Exposed HP LaserJet Printers Offer Anonymous FTP To the Public (csoonline.com)
itwbennett writes: In a blog post on Monday, security researcher Chris Vickery outlined the risks associated with networked HP LaserJet printers, which have been made available to the public by the organizations hosting them. 'There are a few free, open source pieces of software that can be used to upload and interact with HP printer hard drives over port 9100. After uploading to a printer, the file can be accessed by ... any web browser... It doesn't take much creativity to realize that even highly illegal materials could be stored this way,' Vickery wrote. CSO's Steve Ragan picked up the thread: A quick search on Shodan to confirm Vickery's findings returned thousands of results.
Re: (Score:3)
You have no excuse to have a printer exposed to the greater web.
Root cause my friend...HP has no excuse for running an FTP server on a printer.
IoT (Score:5, Insightful)
(*sarcasm*) No. Everything must be internet enabled! We are in the age of the Internet of Things. You probably don't even use "apps," do you? I bet you compile your own code, too. You are a Luddite. Get off my lawn! (*sarcasm*)
Re: (Score:3, Informative)
You have no excuse to have a printer exposed to the greater web.
As a UMN alumnus (note how high they are on the list counting the exposed printers), I probably know more about their network setup than most. The default stance there has always been that every device on the network is given an IP (either dynamically or statically) that is fully resolvable to the world. They started with all of 128.101.*.* and then added 134.84.*.* and something else as well. It didn't seem like they would run out of addresses any time soon, so they just kept handing them out; students, s
Re: (Score:3)
It's been quite some time since I played heavily with the settings on network printers, but there were a lot of options for how the network configuration could be set up. There were multiple protocols and options within each protocol inclu
Re: (Score:3)
TL;DR - NAT can suck it. :P
Re: (Score:2)
Part of the 192.168 address range is routable (class B), in case you didn't know.
1998 called (Score:3)
They want there bugs back. This issue has been haunting HP printers for decades.
ftp://ftp.hp.com/pub/networkin... [hp.com]
https://www.google.com/search?... [google.com]
Re: (Score:2)
(@*&#$(*&@#$(78 there ^H^H^H^H^H^H their.
Stupid non-editing system and proof reading poster gahhh
Re: (Score:2)
Probably best if I'm just taken out back and lethally shot. It's the only way I'll learn.
Re: (Score:2)
As long as it's temporary I don't mind to much.
Re: (Score:3)
Oh fuck me .... to ^H^H too. Really just go ahead and put me out of everyone's misery.
Re: (Score:2)
As we used to say in the ER... All bleeding stops... eventually.
Re: (Score:3)
1995 called. It just wanted to remind you that abusing a printer in this way was actually a minor plot point of Johnny Mnemonic [imdb.com].
Yes, the problem is so old that Hollywood actually -- and surely accidentally -- got it right.
Re: (Score:3)
Had they not had that ridiculous, poorly-animated dolphin swimming through the mind thing, I might consider it a halfway decent movie, at least up there with the original Total Recall. That dolphin thing, though, was just too much.
Re: (Score:2)
Laser printers were infecting and reinfecting 68K Macintoshes over the network when I was in college in 1990.
Re: (Score:2)
No, you must be mistaken... Apple products are not vulnerable to malware, anyone on /. can tell you that...
Re: (Score:1)
What I want to know is how did he have that many Macs networked in 1990??? ;-)
old news (Score:1)
People have been doing this shit for years. People doing shit like printing out all sorts of crap etc to run the printers out of toner, paper etc. I wouldn't be surprised with some crappy printers out there that you wouldn't be able to start a fire with some.
Printer related bullshit like this was the IoT hacking of the 1990s :P
Re: (Score:2)
Indeed. I used to change the LCD panels on the HP printers to say "Insert Coin".
Re: (Score:2)
Indeed. I used to change the LCD panels on the HP printers to say "Insert Coin".
Better than "PC Load Letter" - what the fuck does that mean? [ My Office Space reference for the day. ]
Re: (Score:1)
"PLAID CARTRIDGE LOW"
[And *that* is my Spaceballs reference for the day.]
Re: (Score:2)
Better than "PC Load Letter" - what the fuck does that mean?
Speaking of inappropriate error messages:
Symantec Backup Exec System Recovery, when encountering a backup destination that can't hold the backup, will report:
Error EBAB03F1: The printer is out of paper.
How... useful!
Re: (Score:2)
I personally draw the line at using hpsetdisp.pl to make the printer display a friendly "Insert Coin" or "Out Of Cheese" message.
Re: (Score:2)
Hence the old UNIX error "/dev/lp0: on fire" ...
Shodan marketing (Score:1)
This is just another "look at what I found with [product][signup]" marketing bullshit. I'm not signing up for anything at Shodan; a "search" behind a paywall/freemium says everything about the operation.
Re: (Score:3)
Yeah, what's up with this search engine? After the first page you need to register? Fuck that.
Re: (Score:2, Interesting)
Quite the opposite, I suspect the recent influx of news about Shodan is a concerted effort to get it shut down.
A couple weeks ago we had stories about this search engine let me find Hello Kitty's database full of children. Over the weekend we saw hit pieces about this search engine lets people spy on your sleeping kids. Today we have this search engine exposes FTP servers where people can store "highly illegal materials" (he isn't talking about your MP3 collection). Insecure webcams, insecure FTP servers, i
NAT, firewall (Score:2)
Does anyone seriously have an IP protocol printer that isn't behind a NAT and a firewall to boot? Is this really a thing? Listening printer IP ports sitting out in the DMZ? (*boggle*)
(I guess, or he wouldn't have written the blog.) :/
Re:NAT, firewall (Score:5, Insightful)
Honestly, never underestimate just how terrible security is or can be ... between vendors which leave stuff vulnerable for years, or mis-configurations, things which have never been patched, or things which seemed like a good idea at the time ... the internet is a hideous mess of things which are appalling but nonetheless happen every day.
