
I've written about this before.[1] Many network-connected printers simply assume that the local network they connect to will be securely protected from external threats, so they're not configured to withstand even the simplest of attacks. This is exactly the opposite of what many security experts recommend: devices should be secure regardless of whether the network they're on is secure or not.

Bruce Schneier's personal WiFi network at home is fully open, because -- in his own words: "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."[2]

I'm waiting for the great network printer security apocalypse...

--

I ran a quick nmap command (nmap -T4 -A -v -PE [IP address]) on a few of the many printers indexed by Google, and here's a typical result, showing tons of open ports and passwordless login options (I've deleted the hostname and IP address to protect the innocent):

  Starting Nmap 5.21 ( http://nmap.org ) at 2013-01-25 12:15 EST
  NSE: Loaded 36 scripts for scanning.
  Initiating Ping Scan at 12:15
  Scanning XXX.XXX.XXX.XXX [1 port]
  Completed Ping Scan at 12:15, 0.10s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 12:15
  Completed Parallel DNS resolution of 1 host. at 12:15, 0.14s elapsed
  Initiating Connect Scan at 12:15
  Scanning [HOSTNAME] (XXX.XXX.XXX.XXX) [1000 ports]
  Discovered open port 23/tcp on XXX.XXX.XXX.XXX
  Discovered open port 21/tcp on XXX.XXX.XXX.XXX
  Discovered open port 443/tcp on XXX.XXX.XXX.XXX
  Discovered open port 80/tcp on XXX.XXX.XXX.XXX
  Increasing send delay for XXX.XXX.XXX.XXX from 0 to 5 due to max_successful_tryno increase to 5
  Increasing send delay for XXX.XXX.XXX.XXX from 5 to 10 due to max_successful_tryno increase to 6
  Warning: XXX.XXX.XXX.XXX giving up on port because retransmission cap hit (6).
  Discovered open port 14000/tcp on XXX.XXX.XXX.XXX
  Discovered open port 631/tcp on XXX.XXX.XXX.XXX
  Discovered open port 280/tcp on XXX.XXX.XXX.XXX
  Completed Connect Scan at 12:15, 37.26s elapsed (1000 total ports)
  Initiating Service scan at 12:15
  Scanning 7 services on [HOSTNAME] (XXX.XXX.XXX.XXX)
  Completed Service scan at 12:16, 13.09s elapsed (7 services on 1 host)
  NSE: Script scanning XXX.XXX.XXX.XXX.
  NSE: Starting runlevel 1 (of 1) scan.
  Initiating NSE at 12:16
  Completed NSE at 12:16, 3.57s elapsed
  NSE: Script Scanning completed.
  Nmap scan report for [HOSTNAME] (XXX.XXX.XXX.XXX)
  Host is up (0.11s latency).
  Not shown: 978 closed ports
  PORT      STATE    SERVICE      VERSION
  21/tcp    open     ftp          HP LaserJet P4014 printer ftpd
  |_ftp-anon: Anonymous FTP login allowed
  23/tcp    open     telnet       HP JetDirect telnetd
  25/tcp    filtered smtp
  80/tcp    open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  111/tcp   filtered rpcbind
  135/tcp   filtered msrpc
  139/tcp   filtered netbios-ssn
  280/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  443/tcp   open     ssl/http     HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  445/tcp   filtered microsoft-ds
  515/tcp   filtered printer
  631/tcp   open     http         HP-ChaiSOE 1.0 (HP LaserJet http config)
  | html-title: hp LaserJet 9050
  |_Requested resource was http://XXX.XXX.XXX.XXX/hp/device/this.LCDispatcher
  1433/tcp  filtered ms-sql-s
  1720/tcp  filtered H.323/Q.931
  3168/tcp  filtered unknown
  4550/tcp  filtered unknown
  6000/tcp  filtered X11
  6112/tcp  filtered dtspc
  8654/tcp  filtered unknown
  9100/tcp  filtered jetdirect
  14000/tcp open     tcpwrapped
  19315/tcp filtered unknown
  Service Info: Device: printer

--

[1] http://news.ycombinator.com/item?id=4412714

[2] http://www.schneier.com/blog/archives/2008/01/my_open_wirele...



A few months ago I erroneously port scanned our office HP networked printers (I meant to scan our internal servers but a typo meant I selected the wrong IP range). As soon as nmap encountered the JetDirect ports every single printer spewed out a dozen pages of total gibberish. Put it this way - I bet the owners of the printers you just scanned are slightly puzzled why their printer kicked into life.

More worrying is that on many unpatched HP printers[1] it is entirely possible to push an unauthorised firmware update through port 9100.[2]

--

[1] Enabling OS updates is one thing but I wonder how many businesses actively update their printers to the latest firmware versions?

[2] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.js...


mattkirman: nothing happened to the owners of those printers, because I didn't run nmap with the "--allports" option. As the man page explains, by default nmap doesn't send anything to port 9100 precisely to avoid running into this issue:

  --allports (Don't exclude any ports from version detection).
      By default, Nmap version detection skips TCP port 9100 because some
      printers simply print anything sent to that port, leading to dozens
      of pages of HTTP GET requests, binary SSL session requests, etc.
      This behavior can be changed by modifying or removing the Exclude
      directive in nmap-service-probes, or you can specify --allports to
      scan all ports regardless of any Exclude directive.


The same goes for smart TVs. Most of them you can push stuff to via DLNA without a password. Much amusement to be had.


I think the Sony TVs offer an onscreen pop-up before accepting commands from unregistered DLNA controllers, although maybe that can be faked (and maybe there is a flaw; I've never explored it deeply).


This is correct, though you could cause a flood of requests that block input from the real user (each has to be dismissed in order).


Mine doesn't. Bravia EX series.


If you want to tell me model numbers I'll have a think about why that may be. I used to work in Product Planning for them; although I didn't have any role in specifying this feature, I was aware of it.


IMO Bruce Schneider should be more careful because lots of routers are very capable general-purpose computers and he's definitely responsible for what goes out of his IP address.


Just because his WiFi is open doesn't necessarily mean that you'll be able to access his router configuration. And as he says, having an open network means that you have an excuse if someone does use your internet for something illegal...

And it's Schneier.



