A hacker claims to have commandeered 50,000 printers globally in order to print pamphlets promoting YouTube star “PewDiePie.” The alleged widespread hack sheds light on just how insecure printers are, and how precarious printer vulnerabilities could be when they offer an easy route into the enterprise network.
The hacker, who uses the Twitter handle @HackerGiraffe, said he hacked over 50,000 printers to promote Felix Kjellberg, also known as PewDiePie, a Swedish YouTuber, comedian and video game commentator.
The famed YouTuber is currently going head-to-head with T-Series, an Indian music record label and film company, for the top YouTube spot. Both YouTubers’ channels have at least 73 million subscribers, though PewDiePie, at the time of this writing, is leading by 300,000.
On Friday, @HackerGiraffe took to his Twitter account to explain how he carried out the hack.
https://twitter.com/HackerGiraffe/status/1068714506770149376
According to the hacker, he found three different vulnerable printing protocols on Shodan (IPP, LPD and JetDirect), with up to 800,000 vulnerable printers in total.
“I was horrified to see over 800,000 results show up in total. I was baffled, but determined to try and fix this. So I picked the first 50,000 printers I found running on port 9100 and downloaded the list off Shodan,” he said in a tweet.
The hacker then used the Printer Exploitation Toolkit, available on GitHub, which also gives hackers the ability to access files, damage the printer, or access the internal network.
However, @HackerGiraffe said that he merely wanted to use the kit to print out messages about PewDiePie, so that he could spread awareness.
“PRET [Printer Exploitation Toolkit] had the scariest of features. Ability to access files, damage the printer, access the internal network…things that could really cause damage. So I had to do this, to at least help organizations and people that can protect themselves,” he said in a tweet.
The hacker wrote a bash script that runs the toolkit against the impacted IP address with commands to print a message and then quit. He then uploaded the script onto his server and left it running.
The printed message said: “PewDiePie is in trouble and he needs your help to defeat T-Series! PewDiePie, the currently most subscribed to channel on Youtube, is at stake of losing his position as the number one position by an Indian company called T-Series, that simply uploads videos of Bollywood trailers and songs.”
The message then urged readers to unsubscribe from T-Series and subscribe to PewDiePie, and concluded by telling readers to tell everyone they know.
Impacted printer users, for their part, took to social media to tweet at PewDiePie that they received the message. Those impacted ranged from students trying to print their college work, to those using work computers – even a ticket printer at a police station.
https://twitter.com/shonex112/status/1068893213530804225
@pewdiepie Some hacker is using unsecured work printers to print out this message pic.twitter.com/t701kfBwIP
— Shahmeer Khan (@shahmeer_khan16) November 30, 2018
https://twitter.com/TFGHighlights/status/1067472069850390529
PewDiePie, for his part, addressed the incident briefly on his Twitter account, saying “Desperate times calls for desperate measures..”
https://twitter.com/pewdiepie/status/1068628752173858817
Printers continue to pose a security risk for companies, particularly when the printers are owned by enterprises that lack strict network device management.
An HP-sponsored study by the Ponemon Institute (PDF) found that, out of 2,000 IT security practitioners, up to 56 percent believe employees in their organizations do not see printers as an area of high security risk. Meanwhile, only 44 percent of those surveyed said their company security policies include security for network-connected printers.
That goes to show why printer-related security incidents are so widespread. Just this past summer, researchers at Check Point found a vulnerability enabling attackers to compromise printers with fax capabilities, merely by sending a fax. Meanwhile, in August, HP Inc. patched hundreds of inkjet models that were open to two different remote code execution flaws (CVE-2018-5924, CVE-2018-5925).
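As an added example (not from the article or from any tool it mentions), the following Python code shows how a defender could check firewall logs for outside hosts reaching internal devices on the three printing protocols named above. The key=value log format, the sample lines and the internal address ranges are assumptions constructed for illustration; 515 (LPD), 631 (IPP) and 9100 (JetDirect) are those protocols' standard TCP ports.

```python
import ipaddress
import re
from collections import defaultdict

# Standard TCP ports for the three protocols named in the article.
PRINT_PORTS = {515: "LPD", 631: "IPP", 9100: "JetDirect"}
# Assumption: the organization's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in an assumed key=value firewall log format.
SAMPLE_LOG = """\
2018-11-30T09:14:02Z action=allow proto=tcp src=198.51.100.23 dst=10.20.4.17 dport=9100
2018-11-30T09:14:05Z action=allow proto=tcp src=10.20.1.50 dst=10.20.4.17 dport=9100
2018-11-30T09:15:41Z action=deny proto=tcp src=203.0.113.9 dst=10.20.4.18 dport=631
2018-11-30T09:16:10Z action=allow proto=tcp src=203.0.113.9 dst=10.20.4.17 dport=515
2018-11-30T09:17:33Z action=allow proto=tcp src=198.51.100.23 dst=10.20.7.2 dport=443
2018-11-30T09:18:00Z action=allow proto=udp src=198.51.100.23 dst=10.20.4.17 dport=9100
malformed line without fields
"""

def is_internal(addr):
    """True if addr falls inside one of the configured internal networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    return any(ip in net for net in INTERNAL_NETS)

def exposed_printers(log_text):
    """Map each internal host to the (protocol, external source) pairs allowed in."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            port = int(f["dport"])
            src_in, dst_in = is_internal(f["src"]), is_internal(f["dst"])
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete lines
        # Only allowed TCP flows from outside to an internal print port count.
        if (f.get("action") == "allow" and f.get("proto") == "tcp"
                and port in PRINT_PORTS and dst_in and not src_in):
            hits[f["dst"]].add((PRINT_PORTS[port], f["src"]))
    return {host: sorted(pairs) for host, pairs in hits.items()}

if __name__ == "__main__":
    for host, pairs in exposed_printers(SAMPLE_LOG).items():
        for proto, src in pairs:
            print(f"{host}: {proto} reachable from {src}")
```

Any host this reports is a candidate for a firewall rule that blocks the print ports at the network edge.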