It has already been a banner year for printer hacking. Internet-connected printers of at least three American universities—Stanford, Vanderbilt, and the University of California, Berkeley—were hijacked and used to print anti-Semitic flyers. In the same week, researchers at Ruhr-University Bochum in Germany published a paper on security vulnerabilities in printers, as well as setting up a wiki to catalogue related exploits. Just days later, Stackoverflowin made his move in an attempt to draw increased attention to the problem.
Intrigued, I contacted Stackoverflowin over Ricochet, an anonymous instant messaging app. We chatted about Internet of Things security, backdoors in Chinese manufactured goods, and his undying distaste for "skids", or script kiddies, unskilled people who use scripts or programs to attack computers but lack the knowledge to write their own.
Motherboard: You've said before that you were doing this to call attention to the security flaw—how'd you do it, and how can end users protect themselves?
Stackoverflowin: I did it by sending jobs to printers using the LPD protocol (port 515), IPP (port 631), and raw print jobs on port 9100. Along with this, I used an RCE [remote code execution, an exploit allowing the hacker to run arbitrary code on the target computer] which affected Xerox's web control panels. I could create jobs and use my own PostScript to my liking. People need to take their printer out of the public internet unless it's needed, to be honest. And if it's needed, they should be whitelisting IPs/IP subnets [approving connections from specific IP addresses while blocking all others] or using a VPN to access the local network.
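The defensive advice above (keep the three printing ports off the public internet, and where exposure is unavoidable restrict them to approved subnets) can be checked against firewall logs. The following is an added example, not code from the interview or from Stackoverflowin: it assumes iptables-style kernel log lines and a hypothetical allowlist, and flags any connection to LPD (515), IPP (631) or raw port 9100 from a source outside that allowlist.

```python
import ipaddress
import re

# Printer protocols and ports named in the interview.
PRINTER_PORTS = {515: "LPD", 631: "IPP", 9100: "raw"}

# Hypothetical allowlist: only these networks may reach the printers.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample log lines in iptables LOG format; not real traffic.
SAMPLE_LOG = """\
Feb 05 10:01:02 fw kernel: IN=eth0 SRC=10.20.3.7 DST=10.20.9.50 PROTO=TCP DPT=9100
Feb 05 10:01:05 fw kernel: IN=eth0 SRC=203.0.113.44 DST=10.20.9.50 PROTO=TCP DPT=9100
Feb 05 10:01:09 fw kernel: IN=eth0 SRC=198.51.100.9 DST=10.20.9.51 PROTO=TCP DPT=631
Feb 05 10:01:12 fw kernel: IN=eth0 SRC=192.168.1.20 DST=10.20.9.51 PROTO=TCP DPT=515
Feb 05 10:01:15 fw kernel: IN=eth0 SRC=203.0.113.44 DST=10.20.9.50 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")


def is_allowed(src):
    """True if the source address falls inside one of the allowlisted subnets."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is treated as not allowed
    return any(addr in net for net in ALLOWED_NETS)


def find_unexpected_print_jobs(log_text):
    """Return (src, dst, protocol) for each printer-port connection from outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m.group("dpt"))
        if port in PRINTER_PORTS and not is_allowed(m.group("src")):
            hits.append((m.group("src"), m.group("dst"), PRINTER_PORTS[port]))
    return hits


if __name__ == "__main__":
    for src, dst, proto in find_unexpected_print_jobs(SAMPLE_LOG):
        print(f"{proto} job to {dst} from non-allowlisted source {src}")
```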
And you automated the process of sending the requests, I take it?
Yes, I created a small program in C to do so.
Some of the rogue messages Stackoverflowin sent to printers around the world.
In the printouts you told people their machines were a part of a botnet, even though they actually weren't. Why that choice?
It's the first thing that came to my mind, and with growing concerns about IoT security I thought it would be appropriate.
The printouts said you "utilised BTI's (break the internet) complex infrastructure, operating on Putin's forehead?"
If you're wondering what BTI is, it was a group of a few friends of mine. Lots of forehead jokes go around, mainly involving security researchers, which inspired me about the Putin joke. It was more to stun than anything. People automatically think "lol Rusisa [sic], w0w."