Teen Hacker Demonstrates Exactly Why IoT Printers Are Stupid
Ron Perillo / 6 years ago
What do you do when you are a bored, pissed off high-school student from the UK sitting in front of a computer with rootkit coding skills and access to hundreds of thousands of internet-connected “IoT” printers across the world? Well, take over these printers to teach everyone a lesson on how stupid having everything connected to the internet is, of course. This is exactly what hacker “Stackoverflowin” did one Saturday night in February 2017. Within a matter of hours, using simple code written in C, over 150,000 IoT devices across the world printed out ASCII art and messages claiming that the machine is “now part of a flaming botnet”.
While many of these printers are used in offices and schools, they were also being used in restaurant point-of-sale systems, so a slight panic ensued and left employees wondering what should be done about the message. There was of course nothing to do: the message from the hacker was just a simple cautionary tale told with a modern IoT twist, and there was in fact no such thing as being part of a “flaming botnet”. Technically, as IoT devices, the printers were already exposing themselves out in the open to attacks.
VICE magazine reached out to Stackoverflowin via the Ricochet anonymous instant messaging app, and he confirmed that he used remote code execution to send raw print jobs, exploiting Xerox’s web control panels. It was so easy, it barely even qualifies as a ‘hack’. As a safety suggestion, he adds that aside from taking printers off the public internet, companies should be doing something as simple as whitelisting IPs/IP subnets if connecting to the internet is necessary. Although this specific attack was quite innocuous and harmless, other attacks from 2017 were not, with IoT printers at the University of California, Berkeley hacked to print anti-semitic fliers earlier last month. Other American universities such as Stanford and Vanderbilt reported similar attacks on their printing services as well.
IoT itself has been pushed by many tech companies and has become quite a buzzword, with the last two Consumer Electronics Shows centered almost entirely around IoT technology. It has been a strong marketing tool, but as hacker Stackoverflowin pointed out succinctly, it is somewhat irresponsible to leave everything out in the open when it is unnecessary. While it is undeniable that IoT is the future, it behooves everyone involved to be much more security-aware due to the nature of IoT’s accessibility.