The page where you can upload a document to be printed on one of the exposed HP printers.
Google is exposing thousands of Hewlett-Packard printers that aren't password protected, allowing anyone to control and manage them remotely and print reams of documents.
Many of the printers are at universities, including a number in Australia.
British blogger Adam Howard first highlighted the exposure in a post titled “Google has indexed thousands of publicly accessible printers” on his Port3000 blog.
An exposed printer's usage page.
Mr Howard points out that a well-crafted Google search returns about 86,800 results for publicly accessible HP printers.
Surprisingly, many of the printers aren't protected by a password, meaning anyone can upload a document to them via a web interface and print it remotely.
When accessed remotely without a password, the printers display an array of information such as how much ink or toner they have left in them, how many pages they have printed in their lifetime and how many paper jams they have had. They also display the names of documents printed to them, which could potentially contain personally identifiable information.
The exposure mainly affects large organisations whose IT staff fail to enable a password on printers when configuring their routers to allow inbound connections so that staff can print from one office to another.
Mr Howard wrote on Port3000: “There's something interesting about being able to print to a random location around the world, with no idea of the consequence.”
After revealing the exposed printers, he warned: “Lock down your printer :)”
Mr Howard added that there were other, more serious, security concerns with the printers being exposed, as many models “have known exploits which can be used as an entry point to a private network”.
A Fairfax Media Google search on Monday of exposed printers in Australia revealed that the University of Melbourne, University of New South Wales, University of Queensland, University of Wollongong, La Trobe University and the University of Sydney all had printers accessible remotely via the web that could be used by anyone.
The University of Melbourne appeared to have the most publicly accessible printers, with 26 able to be accessed without a password.
John DuBois, director of communications at the University of Melbourne, said the university was aware of access issues with some of its printers, which are locally and externally managed.
Mr DuBois said they were set up incorrectly.
"We are already implementing substantial network improvements which should prevent any unauthorised external access," he said.
In total, about 44 HP printers in Australia (mostly at universities) were found using Google.
University of Wollongong's deputy director of Information Technology Services, Daniel Saffioti, thanked Fairfax for letting the university know about an unprotected printer it used.
"We have looked into the matter and are rectifying the issue as a matter of urgency," Mr Saffioti said.
Rob Moffatt, director of Information Technology Services at the University of Queensland, said an insecure printer on its network was located in an independently owned and operated child care centre within university grounds.
"While someone could possibly change settings remotely, causing the device to malfunction, only limited information can be extracted from the device," Mr Moffatt said.
"We will, however, recommend as an extra precaution that this device be password protected."
A University of New South Wales spokeswoman said three printers within its networks had been identified as being insecure.
"...Appropriate steps will be taken to ensure access is secure," the spokeswoman said.
"The university currently has a program in place to consolidate and secure UNSW printers."
Ged Doyle, chief information officer at La Trobe University, advised there were "several very old printers from years ago" on its network with no password. "These were rectified immediately," Mr Doyle said. "The standard process for network connected devices now deployed at La Trobe, which was not in place years ago when these old printers were installed, overcomes this type of issue."
Comment is being sought from the University of Sydney, as well as from Google.
Printers at the Massachusetts Institute of Technology, University of Gothenburg in Sweden and University of Freiburg in Germany were also found to be exposed.
Even the United Nations Development Programme had a vulnerable printer.
“All it takes is one malicious script written by a clever hacker and you'll be replacing the paper tray every five minutes, and using up the toner supplies faster than you've ever known,” wrote Zack Whittaker for tech website ZDNet's Zero Day blog.
“Perhaps more worryingly, many of these printers do not have passwords enabled and can be directly accessed from outside their company's firewall.”
Tech website Gizmodo said the unprotected printers could be used to play pranks on the organisations that used them, and added that it had conducted two pranks itself.
“Send the University of Cambridge a hard copy of a Rihanna cover. (We actually did this, and it worked),” wrote Gizmodo writer Leslie Horn. “Congrats, random Chinese IP address, you just got bombed with 50 copies of a report I once did on War and Peace.”
In a statement, HP said it encouraged customers to protect their printers with safeguards by placing them within a firewall and providing network credentials only to trusted parties.
"By following the HP recommended security features, printers should not be accessible to the public via the internet."
James Turner, an analyst at IBRS in Australia who specialises in information security, said the exposure of printers without passwords on the internet was “just one facet of where someone decided that it was better for the printers to be easily accessible, than to be secure”.
“This is the ongoing challenge of the internet. Devices that are intended for easy access on smaller networks can take on new dimensions when plugged into the internet,” he said.
“This issue with printers is similar, though on a much smaller scale, to the challenge that industry has had with [industrial control systems] being connected to the internet.”
Mr Turner suggested pranksters would be the main people taking advantage of the issue, but said more malicious uses of the security gap were no doubt being thought of.
“Passwords are a nuisance to usability, but we don't have better options that are less intrusive while also providing equivalent confidentiality,” Mr Turner said.
Paul Ducklin, of security firm Sophos in Australia, said: “You'd think we would have learnt by now. It was over 10 years ago that we first got a wake-up call about printers accessible on networks where they shouldn't be.”
Mr Ducklin was referring to the “Bugbear” virus, which was widespread at the end of 2002.
One of the things the virus would do was copy itself anywhere on a network it could find, including to printers, which resulted in them printing a lot of gobbledegook.
He said IT people learned quickly back then that they should put passwords on printers.
“Printing other people's viral garbage wasn't just a security risk, it cost real money in wasted paper and toner,” Mr Ducklin said. “Coming in on Monday morning to an empty paper feed and 2000 pages of hexadecimal drivel in the output tray focused the mind of many a bean-counter.”
He added that there was a security risk implicit in letting untrusted outsiders connect to internal devices.
"Printers these days have their own [operating system], network stack and often rather powerful firmware,” he said. “A lot could go wrong. Secondly, it's resource mismanagement, plain and simple. You don't let outsiders randomly and remotely turn on taps in the bathroom to waste water they can't even see, let alone wash with. So why let them send print jobs they will never read or even collect?”
Source: http://www.smh.com.au/it-pro/security-it/security-fears-over-exposure-of-webaccessible-printers-20130129-2dhxo.html