Monday, March 16, 2015

Tales Of The Unsecured Wireless Printer

    The story I am about to tell emphasizes the dangers of having an unsecured wireless printer, with a little fun in the process.  Before I go any further, the disclaimer.  The story I am about to tell was done in a test lab and not in a restaurant down the street from my house.  I photoshoped ever image you are about to see. I am superman.  This is a story about playfully teaching people the dangers of not password protecting your network devices.  That statement also applies to not changing your default login credentials.  Call me paranoid but I recommend changing the defaults even on devices that give you a secure random password.  As an example a local ISP near my home town began giving out devices that came with a random password and WPA key.  Someone discovered that they used the serial numbers as the seed for the password and key generator.  They then  reverse engineered the algorithm for generating the info and created a tool that would give you the password and WPA key for any gateway from this provider given the serial.  This story was just me having fun but I am sure you will see the potential for much more damage.
    Last weekend a friend and I were having lunch at a restaurant a few miles from my house.  We sat down, browsed over the menu and ordered just like a normal Saturday lunch.  After a few minutes my friend alerts me that they have an open wireless signal in the building.  I pulled out my phone and fired up my wifi.  Sure enough there were two open wireless signals.  One was the guest network the other was an HP printer.  Now I know that there is all sorts of fun you can have on a guest wireless network equipped with just an Android phone but, I was a bit more interested in the printer. I find wireless printers that have been setup by techs who have no security awareness can be a ton of fun. This is where the story begins.
    I connect to the printer and let DHCP hand me an address.  I opened up my settings and took a look at my IP.  I was given 192.168.223.x, leading me to assume the printer is on 192.168.223.1.  Maybe 192.168.223.10 or .100 but I generally start at .1 when looking for the address of a piece of hardware handling DHCP.  Sure enough 192.168.223.1 gives me an HP admin page.  At this point we are going to need to check that we can actually change settings. Over the years I have seen many network devices have an open admin panel that requires authentication as soon as you try to modify anything or print.  I went into the settings to change the admin password and sure enough there was no password currently set.  I changed the password to 'fuckyou'(I know, I'm a man child).  In the image below you can see a screenshot I took of the network settings panel.

 
    Now that we have control of the printer the question is how do we let them know they need to secure the device?  We print out multiple copies of our favorite nerd image for the day, that's how!  First we must send them another hint though.  Changing the SSID!  In the image below if you take a close look you can see I changed the SSID to "pwn3d".  That's right I went there.  At this point I pushed down my laughter and kept clicking through the assorted tabs while brainstorming on how much ink I want to waste in the process of teaching this lesson.  I stumbled on a page going over the direct wireless printing settings.


  This page lead me to close my browser and head straight for the play store.  I searched HP and the top app was the HP direct print app.  I clicked install and spent a few more minutes doing burger in face things.  Once the app installed I fired it up and it picked right up on the printer.  Now all there base are already belong to us so, its time to queue up a print job.  At the very bottom of the post I have put the image I printed and the image of the print settings screen.  I decided to print ten copies of the image.   Full disclosure, the app maxed me at ten and I didn't feel like sitting around once the print job started to fire up multiple jobs so I left it at ten.  I payed my tab, fired up the print job and walked on out as soon as my print job told me it was successfully printed.





  As a final note, this was all done in good fun.  It is my hope that somebody got as good of a laugh out of this as I did and then proceeded to call and have someone come secure that printer.  They most likely didn't notice my changes.  I would say the most likely situation is someone saw the prints threw them away and moved on.  They most likely still have the password 'fuckyou' set as there printers admin password.  At least I had fun.

  If you want to know more about me or you are looking for someone with my skill set my contact info can be found at atarimaster.us

No comments:

Post a Comment