Recently a group of researchers from the University Alliance Ruhr has found a cross-site printing bug in the old PostScript language. Popular printer models manufactured by Dell, Brother, Konica, Samsung, HP, and Lexmark are affected by security vulnerabilities that could be exploited by hackers to steal passwords, steal information from the print jobs, and shut down the devices.
Following the above research, a hacker with the online moniker Stackoverflowin decided to hack thousands of publicly exposed printers and to print rogue messages, including ASCII art depicting robots and warned that the printers had been hacked and they were part of a botnet.
The hacker said he wants to raise awareness about the risks of cyber attacks on printers exposed to the internet.
“A grey-hat hacker going by the name of Stackoverflowin says he’s pwned over 150,000 printers that have been left accessible online.” reads a blog post published by Bleeping Computer.
“Speaking to Bleeping Computer, the hacker says he wanted to raise everyone’s awareness towards the dangers of leaving printers exposed online without a firewall or other security settings enabled”
Stackoverflowin claims to be a British high-school student who is a passionate security researcher, he explained that he simply sent print jobs using the Line Printer Daemon (LPD), the Internet Printing Protocol (IPP) and the RAW protocol on communications port 9100 to printer models that were exposed on the internet without any authentication.
Stackoverflowin did much more, he also exploited an undisclosed remote command execution (RCE) vulnerability in the web management interface of Xerox devices.
The young hacker estimated that he compromised up to 150,000 printers, but he also added to have access to more RCE vulnerabilities which would have allowed him to access more than 300,000 printers.
Stackoverflowin wrote an automated script which scans the Internet for open printer ports and sends a rogue print job to the device.
— Remigio Isla (@lttle_wolf) February 4, 2017
Below the latest version of the message sent to the printers:
stackoverflowin the hacker god has returned, your printer is part of a flaming botnet, operating on putin's forehead utilising BTI's (break the internet) complex infrastructure. [ASCII ART HERE] For the love of God, please close this port, skid. ------- Questions? Twitter: https://twitter.com/lmaostack -------
Many users on Twitter shared images of the rogue messages sent on Friday to their printers.
The case demonstrates the importance to adopt necessary measures to protect devices exposed online, for example enforcing access rules in the routers, setting up a VPN or allowing the access from certain IPaddresses.
(Security Affairs – hacking, security)