Hacker pwns 150,000 printers to issue a security warning

If your printer unexpectedly output a strange message over the weekend in the IBM Courier typeface complete with an ASCII-generated image of a robot, then you weren’t alone.

It seems that the owners of up to 150,000 printers around the world received the same message:

Stackoverflowin has returned to his glory, your printer is part of a botnet, the god has returned, everyone likes a meme, fix your bulls***… For the love of God, please close this port, skid.

Over a period of 24 hours, slightly different versions of the same message emerged from printers made by manufacturers including HP, Brother, Dell, Canon, Samsung, Epson, Lexmark, Oki and Ricoh.

The culprit, Stackoverflowin, wasn’t exactly trying to hide himself, helpfully signing off the document with contact email and Twitter handles (the latter now suspended).

The issue of printer security – or the lack of it – has been bubbling under for years. Only days ago, as reported in Naked Security, German researchers published the results of tests they had carried out to assess security on a cross-section of office networked printers.

Among a clutch of security problems they uncovered were several ways to exploit access to networked printers through what is termed RAW printing on port 9100.

Popularised by HP’s JetDirect in the 1990s, port 9100 was configured for remote maintenance by admins, although it can also be used to print. Other examples of direct access include the Internet Printing Protocol (IPP) on port 631, and the old Unix Line Printer Daemon (LPD) on port 515.

Why so many confusing ways to connect to printers? Mostly, it’s to do with history and manufacturers coming up with their own way to do things which have accumulated over time. It’s easy to forget that printers have been around for decades.

In an email interview, Stackoverflowin said the attack was executed using scripts targeting these direct ports, while Dell printers were hit with an exploit for a remote code execution vulnerability.

Obviously there’s no botnet. People have done this in the past and sent racist flyers etc. I’m not about that, I’m about helping people to fix their problem, but having a bit of fun at the same time ; ) Everyone’s been cool about it and thanked me to be honest.

The “racist flyers” incident refers to an attack last March in which printers at US universities spewed Nazi propaganda after infamous hacker Weev researched easy targets on Shodan.

Given this history of incidents, what can be done to defend networked printers?

A target list of 150,000 is small compared to the world population of printers, which must run to a billion or more. The attacks are warnings, but still quite small ones.

Nevertheless, a troubling minority of internet-accessible and networked printers clearly haven’t been secured via their management interfaces, possibly because they are not seen as vulnerable. For an external attacker to reach a networked printer on port 9100, 631 or 515, something has also gone skew-whiff at the firewall level.

Meanwhile, is your printer potentially vulnerable? Every printer is different, so do check your specific model, but

  • The affected printers are all networked models – and that could well include wireless printers
  • If your printer has built-in management, make sure you’ve properly secured it from remote access – starting with changing the default password
  • Make sure your firewall is properly configured
  • Don’t leave your printer switched on if you’re not using it
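The firewall point above and the checklist are easier to act on if you can see which of the three direct-printing ports (9100, 631, 515) a printer actually answers on from a given network position. The script below is an added example for this article, not code from Naked Security or from any printer vendor; it assumes you run it from inside your own network against printers you administer, and the printer addresses in it are constructed placeholders. It only completes a TCP handshake and sends no print data, so the printer stays quiet.

```python
"""Audit whether a printer's direct-printing ports accept TCP connections.

Added example for the article above (not the author's code). Run it from
the network segment you want to check; if the RAW, IPP or LPD port answers
from a segment that should not reach the printer, the firewall or the
printer's own management settings need attention.
"""
import socket
from typing import Dict, List

# The three direct-access ports named in the article.
PRINTER_PORTS = {9100: "RAW (JetDirect)", 631: "IPP", 515: "LPD"}


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    Nothing is written to the socket; a bare connect is enough to tell
    whether the service is reachable from where this script runs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_printer(host: str, ports: Dict[int, str] = PRINTER_PORTS,
                  timeout: float = 1.0) -> Dict[int, bool]:
    """Map each port number to whether it accepted a connection on host."""
    return {port: port_is_open(host, port, timeout) for port in ports}


def exposed_ports(result: Dict[int, bool]) -> List[int]:
    """Sorted list of the ports that answered, i.e. the ones to restrict."""
    return sorted(port for port, is_open in result.items() if is_open)


def report(host: str, result: Dict[int, bool],
           ports: Dict[int, str] = PRINTER_PORTS) -> str:
    """Human-readable summary, one line per port."""
    lines = [f"Printer {host}:"]
    for port in sorted(result):
        status = ("OPEN   - restrict at firewall / printer admin page"
                  if result[port] else "closed")
        lines.append(f"  {port:>5}/tcp  {ports.get(port, '?'):<16} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with your own printers.
    for printer in ("printer-1.example.internal", "192.0.2.10"):
        print(report(printer, audit_printer(printer)))
```

Run it once from the office LAN and once from a guest or external network segment: ports that are open from the LAN are a policy decision, but a port that answers from outside is the "skew-whiff at the firewall level" case the article describes and should be closed there first, then locked down on the printer's admin page.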

It does serve as a reminder that the old box in the corner is not just another harmless printing workhorse. Poorly configured, a printer can be an inky route into anyone’s home or business.