It’s a fairly safe bet that a Venn diagram of Hackaday readers and those who closely follow the careers of YouTube megastars doesn’t have a whole lot of overlap, so you’re perhaps blissfully unaware of the man who calls himself PewDiePie. As such, you might not know that a battle between himself and another YouTube channel which uploads Bollywood music videos has reached such a fever pitch that his fans have resorted to guerrilla hacking to try to sway public opinion towards their side. It’s perhaps not the dystopian future we imagined, but it just might be the one we deserve.
To briefly summarize the situation, a hacker known only by the handle TheHackerGiraffe decided to help out Dear Leader by launching an automated attack against 50,000 Internet connected printers. When the hack was successful, the printer would spit out a page of digital propaganda (complete with fist ASCII art) that urged the recipient to go on YouTube and pledge their support for PewDiePie. There’s some debate about how many of the printers TheHackerGiraffe targeted actually delivered their payload, but judging by reactions throughout social media, it was enough to get the message out.
While the stunt itself may have come as a surprise, the methodology wasn’t. In fact, the only surprising element to the security researchers who’ve weighed in on the situation is that this hasn’t happened more often. It certainly isn’t the first time somebody’s done it, but the fact that this time its been connected to such a high profile Internet celebrity is putting more eyes on the problem then there have been in the past. Now that the proverbial cat is out of the bag, there are even websites springing up which claim to be purveyors of “Printer Advertising”. Odds are good this won’t be the last time somebody’s printer starts running off more than TPS reports.
We here at Hackaday don’t have much interest in the battle for YouTube supremacy. We’re just pulling for Dave Jones’s EEVBlog channel to join AvE in breaking a million subscribers. But we’re very interested in the technology which made this attack possible, how likely it is we’re going to see more people exploit it, and what are we supposed to do now that even our own printers can be turned against us?
Easier Than You Might Think
According to TheHackerGiraffe’s account, Shodan (known as “the world’s first search engine for Internet-connected devices”) was used to search for Internet-facing IP addresses which had open ports related to network printing protocols such as IPP, LPD, and JetDirect. The search revealed over 800,000 devices were listening for incoming print commands, of which the first 50,000 were selected to be targets in the attack and saved to a text file.
With a list of potential printers waiting for a command, the next step was figuring out how to talk to them. To this end, our intrepid Giraffe used the open source Printer Exploitation Toolkit (PRET). Consisting of a suite of Python scripts, PRET is intended for researchers performing security audits on networked printers and can perform a wide away of functions. Not limited to simply printing to the target, it can also access files on its internal storage, capture incoming print jobs, disable the printer, and even has a function which claims to cause permanent damage to the printer’s NVRAM.
With a list of targets and a tool suite that would command them, the final piece of the puzzle was a quick script to tie them both together. On Twitter TheHackerGiraffe posted a copy of the Bash script which supposedly caused all the ruckus, and it’s about as simple as it gets:
#!/bin/bash while read -r line; do ip="$line" torify ./PRET/pret.py $ip pjl -q -i ./commands.txt done < "./potential_bros.txt"
The script loads the list of potentially vulnerable printers from a file called “potential_bros.txt”, and for each IP address in the file runs the
pret.py command to deliver the payload. Each instance of PRET is run through the
torify tool, which wraps the command in a Tor session in an attempt to anonymize the activity. In terms of notoriety gained per line of code, this script has to rank fairly high up there.
All things considered, an unwanted print job that consisted of just a few lines of text was arguably the most innocuous outcome of this particular stunt, it didn’t even use that much ink. Indeed, TheHackerGiraffe now says showing support for PewDiePie was really a secondary objective; the true goal was to raise awareness of how vulnerable many Internet connected printers really are. Whether you believe the claim genuine or a case of creating an excuse after the fact, we can’t deny it has people talking.
Does This Fall Under Fax Machine Law?
One would think that connecting to thousands of printers and using them to send unsolicited messages must be illegal. But some have put forward that since these printers are accessible to the public, advertising a usable service, and imposing no authentication limits, it might fall into a legal gray area. One could make the case that connecting to an open printer isn’t much different than connecting to a public web server.
As TheHackerGiraffe didn’t do anything that would normally run afoul of laws like the Computer Fraud and Abuse Act in the United States (such as collecting data, knowingly damaging systems, or extorting victims) it’s not immediately clear if the laws on the books are really prepared to deal with this particular threat. Of course things are complicated by the fact that the targeted printers are presumably located all over the world, potentially putting them under varying hacking laws. In some countries, simply connecting to a network you know you aren’t supposed to have access to is illegal, even if you don’t cause any damage.
Ironically, the most applicable law on the books (at least in the US) may be 2005’s Junk Fax Prevention amendment to the Telephone Consumer Protection Act which prohibits, among other things, sending unsolicited faxes. The comparison here seems pretty clear: a fax machine waiting for an incoming transmission is fairly analogous to an unsecured printer on the Internet. A future amendment that also extends these protections to Internet connected printers seems something of a forgone conclusion at this point.
Where We Go From Here
For better or for worse, everyone in the world now knows how easy it is to force unwanted prints down the throats of hundreds of thousands of printers. Whatever TheHackerGiraffe’s actual goal was is really inconsequential at this point, the end result is the same. A security researcher by the name of Simon Smith has already launched PrinterAdvertising.com, which promises to develop their own in-house framework for pushing advertisements to printers all over the world if there’s commercial interest. Assuming it actually goes live, it’s not hard to imagine how such a system could easily be abused.
Just like the recent controversy over Internet-connected Octoprint servers potentially allowing malicious use of 3D printers demonstrated, the best course of action for protecting 2D printers seems to be the same: keep them off the Internet to begin with. The reality is that the vast majority of these printers were never meant to be accessed outside of their local network, but thanks to sloppy routing and incorrectly configured firewalls, they somehow managed to get on the wider Internet.
If this event accomplishes anything, beyond making sure PewDiePie continues to rake in that sweet YouTube money, hopefully it will lead to a reduction of erroneously configured printers and greater understanding of the inherent risks of the “Internet of Things”. But if history is any indication this likely won’t be the last time somebody spreads their message, innocent or otherwise, via those lowly network printers collecting dust in offices all over the globe.
[Main image from the film Office Space]