That's not my printer! Accidentally finding unsecured HP printers in the wild


The other day, my HP M140w printer stopped working. The day before, it printed fine. This time, nothing. I rebooted, reset, updated, and performed all the modern rituals associated with uncooperative hardware.

I logged in to the printer's webserver and clicked around the admin panel. On one page, I found an error message. So, like any self-respecting geek, I ignored what it said and Googled the text.

The first result on Google looked hopeful. I clicked on it and, somehow, ended up back on my printer. D'oh! Fat fingers. I must have hit some esoteric button combination. So I clicked back and tried again. Nope. Still my printer. WT... F...?

Oh... OH! This was not my printer. A fact I could tell from the subtly different model number, the public IP address, and that the user interface was in Cyrillic.

Screenshot of an HP printer's internal setting screen with everything written in Russian.

Ah.

Now, at this point I had two options:

  1. Break both domestic and foreign law by printing out a page on someone else's printer saying "Secure your network, yo!"
  2. Be a responsible adult and report it to the appropriate person.

A quick whois of the IP address showed that it was located in Alaska, USA. A very reliable source tells me you can see Russia from Alaska - but I didn't realise the denizens spoke the language. Nevertheless, I decided not to risk extradition. No illegal printing for me.

The owner of the IP address was listed as GCI, an Alaskan ISP. They have no published security contact. So I tried customer service. I spent a frustrating 45 minutes trying to explain that, although I wasn't their customer, I would very much like to report a problem which affected one of their customers. And, no, I didn't have an account number. And, yes, they could try phoning me if they really wanted.

In the end, they didn't seem to understand what an IP address was nor how to find the customer responsible. So I dropped an email to the ISP contact listed in whois which promptly bounced.

Perhaps it doesn't matter. It seems that the default protection is relatively good. You can't reconfigure the devices without having the password which is printed on them. As far as I can tell, the password is not based on the MAC or any other public details.

Pop up showing where the password can be found.

Similarly, I don't think it is actually possible to print from them. But you can find their internal IP address, amount of ink left, details of number of prints, the entire error log etc.

By searching for specific strings present on my printer's webserver, I've since managed to find dozens of public HP printers in Hawaii, Ukraine, Poland, Russia, and the Netherlands.

Is HP's security good enough to prevent a determined hacker compromising these machines? That remains to be seen.

In the meantime, be careful about letting your printer roam free on the Internet. It's a scary world out there.



5 thoughts on “That's not my printer! Accidentally finding unsecured HP printers in the wild”

  1. mike says:

    There are HP printers with their web interfaces exposed to the internet and no credentials set on the administrative part. Some of them allow someone with access to the administrative part of the web interface to install new firmware. So I've heard. https://www.shodan.io/

  2. says:

    You can probably find thousands of printers and all kinds of devices using the Shodan search engine, in case you don't know about it yet.

  3. I'm sure you can print to it over the lpd or JetDirect TCP ports. These printers are not designed to make basic printing difficult, otherwise the cost of serving the tech support call would eat into what little profit there is on the hardware.

