose to show the omitted results, and click through the pages, you get to the 8th page, which indicates:

    "Page 8 of 72 results (0.12 seconds)"

    Still nowhere near 86,000

    And whi

  • I submitted this flaw to Slashdot in late 2011 (with a one word search term I believe!) and it never appeared in any story. I did post up [osnews.com] about the story rejection on OSNews a few months later.

    If I could find out how to search for old Slashdot submissions I would do, but I can't see anything in my Slashdot account settings/profile that lets me see all the attempted submissions I made.
