Hey guys! I thought I’d kick off the year 2014 with a fun blog about taking advantage of people’s tech ignorance when it comes to using IP printers, particularly those which are configured using a web interface and controlled using (default) admin credentials.
If you haven’t read the post CNN did about Shodan (scary search engine) which searches the deep web for fun things like SIP systems and IP-controlled devices then you should seriously give it a read. I was reading the article when I looked to my left and saw the delicious Kodak hero 7.1 network printer on the table next to my iMac and realised “there must be printers like these which have their own DNS entry or IP address”.
Logically the next thing to think about is that almost all of these will be set up by people who are largely tech illiterate or sysadmins who aren’t doing their job properly. So I set about searching for printers as my curiosity gets the better of me…
I got a boatload of results but if you aren’t signed in then you can only view the first page. I’ve blocked out the DNS entries and IP addresses of the first “results” so I don’t get a lawsuit.
So I start clicking through the results and on the first hit I find a web-controlled HP Color LaserJet 3800.
The person who set up this printer did it correctly and didn’t leave the default admin password in place, but there is still some information exposed, such as the printer serial number and the firmware date code; I’ve blocked both of these out. The red box at the top of the page covers the device’s IP address.
I scrolled down the page and found this:
I’ve never heard of this make of printer before so I give it a click…
This is the front page for (what looks like an older model of) Ricoh printer. You’ll notice in the top left corner is a button which takes you to a login form.
Could it really be that simple?
Well shit! Naturally I HAVE to go clicking around to see what mischief (potentially) I can cause…
The information immediately available on the front page allows for resetting the device, which can be pretty catastrophic in itself. I click into printer status and the controls and information available are pretty basic, such as selecting printer cartridges and manipulating loader trays (you can change the language to really screw up someone’s day if you wanted to), but the control further down is the most interesting, labelled “document server”. Clicking on that gives the screen capture you see above. This printer isn’t being used as a file server, but if it was then I’d have access to ALL of the documents inside the printer.
Clicking on Job > Printer > Job History brings up the next panel listing the latest print jobs sent to this printer along with the user, the date/time, where the job originates from and the file name. The file itself isn’t downloadable; I’ve blocked out the more sensitive information.
The screen capture above is for the Fax Machine on the printer. Viewable to the administrator is the date/time and destination of the fax as well as how the transmission turned out. I didn’t think Facsimile was still in use, but clearly it is wherever in the world this printer is from. There is even a button to download the transmission list for the printer, which would give a complete listing of all of the transmissions sent from this Fax (I didn’t download it before you ask).
The “Reception” option has the same controls but in reverse such as all Faxes received and the option to download a list of all received Faxes (but not the faxes themselves).
The “Address Book” actually seems to be the user directory for the Printer/Fax Machine. An Administrator can easily create a new user with full access privileges to the device. It is also possible to download then wipe the entire user directory. Each user entry contains personal information such as phone numbers and email addresses as well as where and when they last logged in.
The “Enquiry” panel contains information on the servicing of the device such as the serial number and sales rep information.
The configuration panel is where it gets really interesting. As you can see there are a lot of configurable options as well as the security (lol). There is even the option to pull in information from an LDAP server. This particular printer doesn’t access an LDAP directory but if it did then I’d be able to copy the login credentials and gain complete access to a computer network’s LDAP directory of users, devices, documents, and other sensitive information.
The administrator of this machine hasn’t even entered his or her email address to get notifications when something is wrong with the machine! BAD FORM!
On closer inspection I realise that error reports aren’t being generated, auto logout isn’t configured, the printer hasn’t been cleaned since it was first set up, and the printhead alignment is completely screwed. Basically whoever set this thing up just took it out of its box, plugged it in, and turned it on!
To do the “good guy” thing I corrected all of the things above. If the admin had bothered to add his/her email to his/her contact card in the Address Book then I would have informed them of my discovery. Sadly, they haven’t.
A lookup of the IP address turned up no information so there is nothing else I can do from this point without sabotaging the machine, moving on…
I typed in the printer’s make to discover that there are thousands of these devices visible to the internet. Clicking on the first dozen reveals that most of them suffer from the same ill-management as the one I showed you above.
Yes it really is that simple to fuck with someone’s printer.
I opened up another administration panel and found that email addresses are actually visible in the Address Book of this particular printer. I copied one and pasted it into the search field on Facebook and found the owner. Now the question is “Do I inform this person of what I have found?” which could possibly save them a lot of heartache and upset in the future if a less friendly hacker should find it (I don’t even consider this hacking) or do I just turn a blind eye?
So I’ve decided that I AM going to be reporting this shit to the owners of the printers. I called up one company & she said to call back on Monday to “talk to someone upstairs”. I’m guessing they have no clue about this shit.
Vulnerable Printers Discovered
– 2 independent businesses in the USA (among a fuckton of others)
– University of Washington
– Southeast Missouri State University
YES! The NH fucking S! Not only that it is for “HR Pay Services” which means sensitive information is definitely being printed out on this device. I’ll definitely be getting in touch tomorrow about this.