Either because nobody cares, or nobody has the money to care, or management comes down on the side of "easy" instead of "correct".
I think most of us would be shocked/depressed/angry to realize just how much stuff is hanging outside of any firewall or NAT whatsoever.
The people who are likely to be secure are paranoid, diligent, a little crazed, and likely have others telling them to "relax, it's not a big deal". Never underestimate how often someone says "dear god, we can't do this" only to be overruled by someone who doesn't see it as a threat ... it happens all the damned time.
The people who get overruled just need to cover their asses so if it happens they can say "told you so". This has been true for years.
I'm betting tons of people around here can give you horror stories about loudly warning about this kind of stuff only to be told to shut up and do it.
Re: (Score:1)
Yes it is. In the early days of the internet the norm was for everything to be publicly accessible; some places (especially universities) haven't moved away from this or have only partially done so (i.e. there is a campus firewall but it's default-allow and is not a NAT). I expect there would be strong resistance from academics to a move to a more locked-down model which gives more power to central IT.
The university I am at usually allocates private addresses when installing new printers (we have paralell
Re: (Score:2)
NAT isn't used for security, in fact it's a major inconvenience and things work better on routable addresses...
People only use NAT because they don't have enough addresses to do things properly.
Re: (Score:2)
Does anyone seriously have an IP protocol printer that isn't behind a NAT and a firewall to boot? Is this really a thing? Listening printer IP ports sitting out in the DMZ? (*boggle*)
(I guess, or he wouldn't have written the blog.) :/
Doesn't matter. Seems printers these days all have Bluetooth and wireless printing as features and turned on by default with things like Bonjour happily asking outsiders to come in.
This has been going on for decades (Score:2, Informative)
HP printers used to also have a built-in web-server. You could access printer functions from the page. I used to use Alta-Vista (which shows you how far back this goes) to search for the welcome text of the page -- and found hundreds of exposed printers.
I'd open the webpage and instruct the printer to print 1000 copies of a page that says "you've been hacked!" in 50-point typeface. It was an amusing prank, but now that printers have storage, yep, it's a bigger problem that HP, all these years later, has nev
Re: (Score:2)
I used to use Alta-Vista (which shows you how far back this goes) to search for the welcome text of the page -- and found hundreds of exposed printers.
I'd open the webpage and instruct the printer to print 1000 copies of a page that says "you've been hacked!" in 50-point typeface. It was an amusing prank...
Here's a hypothetical scenario for you:
I'm walking through a public parking lot looking at all the cars to see if any are left unlocked. Either by ignorance or oversight you've left your car unlocked. I decide to open your door and take a piss on your seat. Would you consider that an "amusing prank"?
I mean, after all, you deserve it. You should have known better than to leave your vehicle unlocked.
Re: (Score:2)
There's a big difference between a car that's not yours and is well understood to be someone else's private property and an open web server on the open internet, voluntarily offering up pages to passers-by. It's more like you're wandering through a locker room and one of the lockers is open. You notice there's a box of chocolates saying "take one", so you do. Of course the box could've been intended for someone else, but with the locker door open who is to know? The missing access control is what made it am
Re: (Score:2)
By printing "1000 copies" in 50-point typeface, the self-professed "hacker" wasn't just harmlessly drawing attention to the exposure. He was deliberately using up a significant amount of consumables and causing unnecessary wear on limited-lifespan parts such as the fuser unit. This is not akin to eating a piece of chocolate from a box left lying around. There is nothing "ambiguous" about it. Anyone with an ounce of common sense should understand that the printer exposure is not a "voluntary offering" for "a
Get out of jail free card and IP6 will just make i (Score:2)
Get out of jail free card and IP6 will just make it even easier to clam by ISP modem just auto put it on the net.
What? (Score:2)
The quote implies that the link would go to Shodan, but instead it points to another article.
Wi-fi printers, ugh. (Score:1)
It isn't just the LaserJets, the OfficeJets, etc all have this issue, and there is one right now within range of my home wi-fi network (and of course my other wireless devices) that helpfully tells me that it is offering an open wi-fi network (while every single wireless router within signal range is password protected). Yes, I have seriously been considering sending the owners a message over their own printer.
Re: (Score:1)
One thing I forgot to mention - yes, I can use HP printer management tools to do silly things like read what is queued in their print spool and how much toner is left in the device.
To be clear... (Score:2)
The reported "thousands of results" are thousands of exposed printers, not necessarily thousands of files so hosted.
By Design You Moron! (Score:1)
It's called FTP printing. It was a thing. It can only be accomplished by having the service running and the port open on the printer. Presumably you want your fucking printer to work as advertised. So, HP enabled the service and port, so you can fucking print and FTP print if you want to.
That you plugged these old printers into the internet, rather than putting them behind a firewall, is not HP's problem. It is an ID10T or PEBCAK issue.
Now, if you want to blame HP et al for stupid lack of security then look no further th
illegal storage (Score:2)
Re:illegal storage (Score:4, Informative)
If you are thinking of storing illegal things this way, remember that the FBI can take over the server, keep it running, and then track it back to you [slashdot.org].
The "server" will be someone ELSE's laser printer, and you'll probably be accessing it via a VPN, or Tails and Tor, so it's not a problem (for you).