back to article Oh Brother: Hackers can crash your unpatched printers – researchers

Security researchers have said they've uncovered a new way for hackers to crash Brother printers. More specifically, they've put out an advisory saying a vulnerability in the web front-end of Brother printers (the Debut embedded http server) allows an attacker to launch a Denial of Service attack. The attack might be carried …

  1. LewisRage

    2 things

    First off, who the fuck puts a printer on the open internet? And if you do why do you leave the web interface open?

    Secondly, I've got a couple of brother printers here. I find the best method to perform a denial of service is to try to get one of them to print something.

    1. wolfetone Silver badge

      Re: 2 things

      "First off, who the fuck puts a printer on the open internet?"

      People who believe the internet can be contained within a black box with a red flashing light.

      "And if you do why do you leave the web interface open?"

      See above.

    2. Eddy Ito Silver badge

      Re: 2 things

      ... who the fuck puts a printer on the open internet? And if you do why do you leave the web interface open?

      The answer to both is everyone who mistakenly relies on puffy printers.

      1. Anonymous Coward
        Go

        Re: 2 things

        Be honest, doesn't the phrase "I'll make a cloud-print." sound edgy? I can just see those words drifting across meeting spaces everywhere.

        And don't forget, the next step has to be linkage of all your friends/coworkers/lovers accounts.

        One cloud to print them all!

    3. WolfFan Silver badge

      Re: 2 things

      First off, who the fuck puts a printer on the open internet? And if you do why do you leave the web interface open?

      Not I, to either.

      Secondly, I've got a couple of brother printers here. I find the best method to perform a denial of service is to try to get one of them to print something.

      Hmm... I have multiple Brother printers, ranging back to ancient HL-2070s (more than 12 years old) all of which give excellent service. One of the HL-2070s has just reported its fourth paper jam. Ever. Since 2005. I used to have HP printers. I got rid of the last one when it had its fourth paper jam in eight hours.

      1. inmypjs Silver badge

        Re: 2 things

        "I have multiple Brother printers"

        I had a Brother MFC mono laser, replaced this year because of a great deal on a colour version with faster duplex scanner. When I checked the old one had been on 24/7 for 13 years. The only hassle being if needing occasional cleaning of the document feeder separator pad to avoid scanner feed jams.

        I gave the old one to a mate and as far as I know it is still in use.

      2. Roland6 Silver badge

        Re: 2 things

        I've got a couple of brother printers here. I find the best method to perform a denial of service is to try to get one of them to print something.

        The easiest way I've found is to send a large Airprint document to the Brother printer from an iPad and whilst it is printing switch to another application on the iPad. Once the printer is stuck in the "receiving data" process the only way to fix things is to remove the iPad from the network and pull the power lead out of the printer.

      3. Captain Scarlet Silver badge
        Stop

        Re: 2 things

        "I got rid of the last one when it had its fourth paper jam in eight hours"

        Just change the paper pickup rollers in the paper tray area when they are worn, newer HP's eat through them and you can tell they need replacing when the roller is smoooooooooooooooooooooooooth.

    4. Anonymous Coward
      Anonymous Coward

      Re: 2 things

      "First off, who the fuck puts a printer on the open internet?"

      https://www.shodan.io/report/JDXKGwoK

      Quite a few people it would seem.

      “Stupidity is not the lack of knowledge, but the illusion of having it.” - Grigore Iulian

    5. pixl97

      Re: 2 things

      >First off, who the fuck puts a printer on the open internet?

      Why would I need the open internet when I could just put a post link on a website you visit that tries to send an HTTP POST to 192.168.0.2-192.168.1.254, where about 90% of the population has their private IPs, when you click an action on the site.

      1. CrazyOldCatMan Silver badge

        Re: 2 things

        192.168.0.2-192.168.1.254, where about 90% of the population has their private IPs

        I knew there was a reason why my home range wasn't in the 192.168 range.. (other than the fact that a previous orkplace did and I it made VPN attempts somewhat challenging..)

    6. Roland6 Silver badge

      Re: 2 things

      >First off, who the fuck puts a printer on the open internet? And if you do why do you leave the web interface open?

      I wonder if this is yet another example of having UPnP enabled on the router.

  2. Anonymous Coward
    Anonymous Coward

    Fully agree about placing a printer (any printer) on the big bad internet. I tend to place them behind a simple ip-based firewall even on an intranet: this saves an enormous amount of time trying to diagnose the problems cased by Jack, Jim, and Jill trying to bypass the official print servers and go directly to the printer with some random drivers they got god knows where.

    Completely disagree with your opinion on the printers themselves - for SOHO with low to moderate printing needs, brother printers are my first choice, both for reliability and for cost-effectiveness.

