Hacker stackoverflowin pwning printers, forcing rogue botnet warning print jobs

Feb 05, 2017

A hacker is forcing thousands of unsecured printers to print warnings about being part of a botnet and leaving port 9100 open to external connections

If your printer printed a “YOUR PRINTER HAS BEEN PWND’D” message from “stackoverflowin,” then it is just one of more than 150,000 printers that have been pwned. Although the message likely referenced your printer being part of a botnet or “flaming botnet,” the hacker responsible says it is not, and that he is trying to raise awareness about the pitiful state of printer security.

One of the messages the hacker caused to print was:

stackoverflowin the hacker god has returned, your printer is part of a flaming botnet, operating on putin’s forehead utilising BTI’s (break the internet) complete infrastructure.

Another stated:

stackoverflowin has returned to his glory, your printer is part of a botnet, the god has returned, everyone likes a meme, fix your bullsh*t.

Yet another stated:

stackoverflowin/stack the almighty, hacker god has returned to his throne, as the greatest memegod. Your printer is part of a flaming botnet.

Over the past several days, a variety of popular printer brands have been affected, including HP, Epson, Canon, Brother and Samsung. Nexus Consultancy reported that Aficio, Konica Minolta and Oki printers have also printed out warnings from stackoverflowin. If it happened to you, you might want to start by closing port 9100 on your router, because that is how the hacker connects to the printer and then sends it a print job. Next, set an admin password on your printer.

This is the latest in a series of recent warnings about what can happen if your printer is connected online without having the right security.

At the end of January, three security researchers—Jens Müller, Juraj Somorovsky and Vladislav Mladenov—described attack scenarios based on network printers and published their research paper “SoK: Exploiting Network Printers” (pdf). They talked about their Printer Exploitation Toolkit (PRET), a tool developed for their Master’s thesis at Ruhr University Bochum; it allows people to check if their printer is secure “before someone else does.”

They evaluated 20 different printer models and showed “that each of these is vulnerable to multiple attacks.”

[Image: from “SoK: Exploiting Network Printers” by Jens Müller, Vladislav Mladenov and Juraj Somorovsky]

In addition, the researchers put together a Hacking Printers Wiki, which lists various attacks on network printers, such as denial of service, privilege escalation, information disclosure, code execution and print job access. One method of attack involves forcing a network printer to print via port 9100, and another involves cross-site printing.

Fast forward a few days, and there was a post by Kur0sec, “How to make 60,000 printers print whatever you want.” Although it got flamed on Reddit’s netsec, reports of printers printing stackoverflowin’s rogue messages about being part of a “flaming botnet” started to appear.


There are a variety of takes on the message, according to images posted on Twitter. Even if your printer coughed up such a warning, that does not mean it is part of a botnet. At least, that is what Stackoverflowin said before referencing Weev’s 2016 printer experiment, which forced printers to print “racist flyers.” He told Bleeping Computer that he’s not into that, as he is “about helping people to fix their problem” while also “having a bit of fun at the same time.”

Stackoverflowin told Bleeping Computer that his script targets printing devices that have Internet Printing Protocol (IPP) ports, Line Printer Daemon (LPD) ports, and port 9100 left open to external connections.
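The three services named there are the ones to verify after you close port 9100 on the router and lock down the printer. The following is an added example, not code from the article, from the researchers or from stackoverflowin: a small Python checker that attempts a plain TCP connection to the raw-printing port (9100), LPD (515) and IPP (631) on hosts you administer and reports which ones still answer. Run it from outside your network against your public address to see what an Internet-wide scanner would see, or inside to audit the LAN. The hostname in the `__main__` block is a constructed placeholder.

```python
"""Check whether printers you own still answer on the printing ports the article names.

Added example (not the article's or stackoverflowin's code). A completed TCP
handshake is treated as the finding: on port 9100 anything that connects can
normally submit a print job, so reachability alone is what matters.
"""
import socket
from typing import Dict, Iterable, Tuple

# The three printing services the article says the script looked for.
PRINTER_PORTS = {
    9100: "raw/JetDirect (AppSocket)",
    515: "LPD (Line Printer Daemon)",
    631: "IPP (Internet Printing Protocol)",
}


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def check_printer(host: str, ports: Iterable[int] = PRINTER_PORTS,
                  timeout: float = 2.0) -> Dict[int, bool]:
    """Map each port to whether host currently accepts connections on it."""
    return {port: port_is_open(host, port, timeout) for port in ports}


def exposed_services(host: str, ports: Iterable[int] = PRINTER_PORTS,
                     timeout: float = 2.0) -> Tuple[str, ...]:
    """Names of the printing services still reachable on host (empty tuple if none)."""
    results = check_printer(host, ports, timeout)
    return tuple(PRINTER_PORTS.get(p, f"tcp/{p}")
                 for p, is_open in results.items() if is_open)


if __name__ == "__main__":
    import sys
    # "printer.example.internal" is a constructed placeholder hostname.
    for host in sys.argv[1:] or ["printer.example.internal"]:
        names = exposed_services(host)
        if names:
            print(f"{host}: EXPOSED -> {', '.join(names)}")
        else:
            print(f"{host}: no printing ports reachable")
```

An empty result for your public address is the goal; a non-empty one means the router change did not take effect or the printer is reachable by another path. The checker deliberately sends no data after connecting, so it never queues a job on a printer it touches.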

The script also includes an exploit that uses a remote code execution vulnerability to target Dell Xeon printers. “This allowed me to inject PostScript and invoke rogue jobs,” Stackoverflowin told Bleeping about the RCE vulnerability’s role.

You may not have been amused if this happened to you, but it should at least serve as a warning for you to take security more seriously. Printing a warning message is one of the least damaging attacks listed by the researchers, so why not lock it down now before a truly vicious attack knocks on your open printer door?

As the hacker said of port 9100, “For the love of God, please close this port, skid.”

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.