For the second time in two weeks, printers across the world have been hijacked, rolling out page after page of odd propaganda.
Starting around November 28, a hacker using the handle @HackerGiraffe on Twitter ordered 50,000 printers to produce a five-point plan that asked readers to unsubscribe from T-Series. The Indian YouTube channel is locked in a race with the controversial Swedish YouTuber PewDiePie – real name Felix Kjellberg – for the prize of the site’s most subscribed channel.
The printed missive asked people to subscribe to PewDiePie and concluded by saying they should fist pump a piece of paper.
Last weekend, a separate American hacktivist duo, using the Twitter account @j3ws3r, went one further, getting a further 80,000 printers to print out five copies of a differently-worded message with the same intent: subscribe to PewDiePie; unsubscribe from T-Series. (They also asked people to delete TikTok, a video app popular with teens, and to “hit that dab like Wiz Khalifa”.)
They didn’t stop there, though: they claim to have taken down the official website of T-Series.
According to @j3ws3r, the stunt hacking is about more than a YouTube spat over which account has the most followers. “We hope that we can raise proper awareness of ports open to the public internet and servers running Apache,” one of the people behind @j3ws3r says.
While @TheHackerGiraffe used Shodan – a search engine for Internet of Things products – to find their targets, the duo decided to cast their net wider. Using a freely available penetration testing kit called Masscan, they scanned the entire IPv4 address space for port 9100 – which is used to send print commands.
Over the course of 20 hours scanning the internet, they found 82,000 open printers. They then sent a command to each of the printers they could access, printing out five copies using a script that utilises PRET, a Python tool. Five commands were sent to each printer “Because connections get closed and stuff happens behind the scenes and the printers decide not to print,” @j3ws3r explains.
“That port 9100 is something that is normally closed on a router,” says Dan Turner of Nexus Consultancy, an IT expert. “That open port is like having an open door to printers. Anyone on the internet can access that internet to print anything. It's something that by default should be closed,” Turner adds. He advises that people who have had unwanted items printed should close the port.
In all, sending the individual commands took @j3ws3r 48 hours. “Universities, tech companies – you name it, it printed,” they say. The duo refused to reveal their identities, ages or locations to WIRED, fearing legal repercussions.
Bringing down T-Series’ website was the second stage of the plan, plotted as a way to fill the time while the script they set running on 80,000 printers finished. “I found a huge vulnerability in the T-Series website,” the hacker claims – a weakness to slow HTTP denial of service. “A slow HTTP denial of service I can practically run from my iPod 2G and still take the site down – it’s dangerous.”
The unnamed hacker claims that they spent three days trying to contact T-Series to warn them of the vulnerability. “[I] emailed whoever I could, and went as far as to call the numbers listed on the website,” he says. (@j3ws3r declined to provide evidence of this, saying it could compromise their identity.)
“I ended up saying, ‘Screw this. Might as well show them the vulnerability if they won’t even spend the time to listen’.” Using Git, a version control system that runs on Linux, and a low-bandwidth denial of service repository called Slowloris, @j3ws3r took down the site. The hacker says that it also served another purpose: around a fifth of traffic to the T-Series website then goes to the group’s YouTube channel, benefiting them in the race against PewDiePie.
Both @j3ws3r and @TheHackerGiraffe have said the purpose of exploiting the printers has been to raise awareness of the number of unsecured devices. However, @j3ws3r doesn’t deny they are also happy to bring 82,000 printers to the help of PewDiePie. “I love the man,” they say. “He’s hilarious. And him slowly being taken over by some company just hurts. It shows how YouTube is being taken over and controlled by large corporations.”
PewDiePie joined YouTube in April 2010 and focusses on playing games, amassing more than 76 million subscribers in the process. However, in recent years Kjellberg's behaviour has become troubling. In February 2017, Disney and YouTube cut ties with him after a Wall Street Journal investigation found anti-Semitic jokes and Nazi imagery in some of his videos. On December 8, 2018, PewDiePie was found to be promoting a YouTube channel with anti-Semitic links.
This isn't the first time that printers have been hijacked by internet users. In February 2017, a British teenager going by the name of Stackoverflowin made 150,000 printers spew out messages. The month before, US universities were targeted with anti-Semitic fliers being printed.
“In my eyes those ‘public printers used to print stuff’ stories that pop up once a year are no real hacks,” says Jens Mueller, the researcher who initially found the port 9100 vulnerability. “Someone uses a publicly reachable device for what it's made for: printing. The guy could have done much more evil things.”
But the hacktivists defend their acts. @j3ws3r says: “From our perspective, how else were we supposed to warn people about this?” They also point out they could have used their access to the printers to destroy them, by writing to the device’s non-volatile random-access memory (NVRAM) which can only handle so many reads and writes before it breaks. “Assuming these printers each had the low number of 50Mbit/s connection, that means if someone wanted to they could have a botnet that is 512.5 GBps,” says @j3ws3r – around half the size of the largest botnet ever created.
It’s not the only exploit the pair intend to highlight. “There’s more planned,” they say. “Lots more.”
They’re intending to highlight the issue of vulnerable routers that rely on default usernames and passwords. “Ever thought of how people like us can write a script to find all of them and just change the Wi-Fi name (SSID) to anything we want? Like (PEWDIEPIE)? It’s scary out there.”
They’re also scanning open Minecraft ports using accounts donated to their cause, with the plan of warning about the risks of the massive game. On Twitter @HackerGiraffe said it was pairing up with @j3ws3r to target Minecraft. “There’s a lot to come but what we’ve done so far, in the time we had, definitely lit a match,” they say. “Open ports on the internet are not good.”
This article was originally published by WIRED UK