Google has indexed thousands of publicly accessible HP printers

241 points by skattyadz, over 12 years ago

35 comments

joering2, over 12 years ago
Idea for a startup.

1. Write a script to scrape Google links to the HP admin panel.

2. Filter out the IPs that are from the US (given you want to work on the US market).

3. Assemble the list of printer types and current toner levels.

4. Write a script that will print to each of those printers one single page, stating your company "Cheapo Suppliers Inc" was notified that "your printer is low on toner. Call xxxxxx to re-fill. Lowest prices guaranteed with one-day delivery!". You can add a link to your shop page that already redirects the user to the specific type of printer they have, some type of one-click order (based on which toners are low).

5. Daily rinse, repeat.

6. Sell your business to HP (at least try to).
mrj, over 12 years ago
Worse than printing somewhere remote, many of those are probably also scanners. If the original is left on the glass (I forget it all the time), an attacker could scan it remotely.
modernerd, over 12 years ago
Some of the IPs are registered to large US universities, which list abuse/tech support email addresses in their records. I've already emailed several with a heads-up and had a couple of "thank you!"s in reply.
josh2600, over 12 years ago
So... Where's Ang Cui at?

In case you guys haven't seen it, Ang Cui is the guy who did the Cisco hack last month, and he's also the guy with the coolest resume on the planet.

He actually found a way to compromise printers during the print process, so by printing his resume, he pwns your printer. This seems like a bull-in-a-china-shop situation for that code.
bintery, over 12 years ago
That's really nothing compared to searching for Canon ImageRunner admin pages (Google lets you search for a URL by content/markers/text in the page info/name). Over on those ImageRunner tech forums, people were able to bring up previous scans going back however far, and in minutes be looking at passports, medical records, college information, etc...

Maybe more disturbing is that as these things are decommissioned they are just 'junked', meaning sent overseas as-is to be 'disposed of'. Anything ever copied, scanned, or sent on that thing is in there somewhere, and some foreign nation is in control of MFDs that were in hospitals, law firms, architect/contractor offices, police stations, and on and on and on.

The holes have been largely fixed through encryption and other techniques, but only very recently, which I've been able to work around myself with forensic tools. I won't provide the link here, but if you Google around you can find discussion on this topic pretty easily.
achillean, over 12 years ago
This is actually one of the earliest searches that was used on the Shodan search engine! Shodan specializes in finding all devices connected to the Internet (including Telnet, SSH, FTP, SNMP etc.):

http://www.shodanhq.com/search?q=hp+jetdirect
http://www.shodanhq.com/search?q=laserjet
http://www.shodanhq.com/search?q=HP-ChaiSOE
kabdib, over 12 years ago
I wrote a scriptable "chooser" when I was at Apple -- it let you programmatically find and select a printer to print to.

I enumerated every printer on campus (about 900 of them at the time, I think), and came *this close* to printing a snarky page -- a fake version of the "Five Star News" internal company news -- on each one of them. Decided not to; probably a good career move that I resisted that urge.
VMG, over 12 years ago
So is the secret service going to knock on my door if I click a link? I can't tell anymore.
cs702, over 12 years ago
I've written about this before.[1] Many network-connected printers simply assume that the local network they connect to will be securely protected from external threats, so they're not configured to withstand even the simplest of attacks. This is exactly the opposite of what many security experts recommend: devices should be secure regardless of whether the network they're on is secure or not.

Bruce Schneier's personal WiFi network at home is fully open, because -- in his own words: "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."[2]

I'm waiting for the great network printer security apocalypse...

--

I ran a quick nmap command (nmap -T4 -A -v -PE [IP address]) on a few of the many printers indexed by Google, and here's a typical result, showing tons of open ports and passwordless login options (I've deleted the hostname and IP address to protect the innocent):

    Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-25 12:15 EST
    NSE: Loaded 36 scripts for scanning.
    Initiating Ping Scan at 12:15
    Scanning XXX.XXX.XXX.XXX [1 port]
    Completed Ping Scan at 12:15, 0.10s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 12:15
    Completed Parallel DNS resolution of 1 host. at 12:15, 0.14s elapsed
    Initiating Connect Scan at 12:15
    Scanning [HOSTNAME] (XXX.XXX.XXX.XXX) [1000 ports]
    Discovered open port 23/tcp on XXX.XXX.XXX.XXX
    Discovered open port 21/tcp on XXX.XXX.XXX.XXX
    Discovered open port 443/tcp on XXX.XXX.XXX.XXX
    Discovered open port 80/tcp on XXX.XXX.XXX.XXX
    Increasing send delay for XXX.XXX.XXX.XXX from 0 to 5 due to max_successful_tryno increase to 5
    Increasing send delay for XXX.XXX.XXX.XXX from 5 to 10 due to max_successful_tryno increase to 6
    Warning: XXX.XXX.XXX.XXX giving up on port because retransmission cap hit (6).
    Discovered open port 14000/tcp on XXX.XXX.XXX.XXX
    Discovered open port 631/tcp on XXX.XXX.XXX.XXX
    Discovered open port 280/tcp on XXX.XXX.XXX.XXX
    Completed Connect Scan at 12:15, 37.26s elapsed (1000 total ports)
    Initiating Service scan at 12:15
    Scanning 7 services on [HOSTNAME] (XXX.XXX.XXX.XXX)
    Completed Service scan at 12:16, 13.09s elapsed (7 services on 1 host)
    NSE: Script scanning XXX.XXX.XXX.XXX.
    NSE: Starting runlevel 1 (of 1) scan.
    Initiating NSE at 12:16
    Completed NSE at 12:16, 3.57s elapsed
    NSE: Script Scanning completed.
    Nmap scan report for [HOSTNAME] (XXX.XXX.XXX.XXX)
    Host is up (0.11s latency).
    Not shown: 978 closed ports
    PORT      STATE    SERVICE       VERSION
    21/tcp    open     ftp           HP LaserJet P4014 printer ftpd
    |_ftp-anon: Anonymous FTP login allowed
    23/tcp    open     telnet        HP JetDirect telnetd
    25/tcp    filtered smtp
    80/tcp    open     http          HP-ChaiSOE 1.0 (HP LaserJet http config)
    | html-title: hp LaserJet 9050
    |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
    111/tcp   filtered rpcbind
    135/tcp   filtered msrpc
    139/tcp   filtered netbios-ssn
    280/tcp   open     http          HP-ChaiSOE 1.0 (HP LaserJet http config)
    | html-title: hp LaserJet 9050
    |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
    443/tcp   open     ssl/http      HP-ChaiSOE 1.0 (HP LaserJet http config)
    | html-title: hp LaserJet 9050
    |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
    445/tcp   filtered microsoft-ds
    515/tcp   filtered printer
    631/tcp   open     http          HP-ChaiSOE 1.0 (HP LaserJet http config)
    | html-title: hp LaserJet 9050
    |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
    1433/tcp  filtered ms-sql-s
    1720/tcp  filtered H.323/Q.931
    3168/tcp  filtered unknown
    4550/tcp  filtered unknown
    6000/tcp  filtered X11
    6112/tcp  filtered dtspc
    8654/tcp  filtered unknown
    9100/tcp  filtered jetdirect
    14000/tcp open     tcpwrapped
    19315/tcp filtered unknown
    Service Info: Device: printer

--

[1] http://news.ycombinator.com/item?id=4412714

[2] http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
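The scan in the comment above shows what a printer looks like from outside, but reading a 1000-port report by hand is where exposures get missed. The following is an added example, written for this page and not part of the thread or of nmap: it parses nmap's normal text output for the port table and the NSE script lines under each port, then flags the open management services a printer should never expose beyond its own LAN. The sample scan inside it is a trimmed copy of the one quoted above with the same XXX.XXX.XXX.XXX and [HOSTNAME] placeholders, and the RISKY_SERVICES table is this example's own assumption rather than vendor guidance.

```python
"""Triage nmap output from a printer scan for exposed management services.

Added example, not from the thread above and not part of nmap: it reads
nmap's "normal" text output, pulls out the port table and the NSE script
lines beneath each port, and reports which reachable services a printer
should not be exposing beyond the local network.
"""
import re

# Services a network printer should not expose beyond the LAN, with the
# reason.  This table is an assumption of the example, not vendor guidance.
RISKY_SERVICES = {
    21: "FTP: cleartext logins, often anonymous",
    23: "Telnet: cleartext management shell (JetDirect telnetd)",
    80: "HTTP: embedded admin web server, frequently without a password",
    280: "HTTP on an alternate port: same embedded admin web server",
    631: "IPP/HTTP: job submission plus the admin web server",
    9100: "JetDirect raw port: accepts arbitrary print jobs",
}

# Matches a port-table row: "21/tcp    open     ftp    HP LaserJet P4014 printer ftpd"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")
# Matches an NSE script line: "|_ftp-anon: Anonymous FTP login allowed"
NSE_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")

# Constructed sample: a trimmed copy of the scan quoted in the thread, with
# the same XXX.XXX.XXX.XXX and [HOSTNAME] placeholders.
SAMPLE_SCAN = """\
Nmap scan report for [HOSTNAME] (XXX.XXX.XXX.XXX)
Host is up (0.11s latency).
Not shown: 978 closed ports
PORT      STATE    SERVICE      VERSION
21/tcp    open     ftp          HP LaserJet P4014 printer ftpd
|_ftp-anon: Anonymous FTP login allowed
23/tcp    open     telnet       HP JetDirect telnetd
25/tcp    filtered smtp
80/tcp    open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
|_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
280/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
443/tcp   open     ssl/http     HP-ChaiSOE 1.0 (HP LaserJet http config)
515/tcp   filtered printer
631/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
9100/tcp  filtered jetdirect
14000/tcp open     tcpwrapped
Service Info: Device: printer
"""


def parse_nmap(text):
    """Return (ports, nse): ports maps port -> (state, service, version);
    nse maps port -> {script name: script output} for the NSE lines that
    follow that port's row in the report."""
    ports, nse, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = (m.group(3), m.group(4), m.group(5) or "")
            continue
        m = NSE_LINE.match(line)
        if m and current is not None:
            nse.setdefault(current, {})[m.group(1)] = m.group(2)
    return ports, nse


def assess(ports, nse):
    """Return [(port, finding), ...] for open services that should not be
    reachable from wherever the scan was run."""
    findings = []
    for port, (state, service, version) in sorted(ports.items()):
        if state != "open":
            continue  # filtered/closed ports are not reachable from the scanner
        if port in RISKY_SERVICES:
            findings.append((port, RISKY_SERVICES[port]))
        if "Anonymous FTP login allowed" in nse.get(port, {}).get("ftp-anon", ""):
            findings.append((port, "anonymous FTP login accepted"))
        if "http config" in version:  # HP's embedded admin UI (HP-ChaiSOE)
            transport = "TLS" if service.startswith("ssl") else "cleartext HTTP"
            findings.append((port, f"embedded admin web UI reachable over {transport}"))
    return findings


if __name__ == "__main__":
    ports, nse = parse_nmap(SAMPLE_SCAN)
    for port, finding in assess(ports, nse):
        print(f"{port:>6}/tcp  {finding}")
```

Run it against a scan of your own printer taken from outside your LAN (a phone hotspot will do). Anything the script reports means the device is reachable from the Internet and should go behind the router's NAT or firewall, with Telnet and FTP disabled in the device settings and a password set on the embedded web UI. Port 9100 shows as filtered in the sample, which is why it produces no finding; it is in the table because an open raw JetDirect port is just as much of a problem as the others.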
KwanEsq, over 12 years ago
Interestingly, if you try to browse far into the results, Google decides it actually only has 73 to display (after telling it to include omitted similar results).
mentat, over 12 years ago
A friendly thing to do would be to develop a script that took the Google results, checked with whois for the abuse address and sent emails. Of course, that could also end up with one being sent to jail for a long time.
feefie, over 12 years ago
How can I tell if my home printer is securely protected? Is there a good web page or text book anyone can recommend that will teach me more details about this? Thanks.
jhdevos, over 12 years ago
Should we now all print documents to those printers with warnings saying that they are publicly accessible?
meaty, over 12 years ago
So within 24 hours, lots of people are going to find out what a goatse is, I reckon.

Even better, a lot of people in the UK have Thomson routers which have an easily calculable WPA default password. Most of these also have smart TVs these days too, which will allow anything to be pushed to them.
penguat, over 12 years ago
So, next question is how much malware is hanging around for those printers? Are all / mostly / some / none compromised?
smallegan, over 12 years ago
Those poor IT support guys who get a call because their small business clients' network is going down due to everyone hitting their printer(s) at once because they show up on the first page :-\
bitwize, over 12 years ago
You did this from your *house*?

What are you, stoned or stupid?
tmosleyIII, over 12 years ago
You can find a lot of open machines and sensitive information using Google; this one for the HP printers was submitted to the Google Hacking Database[1] in 2004.

[1] http://www.exploit-db.com/google-dorks/
kunai, over 12 years ago
I did the Google search, and while the first page does indeed show 86K results, as soon as I navigate to the second, the number drops to 13...

Am I the only one with this problem, or did Google really not index "thousands of publicly accessible HP printers"?
GBond, over 12 years ago
If you recall from the early days of Google, there is plenty of indexed dark data that Google actively scrubs out of the public results. For example, it was trivial at one point to find credit card numbers and social security numbers.
hn-miw-i, over 12 years ago
One million trees just died. The problem with some of the earlier HP printers was that they would accept unsigned firmware updates; you could literally reflash the thing with an update instruction in PostScript.

Some work was done at Columbia University on developing trojanised firmware; I recall a firmware that could transmit CC# over TCP when it saw them in the print stream.

Extreme care must be taken if connecting printers to the Internet. It's at best a horrible idea, and I'd say that most of these are unknown to their owners. Hopefully this gets some MSM coverage and people address the connected printer problem forever. (Not likely.)
jagermo, over 12 years ago
As far as I know this problem has been around for years. If you want to dive deeper into this, I recommend you visit Shodan (http://www.shodanhq.com/).
aw3c2, over 12 years ago
Direct link on Google.com: https://www.google.com/search?q=inurl%3Ahp%2Fdevice%2Fthis.LCDispatcher
daralthus, over 12 years ago
Make sure to watch Ang Cui's demonstration on printer malware at 28c3: http://www.youtube.com/watch?v=njVv7J2azY8
rbchv, over 12 years ago
Use this only to test your own printers. http://cdn.memegenerator.net/instances/400x/33855503.jpg
FollowSteph3, over 12 years ago
I'd hate to be at the top of that Google search result!!
tlrobinson, over 12 years ago
Webcams too: https://news.ycombinator.com/item?id=5116676
sandycheeks, over 12 years ago
The first thing I thought of was a course that I took decades ago that discussed using printers for covert channels to get data out of secure networks.

I wonder if any of those are honeypots. It may be interesting to see if any visitors do something clever or unexpected.
afita, over 12 years ago
I'm surprised nobody mentioned PrintFS in this thread: http://www.remote-exploit.org/articles/printfs/index.html
fnordfnordfnord, over 12 years ago
Time for fun. Insert Coin, PC Load Letter, etc. Good times. http://miscellany.kovaya.com/2007/10/insert-coin.html
deadairspace, over 12 years ago
Wow. There is at least one printer on there in a US governmental department, and on one of the settings pages is a huge list of emails of employees. And now I'm probably on some kind of list.
TranceMan, over 12 years ago
> What happened to you today?

My printer got slashdotted :(

> Eh?
hippich, over 12 years ago
And again - so many wasted IPv4s...
kristopolous, over 12 years ago
And bam, junk fax companies are back in business.
humanspecies, over 12 years ago
This is truly an old hack, from the days of Altavista; you can find all sorts of open devices and even file folders (I think they've censored those results now) on the internet.