Networked HP LaserJet printers, which have been made available to the public by the organizations hosting them, offer potential attackers a ready-made Anonymous FTP server. At present, there are thousands of these devices online.
The exposed printers were the focus of a new blog post by Chris Vickery. Vickery has previously worked with Salted Hash on a number of stories – including database leaks that exposed class records at SNHU, 3.3 million Hello Kitty fans, 191 million voter records, and an additional 18 million voter records with targeted data.
He was also the researcher that exposed the configuration issues with an HIV dating app (which led to the app maker threatening to infect the owner of Databreaches.net), and the researcher who discovered 13 million MacKeeper records.
These days, when he isn't doing security research, he's working for MacKeeper directly, as the parent company Kromtech offered him a job shortly after CES.
On Monday, Vickery outlined the risks associated with the exposed printers, calling them a soft target in an email to Salted Hash. A quick search on Shodan to confirm his findings returned thousands of results.
The exposed printers are located all over the world. A majority of the devices are in the United States. They're hosted on IPs associated with Comcast, Verizon, and AT&T, as well as universities in Minnesota, Pennsylvania, Maryland, Hawaii, and the University of Southern California.
There are also printers exposed in China, South Korea, Taiwan, Canada, Spain, Germany, Poland, Russia, and the U.K.
As one would expect, these printers are active 24/7, but even in sleep mode they'll host files. Moreover, the odds of an internal audit actually examining the contents of a printer's hard drive are slim.
By targeting the exposed printers, an attacker can use them as a staging point to host scripts or tools that can be downloaded when required. They can also use the printers as a means to host malicious websites and direct victims to them directly.
"There are a few free, open source pieces of software that can be used to upload and interact with HP printer hard drives over port 9100. After uploading to a printer, the file can be accessed by visiting
http://<Printer_IP_Address>/hp/device/<File_Name> with any web browser... It doesn’t take much creativity to realize that even highly illegal materials could be stored this way," Vickery wrote.
"Naturally, you may be wondering why I am highlighting this problem. Won’t it just help amateur hackers elevate their game? Disclosing vulnerabilities will always be a double-edged blade. Sure, some people will take advantage of the information, but it’s my sincere belief that anyone seeking tips on how to protect themselves should also be made aware," Vickery added.
Organizations that are concerned should ensure that access to port 9100 is restricted and that all networked printers are behind a firewall.
A Shodan report generated by Salted Hash on the exposed printers can be viewed here.