1. write a script to scrape google links to HP admin panel
2. filter out the IPs that are from US (given you want to work on US market)
3. assemble the list of printer types and current toner levels.
4. write a script that will print to each of those printers a one single page, stating your company "Cheapo Suppliers Inc" was notified that "your printer is low on toner. Call xxxxxx to re-fill. Lowest prices guaranteed within one day delivery!". You can add link to your shop page that already redirects user to specific type of printer they have, some type of one-click order (based on which toners are low).
Back in the late 90s there was a common scam run against big-ish offices.
A caller would call asking to talk to the person in charge of printers, typically either IT or Facilities.
Once connected they would say that they are sending out the recipients free gift, which was some lame piece of electronics - often a small television. They would get the work address and confirmation to ship the free gift. They would claim that along with the free gift - they would send a sample toner cartridge that had "super fine toner in it, certified by HP to last 3 times as long as other toner cartridges"
Then, along with the free gift, a PALLET of toner cartridges would be sent - along with an invoice for some ridiculous amount.
When I got my first call about these "super fine toner cartridges" - I got suspicious and contacted HP. They told me about the scam - but that it was hard to find the people. They asked me to get as much info as I could from them if they called again. I got a call again, got as much info as I could without accepting the offer for the free gift - but they wound up sending it to me, along with the pallet of cartridges as well.
HP came to my office and picked it all up after contacting them again.
Over the years - I received more of these calls - and as soon as they brought up toner and free gifts, I told them I knew the scam they were running - and they would promptly hang up on me...
Yeah and then they retaliate by sending you two pallets of crap toner cartridges, had enough? No? Still not going to pay? Ok here are five pallets of crap toner cartridges sitting in your mail room. Call up the dump, "What? Toner? That's probably a toxic waste, you'll have to make an appointment and pay the extortionate hazardous waste fee." Then the toner guy calls back "You either pay us or next time it will be 10 pallets."
Because it is a scam, the toner isn't viable toner. The SJ Mercury news had a story on this during the great re-inking (people refilling ink carts, HP retaliating) and this particular scam was tied to people getting 'scrap' toner (which is they offered to dispose of unused/old/not-to-spec toner, got paid to do so, took it and poured it into plastic toner holders and then tried to sell it as 'oem' or 'extra fine' toner etc) There were complaints that it clogged printers, had smearing issues, and cost money to throw away. So the scammers were getting it on both ends, money to dispose it, and money from people tricked into buying it. The key here is that if there were a legitimate way/value to selling this toner they wouldn't be using it in their scam, they would just be selling it.
At that point it's extortion and you can tell the police where the criminals are going to show up. No different than any other "We're going to keep dumping stuff on your lawn until you pay us protection money."
It's not a postal thing, I believe it's common law. If someone ships you something unsolicited, you are under no obligation to return the item or make payment.
Aha! "Unsolicited" was the missing piece in the Google puzzle. It's actually not common law. It's 39 USC § 3009: http://www.law.cornell.edu/uscode/text/39/3009, and was passed in the Postal Reorganization Act of 1970.
I believe this was originally in response to shoe manufacturers mailing people shoes and then invoicing for them if they weren't sent back.
As for whether it applies to non-USPS shipments, I have strong doubts. The law says "mail", and my understanding is that because the USPS is a protected monopoly, non-USPS carriers are explicitly not mail services.
Sending random invoices to companies hoping they'll just pay without thinking about it is a pretty common scam actually. Here in Germany for instance you start getting dozens of fake invoices via ordinary mail the exact second you register a new company, and I guess it's not very different in other countries.
Their scam is that when they invoice - they hope that the company is big enough to the point where A/P just pays it when they say "Yeah so-and-so in IT confirmed this order" -- they are hoping that the initial contact and the AP departments don't talk.
No nostalgia required ... they still call, even the small business I work for gets at least one or two calls for toner cartridges and we work for your printing company a month.
Yup. They are still around and pretty ruthless. They get the printer models on the first call from a receptionist or someone "I'm calling about fixing the printer... that's a... HP... right? No? Konica, yeah, that's right we have that change in our forms."
Then they call back again and ask for the person in charge of ordering toner and reference the exact model. Sigh. Almost as bad as the "yellow page" people.
In the US, this will get you arrested, you will have a huge fine and probation, and prison time is not off the table.
I'll refer you to the CAN-SPAM Act of 2003, which does not just govern unsolicited e-mail, but all commercial mail which the law defines as electronic communication (bulk faxes, etc.)
You had not done any crime by using Google to find them.
You obtained access to their open HP admin panel via public link with no password or credentials you had to pass.
You haven't stolen any information and, furthermore, there is NO confidential information even to be stolen to start with.
On the top of that, you cannot even determine who they are (name, company, address, email, nothing?). They are totally undefinable sitting by a raw IP address. Sure you know someone is using HP printer. Can you get legally punished for that?
I don't think that taking advantage of publicly accessible information is punishable by jail, especially since no one got hurt and no information was stolen, whether it is information someone made their living off of (Aaron case), or just totally worthless information as of what brand computer or printer is being used. It would be hard for a company to sue you -- (lack of merit)?
If Google got away with snooping private data from open WiFis (and I am sure they made some sort of use from all that gathered data, even if only internally), then I am pretty sure you won't get any heat for such a petite stretch of snooping people's printers.
Another thought: you may say that someone can sue you for printing a page using their material and toner, but that's too little of damage to even start with. However, arguendo, if you would get slammed with class action lawsuit, you are most likely a millionaire from your idea anyways :)
It's about time for all people to recognize that web server software is an unrestricted broadcasting system by default and that if users want some sort of security they should definitely get behind a firewall or restrict MAC addresses. If they fail to enforce security it should be their fault, not the person accessing them. Apache and other web server software vendors should put that in their license. If that clause had been there maybe Aaron Swartz would still be alive today. As things stand today it's just a lame way to enable irresponsible people to set up web servers and printers containing web servers to put their hands up and say "not my fault."
If people want to play geek they'd better learn geek, No excuses.
Who says I am not authorised? I can claim that public access is an implicit authorization, like any website! And there is no warning or message in the public control panels.
Is a printer publicly accessible over an IP network really so different from a fax machine publicly accessible over switched phone network? Hell, many times (probably always these days) the fax machine is a printer so if the printer is a "computer" the fax machine half of it surely should be as well.
I can see them getting you for spam, just as they can with unsolicited faxes I believe, but anything more than that? Seems a little silly.
To add to the printer/fax comparison, I have known people who used printers in different physical locations within an organization as a "fax machine" that was easier to use with a computer. Need to send some documents to the guys across the state? Print it to them.
There have been case(s) I think (in USA) concerning websites where it was argued successfully that placing a non-password-protected page available on the public internet was implied consent to access/use that service.
That seems the right way to do it. You can't then, for example, put up a website which enables printing and then claim that people who use it are financially liable for using that service.
That would be like putting a bench on a busy street and then popping up and charging people if they happened to sit on it - if they sit down, you can tell them they're not authorised to sit without payment, or you can advertise lack of authorisation (eg with a price list) but otherwise you're implying consent.
Yeah, and there is a guy currently fighting in court because he changed some numbers in a URL and was able to get information on other customers from AT&T ... CFAA.
This is different in essential details. Google are indexing these pages. That means the pages are advertised as part of the public internet.
Now not every layman knows how to properly hook things up to the internet, but there is a definite implied consent in doing so. If the pages were restricted by password and we were bypassing it, or they were locked to an IP and we could spoof it, then there wouldn't be an implied consent to access the service being provided; but that's not the case here.
If you want to look at intent then it's notable that many listed are University addresses - people setting up those printers absolutely know what they're doing.
If you purposefully used excessive paper/ink or you kill the hardware with a broken firmware update then those things are definitely not authorised by the implied consent and would constitute vandalism.
Do you really believe that? That the owners of the printers on this public wire would appreciate, in fact deliberately encourage, anonymous users accessing them like that?
I don't see where the implied consent is unless they were advertising the availability of those addresses on the public internet, eg they were listed in Google. It's a small but crucial difference to the legal position IMO.
> The printers are on public wire.
> You had not done any crime by using Google to find them.
> You obtained access to their open HP admin panel via public link with no password or credentials you had to pass.
There's even less barrier to sending a junk fax, and that can get you fined and potentially jailed.
I will argue. Junk fax is a message sent to a number for no reason. In my example I would only send messages (print) on the printers that would be low with toner. I would NOT print on every single printer just because I can. Huge difference.
What a great way to distribute malware. Host it on a server somewhere, encode the URL in a QR code, and print just the code, blown up large, with no descriptors to printers everywhere. People will be so intrigued they'll just scan it. Aaaaaaaaand infected.
Worse than printing somewhere remote, many of those are probably also scanners. If the original is left on the glass (I forget it all the time), an attacker could scan it remotely.
Some scanners (and printers, for that matter) store cached copies of recently scanned/printed items. Probably you could grab those if you knew what you were doing.
That's a very bad idea, you should call your lawyer/a law firm to prepare for the impending deluge of threatening letters and lawsuits filed against you.
These sorts of interfaces are often connected to fileshares, so there's probably a route in there for a cracker. Also it may be possible to upload firmware - either corrupted firmware that bricks the printer or firmware that sends copies of all printed docs to a file store.
Some of the IPs are registered to large US universities, who list abuse/tech support email addresses in their records. I've already emailed several with a headsup and had a couple of "thank you!"s in reply.
In case you guys haven't seen it, Ang Cui is the guy who did the Cisco hack last month and he's also the guy with the coolest resume on the planet.
He actually found a way to compromise printers during the print process, so by printing his resume, he pwns your printer. This seems like a bull in the china shop situation for that code.
That's really nothing compared to searching for Canon ImageRunner admin pages (google lets you search for a URL by content/markers/text in the page info/name) - over on those imagerunner tech forums, people were able to bring up previous scans going back however far, and in minutes be looking at passports, medical records, college information, etc...
Maybe more disturbing is that as these things are decommissioned they are just 'junked'. Meaning sent overseas as is to be 'disposed' - anything ever copied, scanned, or sent on that thing is in there somewhere and some foreign nation is in control of MFDs that were in hospitals, law firms, architect/contractor office, police stations, and on and on and on.
The holes have been largely fixed through encryption and other techniques but only very recently - which I've been able to work around myself with forensic tools. I won't provide the link here, but if you google around you can find discussion on this topic pretty easily.
> anything ever copied, scanned, or sent on that thing is in there somewhere
I wouldn't be terribly surprised to find out my MFD has more persisted and recoverable in it than my first guess of how much it has (nothing), but it certainly doesn't have every page that's ever gone in or out of it.
This is actually one of the earliest searches that was used on the Shodan search engine! Shodan specializes in finding all devices connected to the Internet (including Telnet, SSH, FTP, SNMP etc.):
I wrote a scriptable "chooser" when I was at Apple -- it let you programmatically find and select a printer to print to.
I enumerated every printer on campus (about 900 of them at the time, I think), and came /this close/ to printing a snarky page -- a fake version of the "Five Star News" internal company news -- on each one of them. Decided not to; probably a good career move that I resisted that urge.
Asking from ignorance here, is there a common protocol in use to communicate with printers e.g. find, interact with (print) and query (ask for toner level for instance) them?
Seems it would make a valuable tool for managing a larger number of printers, to know when to switch the toner for instance.
I've written about this before.[1] Many network-connected printers simply assume that the local network they connect to will be securely protected from external threats, so they're not configured to withstand even the simplest of attacks. This is exactly the opposite of what many security experts recommend: devices should be secure regardless of whether the network they're on is secure or not.
Bruce Schneier's personal WiFi network at home is fully open, because -- in his own words: "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."[2]
I'm waiting for the great network printer security apocalypse...
--
I ran a quick nmap command (nmap -T4 -A -v -PE [IP address]) on a few of the many printers indexed by Google, and here's a typical result, showing tons of open ports and passwordless login options (I've deleted the hostname and IP address to protect the innocent):
Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-25 12:15 EST
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 12:15
Scanning XXX.XXX.XXX.XXX [1 port]
Completed Ping Scan at 12:15, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:15
Completed Parallel DNS resolution of 1 host. at 12:15, 0.14s elapsed
Initiating Connect Scan at 12:15
Scanning [HOSTNAME] (XXX.XXX.XXX.XXX) [1000 ports]
Discovered open port 23/tcp on XXX.XXX.XXX.XXX
Discovered open port 21/tcp on XXX.XXX.XXX.XXX
Discovered open port 443/tcp on XXX.XXX.XXX.XXX
Discovered open port 80/tcp on XXX.XXX.XXX.XXX
Increasing send delay for XXX.XXX.XXX.XXX from 0 to 5 due to max_successful_tryno increase to 5
Increasing send delay for XXX.XXX.XXX.XXX from 5 to 10 due to max_successful_tryno increase to 6
Warning: XXX.XXX.XXX.XXX giving up on port because retransmission cap hit (6).
Discovered open port 14000/tcp on XXX.XXX.XXX.XXX
Discovered open port 631/tcp on XXX.XXX.XXX.XXX
Discovered open port 280/tcp on XXX.XXX.XXX.XXX
Completed Connect Scan at 12:15, 37.26s elapsed (1000 total ports)
Initiating Service scan at 12:15
Scanning 7 services on [HOSTNAME] (XXX.XXX.XXX.XXX)
Completed Service scan at 12:16, 13.09s elapsed (7 services on 1 host)
NSE: Script scanning XXX.XXX.XXX.XXX.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 12:16
Completed NSE at 12:16, 3.57s elapsed
NSE: Script Scanning completed.
Nmap scan report for [HOSTNAME] (XXX.XXX.XXX.XXX)
Host is up (0.11s latency).
Not shown: 978 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp HP LaserJet P4014 printer ftpd
|_ftp-anon: Anonymous FTP login allowed
23/tcp open telnet HP JetDirect telnetd
25/tcp filtered smtp
80/tcp open http HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
|_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
111/tcp filtered rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
280/tcp open http HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
|_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
443/tcp open ssl/http HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
|_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
445/tcp filtered microsoft-ds
515/tcp filtered printer
631/tcp open http HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
|_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
1433/tcp filtered ms-sql-s
1720/tcp filtered H.323/Q.931
3168/tcp filtered unknown
4550/tcp filtered unknown
6000/tcp filtered X11
6112/tcp filtered dtspc
8654/tcp filtered unknown
9100/tcp filtered jetdirect
14000/tcp open tcpwrapped
19315/tcp filtered unknown
Service Info: Device: printer
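Added example, not from the thread: a small Python audit of an nmap report for a printer you administer, flagging the exposures visible in the output above (anonymous FTP, telnet, the embedded web configuration panel, raw printing on 9100). The sample is an excerpt of the report quoted above; the severity labels and remediation wording are this example's assumptions.

```python
import re

# Excerpt of the scan report quoted above (addresses were already redacted there).
SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp HP LaserJet P4014 printer ftpd
|_ftp-anon: Anonymous FTP login allowed
23/tcp open telnet HP JetDirect telnetd
25/tcp filtered smtp
80/tcp open http HP-ChaiSOE 1.0 (HP LaserJet http config)
| html-title: hp LaserJet 9050
|_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
443/tcp open ssl/http HP-ChaiSOE 1.0 (HP LaserJet http config)
515/tcp filtered printer
631/tcp open http HP-ChaiSOE 1.0 (HP LaserJet http config)
9100/tcp filtered jetdirect
14000/tcp open tcpwrapped
Service Info: Device: printer
"""

# "21/tcp open ftp <optional version text>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_report(text):
    """Return {port: {"state", "service", "version", "scripts"}} from a port table."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5) or "",
                "scripts": [],
            }
        elif line.startswith("|") and current is not None:
            # NSE script output ("|_ftp-anon: ...") belongs to the port above it.
            ports[current]["scripts"].append(line.lstrip("|_ ").strip())
        else:
            current = None
    return ports


def audit(ports):
    """Return (port, severity, issue, fix) tuples for open, risky services.

    Severity labels and fixes are assumptions of this example, not nmap output.
    """
    findings = []
    for port, info in sorted(ports.items()):
        if info["state"] != "open":
            continue  # filtered/closed ports are not reachable services
        svc, ver, scripts = info["service"], info["version"], info["scripts"]
        if svc == "ftp" and any("Anonymous FTP login allowed" in s for s in scripts):
            findings.append((port, "high", "anonymous FTP login accepted",
                             "disable FTP printing or require credentials"))
        elif svc == "telnet":
            findings.append((port, "high", "cleartext telnet management",
                             "disable telnet on the print server"))
        elif "http" in svc and "http config" in ver:
            findings.append((port, "medium", "web configuration panel reachable",
                             "set an admin password and firewall the port"))
        elif svc == "jetdirect":
            findings.append((port, "high", "raw print port reachable",
                             "restrict port 9100 to the print server or LAN"))
    return findings


if __name__ == "__main__":
    for port, severity, issue, fix in audit(parse_report(SAMPLE_REPORT)):
        print(f"{port:>5}/tcp  {severity:<6} {issue}: {fix}")
```
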
A few months ago I erroneously port scanned our office HP networked printers (I meant to scan our internal servers but a typo meant I selected the wrong IP range). As soon as nmap encountered the JetDirect ports every single printer spewed out a dozen pages of total gibberish. Put it this way - I bet the owners of the printers you just scanned are slightly puzzled why their printer kicked into life.
More worrying is that on many unpatched HP printers[1] it is entirely possible to push an unauthorised firmware update through port 9100.[2]
--
[1] Enabling OS updates is one thing but I wonder how many businesses actively update their printers to the latest firmware versions?
mattkirman: nothing happened to the owners of those printers, because I didn't run nmap with the "--allports" option. As the man page explains, by default nmap doesn't send anything to port 9100 precisely to avoid running into this issue:
--allports (Don't exclude any ports from version detection).
By default, Nmap version detection skips TCP port 9100 because some
printers simply print anything sent to that port, leading to dozens
of pages of HTTP GET requests, binary SSL session requests, etc.
This behavior can be changed by modifying or removing the Exclude
directive in nmap-service-probes, or you can specify --allports to
scan all ports regardless of any Exclude directive.
I think the Sony TVs offer an onscreen pop-up before accepting commands from unregistered DLNA controllers although maybe that can be faked (and maybe there is a flaw, I've never explored it deeply).
If you want to tell me model numbers I'll have a think about why that may be. Used to work in Product Planning for them although didn't have any role specifying this feature I was aware of it.
IMO Bruce Schneier should be more careful because lots of routers are very capable general-purpose computers and he's definitely responsible for what goes out of his IP address.
Just because his WiFi is open doesn't necessarily mean that you'll be able to access his router configuration. And as he says, having an open network means that you have an excuse if someone does use your internet for something illegal...
Interestingly, if you try to browse far into the results, Google decided it actually only has 73 to display (after telling it to include omitted similar results).
A friendly thing to do would be develop a script that took the google results, checked with whois for abuse address and sent emails. Of course that could also end up with one being sent to jail for a long time.
Isn't it required that there's an abuse@ address to comply with RFCs? So take Google link list, do a reverse domain lookup, uniq, and email abuse@$(those domains).
If someone else later does something bad with the publicly accessible printer and there's a witch hunt for the responsible party, and the only lead they have is that you emailed them about the possibility in advance...then they'll go after you, even though you were just trying to do a good thing.
And if you're expecting the victim / police / legal system to understand that, technically speaking, it could have literally been anyone with an Internet connection...Or if you think that your good intentions and lack of criminal record mean that the most you'll get is a slap on the wrist even if they think your email "proves" that you did it...you're quite naive, especially given all the recent coverage of Aaron Swartz.
I should note that this isn't unique to computers, by the way. You should also never leave a note on an unlocked car saying "hey, noticed your car was unlocked --signed XYZ".
How can I tell if my home printer is securely protected? Is there a good web page or text book anyone can recommend that will teach me more details about this? Thanks.
In a home network you typically have a router that separates your LAN (local area network) from the internet and shares one public IP among the devices in your network; in that case you have little to worry about. You can tell by the kinds of IP addresses your devices have: if it starts with 192.168.x.y, 172.x.y.z, or 10.x.y.z, then it's not reachable from the internet. The problem with these printers is that on their network there's no such separation and they are listening on a publicly routed IP address, but they've been designed with the tacit assumption that they will be used on a secured network.
Depends. Some builds of Tomato (Toastman's for sure) put a firewall up on IPv6 by default. Asus's firmware does NOT firewall IPv6 at all. If you have shell access to your router, I suggest putting up a firewall on IPv6. The following should work (change br0 to the bridged LAN interface and eth0 to the WAN interface, sometimes it's a vlan):
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i eth0 -o br0 -p all -j DROP
ip6tables -A FORWARD -i br0 -j ACCEPT
ip6tables -A FORWARD -o br0 -j ACCEPT
ip6tables -A FORWARD -j DROP
Of course insert whatever open ports you want after the first line.
I'm assuming that it is just the setup/status/diagnostics control panel so you'll not be able to print anything arbitrary (shame, it could be a fun game!). If you are of a mind to wind someone up you might be able to kick out a pile of test pages and reconfigure the thing so it is no use until someone does a factory reset.
A similar but worse case was some years ago when a range of consumer router+firewall boxes had a fault which made them present their control interface on the WAN interface and had no password set by default. A large number of those somehow got into a search index (it may have also been Google, I can't rightly remember), and from there you can probably do more harm than you can from a printer.
I've looked at two and both had the option to print a file that you uploaded. Of course I didn't actually try to print anything, but it looks like you probably could.
I may or may not have just printed out some random messages for people to find.
There is something strangely compelling about sending thoughts out into the ether with no chance of feedback. Fax pranks are before my time, but I totally get it. I hope I made somebody smile today.
The other question, which would be fascinating to see raised in court I feel, is whether a printer is a "computer" within the terms of the law (CFAA, CMA(UK) or whatever).
You'd probably be able to question the meaning of access too - for example if you find an IP on Google and simply send data to port 9100 that's not really access, accessing a computer is 2 ways. If the law judged spamming port 91 as "access" then sending faxes or texting someone would come under such legal acts .. that can't be within the intent of the law surely.
If other laws are used - "you sent them a message they didn't want" - then that's the end of [legal] unsolicited mail [yay!].
So within 24 hours, lots of people are going to find out what a goatse is I reckon.
Even better, a lot of people in the UK have Thomson routers which have an easily calculable WPA default password. Most of these also have smart tvs these days too which will allow anything to be pushed to them.
Those poor IT Support guys that get a call because their small business client's network is going down due to everyone hitting their printer(s) at once because they show up on the first page :-\
You can find a lot of open machines and sensitive information using Google, this one for the HP printers was submitted to the Google Hacking Database[1] in 2004.
If you recall from the early days of Google, there is plenty of indexed dark data that Google actively scrubs out of the public results. For example it was trivial at one point to find credit card numbers and social security numbers.
One million trees just died. The problem with some of the earlier HP printers was that they would accept unsigned firmware updates, you could literally reflash the thing with an update instruction in postscript.
Some work was done at Columbia University with developing trojanised firmware, I recall a firmware that could transmit CC# over tcp when it saw them in the print stream.
Extreme care must be taken if connecting printers to the Internet. It's at best a horrible idea and I'd say that most of these are unknown to their owners.
Hopefully this gets some MSM coverage and people address the connected printer problem forever. (not likely)
The first thing I thought of was a course that I took decades ago that discussed using printers for covert channels to get data out of secure networks.
I wonder if any of those are honeypots. It may be interesting to see if any visitors do something clever or unexpected.
Wow. There is at least one printer on there in a US governmental department, and on one of the settings pages is a huge list of emails of employees. And now I'm probably on some kind of list.
Yes, why would a printer need to be externally addressable? The problem will only get worse if IPv6 (aka IPv4 with rivets, as the sainted Verity Stob calls it) takes off.
I used to do it so I could print stuff for consumption or filling out when I got home from the field... also, because I could (a good reason for anything). Now I use IPP for the same purpose, less security risk.
This is truly an old hack, from the days of Altavista, you can find all sorts of open devices and even file folders (I think they've censored those results now) on the internet.
1. write a script to scrape google links to HP admin panel
2. filter out the IPs that are from US (given you want to work on US market)
3. assemble the list of printer types and current toner levels.
4. write a script that will print to each of those printers a one single page, stating your company "Cheapo Suppliers Inc" was notified that "your printer is low on toner. Call xxxxxx to re-fill. Lowest prices guaranteed within one day delivery!". You can add link to your shop page that already redirects user to specific type of printer they have, some type of one-click order (based on which toners are low).
5. daily rinse repeat.
6. sell your business to HP (at least try to).