    1. Doctor Syntax Silver badge

      "Completely disagree with your opinion on the printers themselves - for SOHO with low to moderate printing needs, brother printers are my first choice, both for reliability and for cost-effectiveness."

      I have one and whilst it's a good printer it does seem to get lost from the network from time to time.

    2. ckm5

      I agree. Having been through several brands, Brother is on the better side. Epson is the worst, in the 'kill it with fire' category.

      And I'm with @lewisrage - if you are stupid/clueless enough to put a printer on the internets, you'll get what you deserve.

    3. Paul Crawford Silver badge

      +1 up-vote for the AC

      Always treat your printers as vulnerable devices to be kept on their own little subnet without external internet access and unable to initiate attacks upon traffic to your main machines.

  3. Mark 85 Silver badge

    Tip of the iceburg...perhaps.

    I know of several 3D printers that require internet access to phone home where the file is processed and sent back to the printer for printing. Yeah... it's stupidity at it's finest but hey... Internet of Shit gets buyers attention. So it's probable that other printers do it for automatically ordering supplies, sending data back to the mothership on usage, etc.

    1. Paul Crawford Silver badge
      Facepalm

      Re: Tip of the iceburg...perhaps.

      So 3D printer on internet, shit security, what do you do expect those discovering it to do:

      1) Try to inform the owner/supplier of the problems?

      2) Use said device to attack others within the company network?

      3) Send it files of 3D penises to print out?

      1. bombastic bob Silver badge
        Devil

        Re: Tip of the iceburg...perhaps.

        "3) Send it files of 3D penises to print out?"

        many decades ago, at a university, they had a teleray graphics terminal (vector graphics) with a printer connected to it. It was possible to a) open the TTY device if nobody was logged into it, and b) remotely draw something and send a control character to print the screen afterwards.

        Occasionally I would do so. It was a particular mathematical function [that I can't remember the details of at the moment] that printed something that looked like a "thigh gap"

        so I'd rather send 3D "thigh gap" images for it to print out. heh.

    2. ckm5

      Re: Tip of the iceburg...perhaps.

      That doesn't mean they are 'on the internet'. Pretty much anything on most internal networks can get out to the internet, that's vastly different than having a public IP. There is (usually) at least a NAT firewall between the requesting device and the public internet.

      In the scenario you describe, it's pretty much the same as requesting a web page - you send some data and get more data back, typically processed for you in some fashion. That doesn't mean the contents you get back are necessarily safe, but that's pretty much the case anytime you request data from a remote server.

    3. inmypjs Silver badge

      Re: Tip of the iceburg...perhaps.

      "I know of several 3D printers that require internet access"

      A printer having internet access is not the same as a printer being accessible from the internet.

  4. herman Silver badge
    Thumb Up

    Well, crashing a printer isn't exactly a bad thing.

  5. CommodorePet

    Sloppy or Oddness:

    The timing between "attempt to contact vendor" and exposure as zero day is pretty short. Exactly 3 months from creation of proof of concept - file created in August: 1 month from "chat" to publish.

    https://gist.github.com/tipilu/53f142466507b2ef4c8ceb08d22d1278

    Is "online chat with customer support" a reasonable attempt to get the vendor to realize what the problem is?

    #09/11/2017 - Attempt to contact vendor

    #10/03/2017 - Live chat communications with vendor regarding no reply

    #10/25/2017 - Attempt to contact vendor

    #11/02/2017 - Advisory published

    Web searches for "Debut Embedded HTTP server" don't turn up any open source, and I can't find any mention on Brother's page that their HTTP server is called "Debut". That name only occurs in the reports about this problem.

    CVE-2017-16249 doesn't exist yet. CVE-2017-12568 does contain the same info.

    1. CommodorePet

      Re: Sloppy or Oddness:

      September 10th:

      https://twitter.com/0xz00n/status/906908617919647744

      Not sure if @0xz00n found it first, given that CVE-2017-12568 was created on August 5th

      1. z00n

        Re: Sloppy or Oddness:

        Hey there,

        CVE-2017-12568 is a separate issue based on the specific wording "... large amount of HTTP packets."

        An example of this PoC working can be seen here:

        i.imgur.com/ondA5jf.jpg

  6. Anonymous Coward
    Terminator

    Sixteen thousand Brother printers accessible from the Internet

    "Enterprise sysadmins were advised by the researchers to restrict web access to Brother printers using a firewall or similar device."

    It doesn't take an enterprise sysadmin to tell them that, a ten year old could have figured this out.

  7. Missing Semicolon
    Devil

    Brother firmware age

    I wonder if they'll finally get round to fixing the crap cloud print client?

    Every time I reboot my router, or the printer, I have to register is again on Google Cloud Print as a new device

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019