Are Hackers Keeping a Hidden Stash on Your HP Printer’s Hard Drive?

HP printer hard drives can be abused if left unprotected. Security researcher Chris Vickery has discovered that HP LaserJet printers may be abused as an anonymous data storage unit by malicious actors, thanks mainly to a default setting that sets up an FTP server via port 9100.

The feature in question has its place in HP’s LaserJet business-grade series of laser printers. It allows a company’s employees to host large troves of data on the device while it’s being printed.

Files uploaded to the printer using this method can usually be accessed at https://[Printer_IP_Address]/hp/device/[File_Name]. All upload and download operations from this anonymous FTP are handled via port 9100.

Since these devices are usually placed on corporate networks, if sysadmins forget to protect this equipment behind a firewall or the device has a publicly accessible IP, an unknown attacker could access the HP printer via port 9100 and use it as a secret storage device to host malicious files.

These can be anything from malicious scripts to illegal or copyrighted material, all saved and accessed from the device with no alarm bells ringing on the printer.

Hackers have a high chance of remaining anonymous

The only evidence left is in network logs, but very few admins scan for traffic in and out of a printer.

“This kind of printer is usually powered up and online twenty-four hours a day. Even in sleep mode it will still host files,” Vickery explained. “And who checks the contents of their printer’s hard drive? What are the odds of this hacker’s secret stash ever being discovered? Pretty low if you ask me.”

As Vickery recommended, the only way to avoid unwittingly becoming part of cyber-crime is to put the printer behind a firewall, or to change its settings and disable the FTP storage if it is not used.
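Since the network logs are the only place this activity shows up, a periodic check of flow records for printer traffic from unexpected sources is worth automating. The sketch below is an added example, not code from Vickery or HP; the printer address, the permitted print-client subnet, the CSV flow-log layout and the sample records are all assumptions constructed for illustration.

```python
import csv
import ipaddress
from io import StringIO

# Assumptions (not from the article): printer inventory, the subnets allowed
# to print, and a flow-log layout of time,src,dst,dport,bytes.
PRINTERS = {ipaddress.ip_address("10.20.0.15")}
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.0.0/24")]
# Ports the article ties to the feature: 9100 for transfers, HTTPS for /hp/device/.
WATCHED_PORTS = {9100: "port 9100 transfer", 443: "web fetch (/hp/device/)"}

# Constructed sample records; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
2024-01-01T09:00:00,10.20.0.42,10.20.0.15,9100,48211
2024-01-01T02:13:07,203.0.113.77,10.20.0.15,9100,7340032
2024-01-01T02:40:51,198.51.100.9,10.20.0.15,443,7340100
2024-01-01T10:05:00,10.20.0.42,10.20.0.80,443,1200
2024-01-01T11:30:00,10.30.5.5,10.20.0.15,9100,90112
this line is malformed
"""

def flag_printer_flows(log_text, printers=PRINTERS, allowed=ALLOWED_CLIENTS):
    """Return flows to a printer's watched ports from non-approved sources."""
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, dport, nbytes = row
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port, size = int(dport), int(nbytes)
        except ValueError:
            continue  # unparsable address or number
        if dst_ip not in printers or port not in WATCHED_PORTS:
            continue  # not printer traffic we care about
        if any(src_ip in net for net in allowed):
            continue  # expected print client
        # Internal hosts outside the print subnet are flagged too, not only
        # Internet addresses: a firewall gap can exist in either direction.
        findings.append({"time": ts, "src": src, "port": port,
                         "bytes": size, "why": WATCHED_PORTS[port]})
    return findings

if __name__ == "__main__":
    for f in flag_printer_flows(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} -> printer:{f['port']} "
              f"{f['bytes']} bytes ({f['why']})")
```

Any hit from this check means the firewall rule Vickery recommends is missing or too broad for that printer.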

A quick Shodan search for LaserJet and port 9100 (you’ll need to be logged in to Shodan) shows around 20,000 exposed printers accessible right now.