Exposed HP LaserJet Printers Offer Anonymous FTP To the Public (csoonline.com)

itwbennett writes: In a blog post on Monday, security researcher Chris Vickery outlined the risks associated with networked HP LaserJet printers, which have been made available to the public by the organizations hosting them. 'There are a few free, open source pieces of software that can be used to upload and interact with HP printer hard drives over port 9100. After uploading to a printer, the file can be accessed by ... any web browser... It doesn't take much creativity to realize that even highly illegal materials could be stored this way,' Vickery wrote. CSO's Steve Ragan picked up the thread: A quick search on Shodan to confirm Vickery's findings returned thousands of results.
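The "free, open source pieces of software" Vickery mentions work by speaking Printer Job Language (PJL) to TCP/9100: besides job control, PJL has file-system commands (FSDIRLIST, FSQUERY, FSUPLOAD, FSDOWNLOAD) that read and write the printer's internal disk. The quickest way to find out whether one of your own printers is already being used as somebody's file drop is to list that disk. The script below is an added example for this story, not Vickery's post, the CSO article, or the tools he refers to. It assumes the FSDIRLIST request/response format shown in SAMPLE_RESPONSE (constructed here, not captured from a device) and a list of stock HP directory names in KNOWN_DIRS (assumed; adjust for your fleet). Run it with no arguments to parse the sample, or with a hostname to query a printer you are authorised to test.

```python
"""PJL file-system listing for HP LaserJets that expose TCP/9100.

Added example; not Vickery's tooling nor the open-source software he refers to.
Assumptions: the FSDIRLIST request/response format modelled in SAMPLE_RESPONSE
(constructed) and the stock directory names in KNOWN_DIRS.
"""
import re
import socket

UEL = b"\x1b%-12345X"   # Universal Exit Language sequence: switch the printer into PJL mode
FORM_FEED = b"\x0c"     # PJL terminates a response block with a form feed

# Directory names an HP disk normally carries (assumed; adjust for your fleet).
KNOWN_DIRS = frozenset({"PJL", "PostScript", "saveDevice", "webServer", "PermStore"})


def build_fsdirlist(path: str = "0:\\", entry: int = 1, count: int = 65535) -> bytes:
    """Build a PJL FSDIRLIST request for `path` (volume 0: is the printer disk)."""
    cmd = f'@PJL FSDIRLIST NAME="{path}" ENTRY={entry} COUNT={count}\r\n'
    return UEL + cmd.encode("ascii") + UEL


# One entry per line: `name TYPE=FILE SIZE=1234` or `name TYPE=DIR`
_ENTRY_RE = re.compile(r"^(?P<name>.+?) TYPE=(?P<type>FILE|DIR)(?: SIZE=(?P<size>\d+))?\s*$")


def parse_fsdirlist(response: bytes) -> list:
    """Parse an FSDIRLIST response into dicts with name, type and size.

    The echoed @PJL line and the '.'/'..' pseudo-entries are dropped.
    """
    text = response.split(FORM_FEED, 1)[0].decode("latin-1", errors="replace")
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("@PJL"):
            continue
        m = _ENTRY_RE.match(line)
        if m is None or m["name"] in (".", ".."):
            continue
        entries.append({
            "name": m["name"],
            "type": m["type"],
            "size": int(m["size"]) if m["size"] else None,
        })
    return entries


def suspicious_entries(entries: list, known: frozenset = KNOWN_DIRS) -> list:
    """Return root entries that are not stock HP directories.

    Any file at the root, or a directory with an unexpected name, suggests
    somebody has been using the printer as a file drop.
    """
    return [e for e in entries if e["type"] == "FILE" or e["name"] not in known]


def pjl_dirlist(host: str, path: str = "0:\\", port: int = 9100, timeout: float = 5.0) -> list:
    """List `path` on a live printer you are authorised to test (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_fsdirlist(path))
        buf = b""
        while FORM_FEED not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_fsdirlist(buf)


# Constructed sample response in the FSDIRLIST format; not captured from a real device.
SAMPLE_RESPONSE = (
    b'@PJL FSDIRLIST NAME="0:\\" ENTRY=1\r\n'
    b". TYPE=DIR\r\n"
    b".. TYPE=DIR\r\n"
    b"PJL TYPE=DIR\r\n"
    b"PostScript TYPE=DIR\r\n"
    b"webServer TYPE=DIR\r\n"
    b"dropbox TYPE=DIR\r\n"
    b"archive.7z TYPE=FILE SIZE=734003200\r\n"
    + FORM_FEED
)

if __name__ == "__main__":
    import sys
    entries = pjl_dirlist(sys.argv[1]) if len(sys.argv) > 1 else parse_fsdirlist(SAMPLE_RESPONSE)
    for e in entries:
        size = e["size"] if e["size"] is not None else ""
        print(f"{e['type']:4} {size:>12} {e['name']}")
    for e in suspicious_entries(entries):
        print(f"SUSPICIOUS: {e['name']}")
```

The same socket exchange is all an attacker needs, which is the point of the story: there is no authentication step anywhere in it. A printer that answers this request from outside your network should be firewalled off port 9100 (and the embedded web server) before you worry about what is on its disk.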

Comments:

  • by belthize ( 990217 ) on Tuesday January 26, 2016 @11:15AM (#51374139)

    They want there bugs back. This issue has been haunting HP printers for decades.

    ftp://ftp.hp.com/pub/networkin... [hp.com]
    https://www.google.com/search?... [google.com]

    • (@*&#$(*&@#$(78 there ^H^H^H^H^H^H their.

      Stupid non-editing system and proof reading poster gahhh

    • 1995 called. It just wanted to remind you that abusing a printer in this way was actually a minor plot point of Johnny Mnemonic [imdb.com].

      Yes, the problem is so old that Hollywood actually -- and surely accidentally -- got it right.

      • by TWX ( 665546 )
        William Gibson is a fairly smart guy, if he wrote stuff into the screenplay that was inspired by real stuff, even if carried to borderline-insane extremes.

        Had they not had that ridiculous, poorly-animated dolphin swimming through the mind thing I might consider it a halfway decent movie, at least up there with the original Total Recall. That dolphin thing though, just too much.
      • Laser printers were infecting and reinfecting 68K macintoshes over the network when I was in college in 1990.

        • No, you must be mistaken... Apple products are not vulnerable to malware, anyone on /. can tell you that...

  • by Anonymous Coward

    People have been doing this shit for years. People doing shit like printing out all sorts of crap etc to run the printers out of toner, paper etc. I wouldn't be surprised with some crappy printers out there that you wouldn't be able to start a fire with some.

    Printer related bullshit like this was the IoT hacking of the 1990s :P

    • by arth1 ( 260657 )

      Indeed. I used to change the LCD panels on the HP printers to say "Insert Coin".

      • by TWX ( 665546 )
        I can't deny a certain amount of sophomoric enjoyment changing the screen to identify that a particular color cartridge is out, on a black and white printer...
      • Indeed. I used to change the LCD panels on the HP printers to say "Insert Coin".

        Better than "PC Load Letter" - what the fuck does that mean? [ My Office Space reference for the day. ]

        • by Stavr0 ( 35032 )

          "PLAID CARTRIDGE LOW"

          [And *that* is my Spaceballs reference for the day.]

        • by arth1 ( 260657 )

          Better than "PC Load Letter" - what the fuck does that mean?

          Speaking of inappropriate error messages:
          Symantec Backup Exec System Recovery, when encountering a backup destination that can't hold the backup, will report:

          Error EBAB03F1: The printer is out of paper.

          How... useful!

    • People doing shit like printing out all sorts of crap etc to run the printers out of toner, paper etc.

      I personally draw the line at using hpsetdisp.pl to make the printer display a friendly "Insert Coin" or "Out Of Cheese" message.

    • by Myrrh ( 53301 )

      Hence the old UNIX error "/dev/lp0: on fire" ...

  • by Anonymous Coward

    This is just another "look at what I found with [product][signup]" marketing bullshit. I'm not signing up for anything at Shodan; a "search" behind a paywall/freemium says everything about the operation.

    • Yeah, what's up with this search engine? After the first page you need to register? Fuck that.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Quite the opposite, I suspect the recent influx of news about Shodan is a concerted effort to get it shut down.

      A couple weeks ago we had stories about this search engine let me find Hello Kitty's database full of children. Over the weekend we saw hit pieces about this search engine lets people spy on your sleeping kids. Today we have this search engine exposes FTP servers where people can store "highly illegal materials" (he isn't talking about your MP3 collection). Insecure webcams, insecure FTP servers, i

  • Does anyone seriously have an IP protocol printer that isn't behind a NAT and a firewall to boot? Is this really a thing? Listening printer IP ports sitting out in the DMZ? (*boggle*)

    (I guess, or he wouldn't have written the blog.) :/

    • Re:NAT, firewall (Score:5, Insightful)

      by gstoddart ( 321705 ) on Tuesday January 26, 2016 @12:05PM (#51374477) Homepage

      Honestly, never underestimate just how terrible security is or can be ... between vendors which leave stuff vulnerable for years, or mis-configurations, things which have never been patched, or things which seemed like a good idea at the time ... the internet is a hideous mess of things which are appalling but nonetheless happen every day.

      Either because nobody cares, or nobody has the money to care, or management comes down on the side of "easy" instead of "correct".

      I think most of us would be shocked/depressed/angry to realize just how much stuff is hanging outside of any firewall or NAT whatsoever.

      The people who are likely to be secure are paranoid, diligent, a little crazed, and likely have others telling them to "relax, it's not a big deal". Never underestimate how often someone says "dear god, we can't do this" only to be overruled by someone who doesn't see it as a threat ... it happens all the damned time.

      The people who get overruled just need to cover their asses so if it happens they can say "told you so". This has been true for years.

      I'm betting tons of people around here can give you horror stories about loudly warning about this kind of stuff only to be told to shut up and do it.

    • by Anonymous Coward

      Yes it is. In the early days of the internet the norm was for everything to be publicly accessible, and some places (especially universities) haven't moved away from this or have only partially done so (i.e. there is a campus firewall but it's default-allow and is not a NAT). I expect there would be strong resistance from academics to a move to a more locked down model which gives more power to central IT.

      The university I am at usually allocates private addresses when installing new printers (we have parallel

    • by Bert64 ( 520050 )

      NAT isn't used for security, in fact it's a major inconvenience and things work better on routable addresses...
      People only use NAT because they don't have enough addresses to do things properly.

    • Does anyone seriously have an IP protocol printer that isn't behind a NAT and a firewall to boot? Is this really a thing? Listening printer IP ports sitting out in the DMZ? (*boggle*)

      (I guess, or he wouldn't have written the blog.) :/

      Doesn't matter. Seems printers these days all have Bluetooth and wireless printing as features and turned on by default with things like Bonjour happily asking outsiders to come in.

  • HP printers used to also have a built-in web-server. You could access printer functions from the page. I used to use Alta-Vista (which shows you how far back this goes) to search for the welcome text of the page -- and found hundreds of exposed printers.

    I'd open the webpage and instruct the printer to print 1000 copies of a page that says "you've been hacked!" in 50-point typeface. It was an amusing prank, but now that printers have storage, yep, it's a bigger problem that HP, all these years later, has nev

    • I used to use Alta-Vista (which shows you how far back this goes) to search for the welcome text of the page -- and found hundreds of exposed printers.

      I'd open the webpage and instruct the printer to print 1000 copies of a page that says "you've been hacked!" in 50-point typeface. It was an amusing prank...

      Here's a hypothetical scenario for you:

      I'm walking through a public parking lot looking at all the cars to see if any are left unlocked. Either by ignorance or oversight you've left your car unlocked. I decide to open your door and take a piss on your seat. Would you consider that an "amusing prank"?

      I mean, after all, you deserve it. You should have known better than to leave your vehicle unlocked.

      • There's a big difference between a car that's not yours and is well understood to be someone else's private property and an open web server on the open internet, voluntarily offering up pages to passers-by. It's more like you're wandering through a locker room and one of the lockers is open. You notice there's a box of chocolates saying "take one", so you do. Of course the box could've been intended for someone else, but with the locker door open who is to know? The missing access control is what made it am

        • By printing "1000 copies" in 50-point typeface, the self-professed "hacker" wasn't just harmlessly drawing attention to the exposure. He was deliberately using up a significant amount of consumables and causing unnecessary wear on limited-lifespan parts such as the fuser unit. This is not akin to eating a piece of chocolate from a box left lying around. There is nothing "ambiguous" about it. Anyone with an ounce of common sense should understand that the printer exposure is not a "voluntary offering" for "a

  • Get out of jail free card and IP6 will just make it even easier to clam by ISP modem just auto put it on the net.

  • A quick search on Shodan to confirm Vickery's findings returned thousands of results.

    The quote implies that the link would go to Shodan, but instead it points to another article.

  • It isn't just the LaserJets, the OfficeJets, etc all have this issue, and there is one right now within range of my home wi-fi network (and of course my other wireless devices) that helpfully tells me that it is offering an open wi-fi network (while every single wireless router within signal range is password protected). Yes, I have seriously been considering sending the owners a message over their own printer.

    • One thing I forgot to mention - yes, I can use HP printer management tools to do silly things like read what is queued in their print spool and how much toner is left in the device.

  • The reported "thousands of results" are thousands of exposed printers, not necessarily thousands of files so hosted.

  • by Anonymous Coward

    It's called FTP printing. It was a thing. It can only be accomplished by having the service running and the port open on the printer. Presumably you want your fucking printer to work as advertised. So, HP enabled the service and port, so you can fucking print and FTP print if you want to.

    That you plugged these old printers into the internet, rather than behind a firewall is not HP's problem. It is an ID10T or PEBCAK issue.

    Now, if you want to blame HP et al for stupid lack of security then look no further th

  • If you are thinking of storing illegal things this way, remember that the FBI can take over the server, keep it running, and then track it back to you [slashdot.org].
  • What is this useless advice doing on slashdot. Now if he only told us how this free, open source software got onto the printer in the first place and why only HP network printers.
  • Your HP printers are my cloudserver. I back up all my data in PAR files to them. All your printers are belong to us.
