Weaponized Networked Printing is Now a Thing

It’s a fairly safe bet that a Venn diagram of Hackaday readers and those who closely follow the careers of YouTube megastars doesn’t have a whole lot of overlap, so you’re perhaps blissfully unaware of the man who calls himself PewDiePie. As such, you might not know that a battle between himself and another YouTube channel which uploads Bollywood music videos has reached such a fever pitch that his fans have resorted to guerrilla hacking to try to sway public opinion towards their side. It’s perhaps not the dystopian future we imagined, but it just might be the one we deserve.

To briefly summarize the situation, a hacker known only by the handle TheHackerGiraffe decided to help out Dear Leader by launching an automated attack against 50,000 Internet connected printers. When the hack was successful, the printer would spit out a page of digital propaganda (complete with fist ASCII art) that urged the recipient to go on YouTube and pledge their support for PewDiePie. There’s some debate about how many of the printers TheHackerGiraffe targeted actually delivered their payload, but judging by reactions throughout social media, it was enough to get the message out.

While the stunt itself may have come as a surprise, the methodology wasn’t. In fact, the only surprising element to the security researchers who’ve weighed in on the situation is that this hasn’t happened more often. It certainly isn’t the first time somebody’s done it, but the fact that this time it’s been connected to such a high profile Internet celebrity is putting more eyes on the problem than there have been in the past. Now that the proverbial cat is out of the bag, there are even websites springing up which claim to be purveyors of “Printer Advertising”. Odds are good this won’t be the last time somebody’s printer starts running off more than TPS reports.

We here at Hackaday don’t have much interest in the battle for YouTube supremacy. We’re just pulling for Dave Jones’s EEVBlog channel to join AvE in breaking a million subscribers. But we’re very interested in the technology which made this attack possible, how likely it is we’re going to see more people exploit it, and what we’re supposed to do now that even our own printers can be turned against us.

Easier Than You Might Think

According to TheHackerGiraffe’s account, Shodan (known as “the world’s first search engine for Internet-connected devices”) was used to search for Internet-facing IP addresses which had open ports related to network printing protocols such as IPP, LPD, and JetDirect. The search revealed over 800,000 devices were listening for incoming print commands, of which the first 50,000 were selected to be targets in the attack and saved to a text file.

With a list of potential printers waiting for a command, the next step was figuring out how to talk to them. To this end, our intrepid Giraffe used the open source Printer Exploitation Toolkit (PRET). Consisting of a suite of Python scripts, PRET is intended for researchers performing security audits on networked printers and can perform a wide array of functions. Not limited to simply printing to the target, it can also access files on its internal storage, capture incoming print jobs, disable the printer, and even has a function which claims to cause permanent damage to the printer’s NVRAM.

With a list of targets and a tool suite that would command them, the final piece of the puzzle was a quick script to tie them both together. On Twitter TheHackerGiraffe posted a copy of the Bash script which supposedly caused all the ruckus, and it’s about as simple as it gets:

#!/bin/bash
while read -r line; do
    ip="$line"
    torify ./PRET/pret.py $ip pjl -q -i ./commands.txt
done < "./potential_bros.txt"

The script loads the list of potentially vulnerable printers from a file called “potential_bros.txt”, and for each IP address in the file runs the pret.py command to deliver the payload. Each instance of PRET is run through the torify tool, which wraps the command in a Tor session in an attempt to anonymize the activity. In terms of notoriety gained per line of code, this script has to rank fairly high up there.

All things considered, an unwanted print job that consisted of just a few lines of text was arguably the most innocuous outcome of this particular stunt; it didn’t even use that much ink. Indeed, TheHackerGiraffe now says showing support for PewDiePie was really a secondary objective; the true goal was to raise awareness of how vulnerable many Internet connected printers really are. Whether you believe the claim genuine or a case of creating an excuse after the fact, we can’t deny it has people talking.

Does This Fall Under Fax Machine Law?

One would think that connecting to thousands of printers and using them to send unsolicited messages must be illegal. But some have put forward that since these printers are accessible to the public, advertising a usable service, and imposing no authentication limits, it might fall into a legal gray area. One could make the case that connecting to an open printer isn’t much different than connecting to a public web server.

As TheHackerGiraffe didn’t do anything that would normally run afoul of laws like the Computer Fraud and Abuse Act in the United States (such as collecting data, knowingly damaging systems, or extorting victims) it’s not immediately clear if the laws on the books are really prepared to deal with this particular threat. Of course things are complicated by the fact that the targeted printers are presumably located all over the world, potentially putting them under varying hacking laws. In some countries, simply connecting to a network you know you aren’t supposed to have access to is illegal, even if you don’t cause any damage.

Ironically, the most applicable law on the books (at least in the US) may be 2005’s Junk Fax Prevention amendment to the Telephone Consumer Protection Act which prohibits, among other things, sending unsolicited faxes. The comparison here seems pretty clear: a fax machine waiting for an incoming transmission is fairly analogous to an unsecured printer on the Internet. A future amendment that also extends these protections to Internet connected printers seems something of a foregone conclusion at this point.

Where We Go From Here

For better or for worse, everyone in the world now knows how easy it is to force unwanted prints down the throats of hundreds of thousands of printers. Whatever TheHackerGiraffe’s actual goal was is really inconsequential at this point; the end result is the same. A security researcher by the name of Simon Smith has already launched PrinterAdvertising.com, which promises to develop their own in-house framework for pushing advertisements to printers all over the world if there’s commercial interest. Assuming it actually goes live, it’s not hard to imagine how such a system could easily be abused.

Just like the recent controversy over Internet-connected Octoprint servers potentially allowing malicious use of 3D printers demonstrated, the best course of action for protecting 2D printers seems to be the same: keep them off the Internet to begin with. The reality is that the vast majority of these printers were never meant to be accessed outside of their local network, but thanks to sloppy routing and incorrectly configured firewalls, they somehow managed to get on the wider Internet.
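
One way to check the firewall side of this, as an added example that is not from the original article: the Python sketch below reads iptables-save output and lists DNAT port forwards that hand the standard printing ports (515 for LPD, 631 for IPP, 9100 for JetDirect) to an internal host. The sample rules and addresses are constructed for illustration, and the function names are hypothetical.

```python
import shlex

# Well-known TCP ports for the printing protocols named in the article.
PRINT_PORTS = {515: "LPD", 631: "IPP", 9100: "JetDirect/raw"}

# Constructed sample in iptables-save format (not from any real device).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9100 -j DNAT --to-destination 192.168.1.50:9100
-A PREROUTING -i eth0 -p tcp -m multiport --dports 515,631 -j DNAT --to-destination 192.168.1.50
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9000:9200 -j DNAT --to-destination 192.168.1.60
-A PREROUTING -i eth0 -p udp -m udp --dport 9100 -j DNAT --to-destination 192.168.1.50:9100
COMMIT
"""

def _covered(spec):
    """Printing ports matched by a --dport/--dports value such as
    '9100', '515,631' or a range like '9000:9200' (open ends allowed)."""
    hits = set()
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        lo = int(lo) if lo else 0
        hi = int(hi) if hi else (65535 if sep else lo)
        hits.update(p for p in PRINT_PORTS if lo <= p <= hi)
    return hits

def exposed_print_forwards(rules_text):
    """Return (port, protocol, internal target) for each TCP DNAT rule
    that forwards a printing port, including rules that only cover the
    port through a range or a multiport list."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if "DNAT" not in tok or "-p" not in tok:
            continue
        if tok[tok.index("-p") + 1] != "tcp":
            continue
        flag = next((f for f in ("--dport", "--dports") if f in tok), None)
        if flag is None:
            continue
        i = tok.index(flag)
        if tok[i - 1] == "!":  # negated match: skipped, review by hand
            continue
        target = tok[tok.index("--to-destination") + 1] if "--to-destination" in tok else "?"
        for port in sorted(_covered(tok[i + 1])):
            findings.append((port, PRINT_PORTS[port], target))
    return findings

if __name__ == "__main__":
    for port, proto, target in exposed_print_forwards(SAMPLE_RULES):
        print(f"port {port} ({proto}) is forwarded to {target}")
```

The range rule is the case most easily missed by eye: forwarding 9000:9200 exposes 9100 without ever naming it.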

If this event accomplishes anything, beyond making sure PewDiePie continues to rake in that sweet YouTube money, hopefully it will lead to a reduction of erroneously configured printers and greater understanding of the inherent risks of the “Internet of Things”. But if history is any indication this likely won’t be the last time somebody spreads their message, innocent or otherwise, via those lowly network printers collecting dust in offices all over the globe.

[Main image from the film Office Space]

35 thoughts on “Weaponized Networked Printing is Now a Thing”

  1. I actually do hope that printeradvertising.whatever does go live. It will, as the FAX abuse did, let me know what companies to never do business with. Ever.

    I used to have two FAX machines…. one an old PC that didn’t print but was a honeypot, the other the actual FAX machine on a separate line. WATS was wonderful for things like that. Now, I have zero FAX machines, and zero internet-connected printers or IOT devices.

    1. the guy probably found the printers using shodan.io, I use it all the time and you will not believe how many I have found.
      the funny thing is, you can also see who else is connected to the office printers on the network

  2. “But some have put forward that since these printers are accessible to the public, advertising a usable service, and imposing no authentication limits, it might fall into a legal gray area. One could make the case that connecting to an open printer isn’t much different than connecting to a public web server.”

    People are creative in justifying things they know they shouldn’t. How about the golden rule being applied here?

      1. Ok, spent a little time looking at Chromebooks today. Obviously not for me as the Chrome OS pretty much expects you live on the web. As one article put it: “The only true apps installed on the machine are the Chrome web browser, as well as offline versions of Docs, Sheets, and Google’s PowerPoint competitor, Slides”. Ie. All the available ‘apps’ are web based. Apps are limited. Local disk space limited. Data is expected to be saved to the cloud. Nope, not for me. The web is a tool for me to hop on/hop off as needed, but certainly not mandatory for running my favorite apps. All my work is done locally and saved locally. This is one bandwagon I won’t get on.

    1. Lots of plug and play printers come configured dangerously from the factory. How many people are going to blame xerox for getting a spam print vs how many will scream at tech support when they can’t print because they have no idea how to configure the settings.

      1. I mean, you’d have to still manually connect it to your network at least. I don’t think it’s really possible to “accidentally” connect it to the network, but somebody higher up the chain in charge of routing and that sort of thing could screw up their side of the equation.

  3. I don’t get why so many youtubers want you to subscribe to their channel. Subscribing should be a service to serve you, not the person asking for it. They shouldn’t take it personal whether you are subscribed to them or not. If all these youtubers would just ditch the whole “don’t forget to like, comment, and subscribe” shtick (I’m not that old to forget… yet 8’D), giving them a rating wouldn’t feel so much like a chore, but that may just be me.

    That being said, I think I’m going to subscribe to both Pewdiepie and T-Series via RSS, just like the good old days, only this time Google Reader is gone.

    1. Because the youtube algo gods rank engagement above all, and like/comment/subscribe is the highest form of engagement.

      The truth is Pewdiepie doesn’t really care, it’s just a bit of fun. He’s been on top for years and suddenly becoming number 2 isn’t going to make him any less of a millionaire.

  4. « It’s a fairly safe bet that a Venn diagram of Hackaday readers and those who closely follow the careers of YouTube megastars doesn’t have a whole lot of overlap »

    Well, ok, I’ll hide in a corner then …

  5. TL;DR – Script kiddie uses scripts to advertise execrable kiddies’ favourite Swedish dickhead, because he thinks things like that matter.

    And Bollywood hasn’t even STARTED invading the Internet yet. There’s a lot of Indians around the world. Get used to it, if you for some reason give a shit.

  6. Everyone’s missing the point. While you have been playing Tick for Tack. The big boys have stepped in, re-arranged All printers, Names to mention (FACTUAL) Brother, HP, Canon, (PROVEN), have changed their format of letting you print. Whether you have signed in Yes or No, you are signed into the new ((Override Program)) 1) ALLOWS ALL PROGRAMS TO BE READ (2) ALL CONTACTS TO BE RECORDED. (3) Download without additional permission any and all files, Also can change same and contact your contact list. (4) Freely log onto any device associated with the printer, this includes, notepad, phone, mobile phone, Smart Tv, any and all devices. – this also gives them the ability to use those devices to associate and use the same of the people you contact!
    (5) Phone turned off, Printer turned off, sound turned off, all other devices turned off?
    (6) They! The above and other can now turn on all the above without your permission or knowledge.
    To qualify myself have worked on electrical, electronic, digital, computerized printer in all formats for 50 years, redesigned second sourced HP, Canon, products to overcome design flaws to increase reliabilities.
    If you are an American you have several of your BILL of RIGHTS dragged away,
    If you are of English Descent- Law – Intrusion and RIGHT to PRIVACY= Broken.
    Instead of fighting amongst yourselves, take the fight to those who have just STOLEN- FROM YOU!!

      1. Your doctor contacted me to say -you missed your appointment..
        (Comment for the day )-
        If a Lie is sold as the truth for nothing, and the Truth has already cost you without knowing , ignorance becomes- bliss!
        Happy Navarna!
