That's not my printer! Accidentally finding unsecured HP printers in the wild
By @edent
· CyberSecurity printer · 5 comments · 500 words · read ~218 times.
The other day, my HP M140w printer stopped working. The day before, it printed fine. This time, nothing. I rebooted, reset, updated, and performed all the modern rituals associated with uncooperative hardware.
I logged into to the printer's webserver and clicked around the admin panel. On one page, I found an error message. So, like any self-respecting geek, I ignored what it said and Googled the text.
The first result on Google looked hopeful. I clicked on it and, somehow, ended up back on my printer. D'oh! Fat fingers. I must have hit some esoteric button combination. So I clicked back and tried again. Nope. Still my printer. WT... F...?
Oh... OH! This was not my printer. A fact I could tell from the subtly different model number, the public IP address, and that the user interface was in Cyrillic.
Ah.
Now, at this point I had two options:
- Break both domestic and foreign law by printing out a page on someone else's printer saying "Secure your network, yo!"
- Be a responsible adult and report it to the appropriate person.
A quick whois of the IP address showed that it was located in Alaska, USA. A very reliable source tells me you can see Russia from Alaska - but I didn't realise the denizens spoke the language. Nevertheless, I decided not to risk extradition. No illegal printing for me.
The owner of the IP address was listed as GCI an Alaskan ISP. They have no published security contact. So I tried customer service. I spent a frustrating 45 minutes trying to explain that, although I wasn't their customer, I would very much like to report a problem which affected one of their customers. And, no, I didn't have an account number. And, yes, they could try phoning me if they really wanted.
In the end, they didn't seem to understand what an IP address was nor how to find the customer responsible. So I dropped an email to the ISP contact listed in whois which promptly bounced.
Perhaps it doesn't matter. It seems that the default protection is relatively good. You can't reconfigure the devices without having the password which is printed on them. As far as I can tell, the password is not based on the MAC or any other public details.
Similarly, I don't think it is actually possible to print from them. But you can find their internal IP address, amount of ink left, details of number of prints, the entire error log etc.
By searching for specific strings present on my printer's webserver, I've since managed to find dozens of public HP printers in Hawaii, Ukraine, Poland, Russia, and the Netherlands.
Is HP's security good enough to prevent a determined hacker compromising these machine? That remains to be seen.
In the meantime, be careful about letting your printer roam free on the Internet. It's a scary world out there.
@Edent oh the decadence… wasting an IPv4 to forward a gorram printer interface 😜
mike says:
There are HP printers with their web interfaces exposed to the internet and no credentials set on the administrative part. Some of them allow you someone with access to the administrative part of the web interface to install new firmware. So I've heard. https://www.shodan.io/
You can probably find thousands of printers and all kinds of devices using the Shodan search engine, in case you don't know about it yet.
I'm sure you can print to it over the lpd or JetDirect TCP ports. These printers are not designed to make basic printing difficult, otherwise the cost of serving the tech support call would eat into what little profit there is on the hardware.
Bsage says:
Perhaps you dont remember... In November 2018 the story of 50,000 printers exposed to the internet and the one who tried raising awareness of the issue. https://darknetdiaries.com/episode/31/
More comments on Mastodon.