In an effort to demonstrate the dangers of disregarding the sad state of printer security, a hacker known as Stackoverflowin claims to have hijacked around 150,000 printers that were reachable from the Internet. The hacker, who says he has a background in cybersecurity, claims he had nothing but good intentions.
“Obviously there’s no botnet,” said Stackoverflowin. “People have done this in the past and sent racist flyers etc. I’m not about that, I’m about helping people to fix their problem, but having a bit of fun at the same time ; ) Everyone’s been cool about it and thanked me to be honest.”
While it is a bit of fun, and arguably useful that this hacker used his abilities to send out a friendly warning, it will be neither fun nor cool if no one acts quickly to fix the underlying exposure.
Automated Script Responsible For Exposing Lack of Printer Security
Stackoverflowin wrote an automated script, which, in his words, “targets printing devices that have IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and port 9100 left open to external connections.” In other words, it looked for printers whose print services (IPP on TCP 631, LPD on TCP 515 and the raw "JetDirect" port, TCP 9100) accepted connections from the public Internet, and anything that answered got a job. The script was indiscriminate, hitting everything from high-end multifunction printers at corporate headquarters to receipt printers at small restaurants. Devices from HP, Brother, Epson, Canon, Konica Minolta and Samsung were among those hit. Note that no vendor-specific flaw was needed for this: a raw print port accepts whatever is sent to it, so the exposure is the open port itself, not a bug in any one manufacturer's firmware.
Once connected, Stackoverflowin simply sent the devices documents to print, alerting victims to the hack and advising owners to disable remote access so the printers could not be conscripted into botnets. The victims quickly began posting photos of the often entertaining messages to Twitter and Reddit:
“hacked / hacked / lol just, / kidding
For the love of God, please close this port, skid.”
Stackoverflowin – Hacker, on a note sent to a hijacked printer.
And if the hacker had malicious intentions?
While victims of this attack were thankful and amused, a hacker with less honorable intentions could have used the same access to push a rogue firmware update onto vulnerable devices. These devices could then be conscripted into a giant botnet, turning the printers into weapons for use in future DDoS attacks (much like the Mirai attack on the DNS provider Dyn that crippled internet access across the US East Coast in October 2016).
Additionally, a malicious hacker could have used this opportunity to read documents cached in a compromised printer’s memory or storage. This could include confidential data such as company details, financial information, patient information or even passwords, which would further compromise an organization’s network.
Printer Hack Shouldn’t Come As A Surprise
A recent report published by three academics in Germany (Ruhr-Universität Bochum) paints a bleak picture when it comes to the sad state of printer security. In their analysis, the team examined printers from different brands, including HP, Brother, Lexmark, Dell, Samsung, Konica, OKI, and Kyocera.
According to bleepingcomputer.com, the team used a custom-made tool called PRET (Printer Exploitation Toolkit) to automate local (USB), network (LAN), or remote (Internet) attacks on printers by exploiting old and new security flaws. Some of these flaws have been known publicly for years, but few manufacturers had bothered to patch them. In particular, the academics built their attacks on PostScript and Printer Job Language (PJL), two languages supported by most major printer manufacturers.
By doing this, the researchers demonstrated that an attacker could read a printer’s NVRAM (non-volatile memory) and steal data such as confidential documents and passwords. Other bugs the researchers uncovered enabled them to crash printers or cause physical damage to the devices.
For this study, the academics also examined cloud services such as Google Cloud Print and found vulnerabilities. This led them to warn that similar services offered by Epson, or Apple’s AirPrint, could also be at risk.
What can be done?
Keeping the device off the public Internet is the first option. Disable the printer’s embedded web server and any remote or cloud printing functionality you do not use, and block inbound connections to the print ports at the router or firewall: TCP 9100 (raw printing), TCP 515 (LPD) and TCP 631 (IPP). Then verify the change from outside your network, since a router with UPnP or an old port-forwarding rule can quietly re-expose the device.
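To check that exposure, the following script does the same thing Stackoverflowin’s scanner did, but as an audit of your own addresses: it tests whether TCP 515, 631 and 9100 accept connections and, for the raw port, sends a PJL `@PJL INFO ID` query to identify the device. This is an added example written for this article, not Stackoverflowin’s script or the PRET tool; the fake printer at the bottom is a constructed stand-in that answers only `INFO ID`, so the audit can be exercised offline.

```python
"""Audit a host for Internet-exposed print services (added example).

Probes the three ports the article describes (LPD 515, IPP 631, raw 9100) and
fingerprints a raw-port printer with the PJL 'INFO ID' query. Point it at
your own public IP from outside your network to confirm the ports are closed.
"""
import socket
import sys
import threading

# Port -> service name. "raw" is the JetDirect-style port that speaks PJL.
PRINT_PORTS = {515: "LPD", 631: "IPP", 9100: "raw"}

# PJL commands are wrapped in the Universal Exit Language (UEL) sequence.
UEL = b"\x1b%-12345X"
PJL_INFO_ID = UEL + b"@PJL INFO ID\r\n" + UEL


def parse_pjl_info_id(raw):
    """Return the model string from an INFO ID reply, or None if absent.

    A real reply looks like: b'@PJL INFO ID\\r\\n"HP LaserJet 4250"\\r\\n\\x0c'
    (form feed terminates the response).
    """
    text = raw.decode("latin-1", errors="replace")
    idx = text.find("@PJL INFO ID")
    if idx < 0:
        return None
    for line in text[idx:].splitlines()[1:]:
        line = line.replace("\x0c", "").strip()
        if line:
            return line.strip('"')
    return None


def probe_port(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds (the port is exposed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pjl_fingerprint(host, port=9100, timeout=2.0):
    """Send '@PJL INFO ID' on the raw port and return the model, or None."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PJL_INFO_ID)
            while b"\x0c" not in buf:          # read until the form feed
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
    except OSError:
        return None
    return parse_pjl_info_id(buf)


def audit_host(host, ports=None, timeout=2.0):
    """Return {port: description} for every exposed print port on host."""
    ports = ports or PRINT_PORTS
    exposed = {}
    for port, name in ports.items():
        if not probe_port(host, port, timeout):
            continue
        exposed[port] = name
        if name == "raw":                      # only the raw port speaks PJL
            model = pjl_fingerprint(host, port, timeout)
            if model:
                exposed[port] = "raw (%s)" % model
    return exposed


def start_fake_printer(model=b'"HP LaserJet 4250"'):
    """Constructed stand-in for a raw-port printer on 127.0.0.1; returns its port.

    It only answers '@PJL INFO ID', which is enough to exercise audit_host()
    without touching a real device.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if b"@PJL INFO ID" in conn.recv(4096):
                    conn.sendall(b"@PJL INFO ID\r\n" + model + b"\r\n\x0c")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(audit_host(target) or "no print ports exposed on %s" % target)
```

Run it as `python3 audit.py <your-public-ip>` from a host outside the network (a phone hotspot will do). An empty result is what you want; anything that comes back with a model string is a printer that will accept arbitrary jobs from anyone on the Internet.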
However, the best option would be for manufacturers to build devices with security already baked in. The United States government is already weighing in on the shambolic state of IoT security.
The US Department of Commerce issued the Fostering the Advancement of the Internet of Things report, which recommends that policies be developed as a collaborative effort between government, civil society, academia, the technical community, and the private sector, both globally and domestically, with areas such as cybersecurity and privacy considered particularly important.
“The highly networked nature of IoT creates a large number of attack surfaces that can be exploited; some IoT device makers have not followed established cybersecurity best practices used in other information security contexts; and some connected devices will collect vast amounts of personal information, enabling high impact attacks,” the report stated.