Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
This Teen Hacked 150,000 Printers to Show How the Internet of Things Is Shit
#1
This just goes to show how insecure the IoT is, and these devices are going to become much more popular in the next few years.

Quote:On Saturday, February 4, 2017, a self-described "pissed off high school student" in the United Kingdom sat in front of his computer, listening to Bones and Yung Lean, coding a rootkit, a set of software tools that allows an unauthorized user to control a computer system. He got to thinking about recent news reports about printer hacking and shifted gears, instead building a short program in C.

Within hours, roughly 150,000 internet-connected printers across the world began spitting out ASCII art and messages informing their owners that their machines were "part of a flaming botnet." The hacker signed his work as "Stackoverflowin."

Throughout the evening and into Sunday, people across the web reported finding the mysterious printouts. Many of the affected printers were connected to restaurant POS systems, leaving confused employees to find ASCII robots pouring out of their receipt printers.

[Image: 1486587116339-Screen-Shot-2017-02-08-at-...size=956:*] 

It has already been a banner year for printer hacking. Internet-connected printers of at least three American universities—Stanford, Vanderbilt, and the University of California and Berkeley—were hijacked and used to print anti-Semitic flyers. In the same week, researchers at Ruhr-University Bochum in Germany published a paper on security vulnerabilities in printers, as well as setting up a wiki to catalogue related exploits. Just days later, Stackoverflowin made his move in an attempt to draw increased attention to the problem.

Intrigued, I contacted Stackoverflowin over Ricochet, an anonymous instant messaging app. We chatted about Internet of Things security, backdoors in Chinese manufactured goods, and his undying distaste for "skids", or script kiddies, unskilled people who use scripts or programs to attack computers but lack the knowledge to write their own. 

Motherboard: You've said before that you were doing this to call attention to the security flaw—how'd you do it, and how can end users protect themselves?
Stackoverflowin: I did it by sending jobs to printers using the LPD protocol (port 515), IPP (port 631), and raw print jobs on port 9100. Along with this, I used an RCE [remote code execution, an exploit allowing the hacker to run arbitrary code on the target computer] which affected Xerox's web control panels. I could create jobs and use my own PostScript to my liking. People need to take their printer out of the public internet unless it's needed, to be honest. And if it's needed, they should be whitelisting IPs/IP subnets [approving connections from specific IP addresses while blocking all others] or using a VPN to access the local network.

And you automated the process of sending the requests, I take it?
Yes, I created a small program in C to do so.

[Image: 1486587736933-stackoverflowin-ascii.jpeg?resize=667:*] 

In the printouts you told people their machines were a part of a botnet, even though they actually weren't. Why that choice?
It's the first thing that came to my mind, and with growing concerns about IoT security I thought it would be appropriate.

The printouts said you "utilised BTI's (break the internet) complex infrastructure, operating on Putin's forehead?"
If you're wondering what BTI is, it was a group of a few friends of mine. Lots of forehead jokes go around, mainly involving security researchers, which inspired me about the Putin joke. It was more to stun than anything. People automatically think "lol Rusisa [ sic], w0w."

More here
https://motherboard.vice.com/en_us/artic...gs-is-shit
#2
The young get smarter and smarter where electronics are concerned.

Welcome to the New Age (of electronics).



Forum Jump:


Users browsing this thread: 1 Guest(s)