Almost 28,000 printer owners got a shock in late August after an independent cybersecurity news outlet hacked all their devices. The intent? To “raise awareness of security issues” – and publish it as a news story.
The outlet wanted to show that thousands of printers were unsecured on the internet, so it looked for them using the Shodan IoT search engine. It found over 800,000 printers that were accessible over the internet and had network printing features enabled. It chose 50,000 addresses and wrote a script to print out documents on them remotely, of which 27,944 worked.
This isn’t the first time people have pulled this stunt. Infosecurity reported on a printer spam campaign last year, and a white supremacist hacker sent hate mail en masse using this technique in 2016. At the end of 2018, TheHackerGiraffe did something similar to promote the YouTube celebrity PewDiePie.
These hacks cross the ethical line because they manipulate other people’s equipment in unsolicited ways. Exposing them once is an interesting, if illegal, exercise, but each time someone pulls the same stunt it gets older. The fact that printers, webcams and other devices remain exposed online doesn’t get any more surprising, but it still makes a good headline and drives some traffic.
That self-promotion exercise also used thousands of people’s devices without permission, wasting nearly 28,000 pages of paper, which according to the Sierra Club is about a tree and a half. We hope the victims of the hack recycle.
A saving grace is what was on the page. Rather than commercial or ideological spam, the reporters at least printed a useful message: a five-step guide to securing the devices.
This exercise might seem like a good way to bring ill-configured equipment to the attention of countless hapless admins, but it’s an ethical nightmare that falls into the same category as benevolent computer viruses like Wifiwatch. However well-meaning, it isn’t a good idea and might have unexpected side effects.
The perpetrators of this ‘awareness raising’ technique protested that they only accessed the printing function and didn’t inspect or tamper with the devices’ memory, as if that justified the intrusion somehow. I’ll remember that the next time I get caught short and climb through someone’s open window to use the loo.
