On Saturday, February 4, 2017, a self-described "pissed off high school student" in the United Kingdom sat in front of his computer, listening to Bones and Yung Lean, coding a rootkit, a set of software tools that allows an unauthorized user to control a computer system. He got to thinking about recent news reports about printer hacking and shifted gears, instead building a short program in C.
Within hours, roughly 150,000 internet-connected printers across the world began spitting out ASCII art and messages informing their owners that their machines were "part of a flaming botnet." The hacker signed his work as "Stackoverflowin."
Throughout the evening and into Sunday, people across the web reported finding the mysterious printouts. Many of the affected printers were connected to restaurant POS systems, leaving confused employees to find ASCII robots pouring out of their receipt printers.
It has already been a banner year for printer hacking. Internet-connected printers of at least three American universities—Stanford, Vanderbilt, and the University of California, Berkeley—were hijacked and used to print anti-Semitic flyers. In the same week, researchers at Ruhr-University Bochum in Germany published a paper on security vulnerabilities in printers, as well as setting up a wiki to catalogue related exploits. Just days later, Stackoverflowin made his move in an attempt to draw increased attention to the problem.
Intrigued, I contacted Stackoverflowin over Ricochet, an anonymous instant messaging app. We chatted about Internet of Things security, backdoors in Chinese manufactured goods, and his undying distaste for "skids", or script kiddies, unskilled people who use scripts or programs to attack computers but lack the knowledge to write their own.
Motherboard: You've said before that you were doing this to call attention to the security flaw—how'd you do it, and how can end users protect themselves?
Stackoverflowin: I did it by sending jobs to printers using the LPD protocol (port 515), IPP (port 631), and raw print jobs on port 9100. Along with this, I used an RCE [remote code execution, an exploit allowing the hacker to run arbitrary code on the target computer] which affected Xerox's web control panels. I could create jobs and use my own PostScript to my liking. People need to take their printer out of the public internet unless it's needed, to be honest. And if it's needed, they should be whitelisting IPs/IP subnets [approving connections from specific IP addresses while blocking all others] or using a VPN to access the local network.
And you automated the process of sending the requests, I take it?
Yes, I created a small program in C to do so.
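The defensive side of the answer above, as an added example that is not part of the interview: a small detection script that reads firewall connection logs and flags accepted connections to the three printer ports (515, 631, 9100) that did not come from an allowlisted network. The log line format, the allowlisted subnets and the sample lines are all constructed for this example.

```python
import ipaddress
import re

# Printer service ports named in the interview: LPD, IPP and raw port 9100.
PRINTER_PORTS = {515: "lpd", 631: "ipp", 9100: "raw"}
# Hypothetical allowlist of networks that are permitted to reach printers.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
# Constructed syslog-style firewall line (not a real vendor format):
#   <ts> fw: ACCEPT|DROP src=<ip> dst=<ip> dport=<port> proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Parse one firewall line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_allowed(src):
    """True if src falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in ALLOWED_NETWORKS)

def find_exposed_print_jobs(lines):
    """Accepted connections to a printer port from outside the allowlist,
    returned as (src, dst, port, service) tuples."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dport"] not in PRINTER_PORTS:
            continue
        if not is_allowed(rec["src"]):
            hits.append((rec["src"], rec["dst"], rec["dport"], PRINTER_PORTS[rec["dport"]]))
    return hits

# Constructed sample lines: one internal job, two external jobs, one dropped, one HTTPS.
SAMPLE_LOG = [
    "2017-02-04T20:01:12Z fw: ACCEPT src=10.0.5.7 dst=10.0.9.20 dport=9100 proto=tcp",
    "2017-02-04T20:01:15Z fw: ACCEPT src=203.0.113.44 dst=10.0.9.20 dport=9100 proto=tcp",
    "2017-02-04T20:01:16Z fw: ACCEPT src=203.0.113.44 dst=10.0.9.21 dport=515 proto=tcp",
    "2017-02-04T20:01:18Z fw: DROP src=198.51.100.9 dst=10.0.9.21 dport=631 proto=tcp",
    "2017-02-04T20:01:20Z fw: ACCEPT src=198.51.100.9 dst=10.0.9.22 dport=443 proto=tcp",
    "not a firewall line",
]
```

Running `find_exposed_print_jobs(SAMPLE_LOG)` on the constructed lines reports only the two external connections to ports 9100 and 515; the internal job, the dropped attempt and the unrelated HTTPS connection are ignored.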
In the printouts you told people their machines were a part of a botnet, even though they actually weren't. Why that choice?
It's the first thing that came to my mind, and with growing concerns about IoT security I thought it would be appropriate.
The printouts said you "utilised BTI's (break the internet) complex infrastructure, operating on Putin's forehead?"
If you're wondering what BTI is, it was a group of a few friends of mine. Lots of forehead jokes go around, mainly involving security researchers, which inspired me about the Putin joke. It was more to stun than anything. People automatically think "lol Rusisa [sic], w0w."
Why the printers specifically? Did the Ruhr-University Bochum paper or something call it to your attention, or do you just have a general interest in Internet of Things issues?
Yeah, I do. I've looked at printers once before (like a few months ago) and poked around, then I came back to it when I saw a few articles about them. I've been trying to clean up the IoT mess since like early 2015. I've run honeypots on the scale of fingerprinting every major IoT bot.
Stuff got real interesting when [the IoT malware] Mirai came around though, and people started to really notice the problem. But people were already ahead of the game when it came to threat intelligence and the whole thing became a bit corporate as everyone was now interested in it, so I didn't bother. In terms of this type of IoT, I'm not sure if it's the type of IoT that spurts into a consumer's mind when they think of IoT. It's moreso DVRs/routers/printers in the case of the IoT security problem. I think the media blows it out of proportion a bit. People are thinking their toasters and shit are getting rooted on a daily basis.
Right, that someone's going to mess with your smart fridge and your milk will go bad.
It's got a massive potential for fucking up. Most of the devices that are used in attacks are sold by one company but manufactured by another—often by sketchy Chinese developers. No racism intended here. Their code is shocking and there are multiple backdoors in a load of internet enabled devices.
"I never meant for it to get this big, to be honest."
Tell me about the actual moment of the hack. I'm trying to picture the scene. It's Saturday and what, you're bored at the desk with a coffee and decide to pull something off?
I never meant for it to get this big, to be honest. When it came back that like 158,000 hosts were replying, I was kinda stunned. I didn't think it'd get this much attention either. Yes, it was Saturday and I was sitting, listening to Yung Lean and drinking a coffee with two sugars. I think I was working on a sandbox to brush up my Linux kernel programming skills—thought it'd be interesting as I'd mucked about with user mode stuff for a while and was getting bored of it. Or that night I was working on my LD_PRELOAD kit [a type of rootkit]. It was just a night I was bored to be honest, doing random shit.
You signed the name Michael Jensch on some of the printouts, and your Twitter account says you're a 23-year-old researcher in Germany. But you've told others you're a high school student in the UK.
Oh, that's my friend. He kinda asked me to do it. And yeah, I'm from the UK. I'm a high school student. A pissed off high school student who fucked his future in computing science.
I doubt it sincerely, since nobody knows who you are anyway.
Nah, just in real life. I did not get the grades I wanted. I guess I'll be doing more of this shit for the rest of my life.
What do you think has kept you from getting the grades you want? What would your teachers think if they knew what you got up to over the weekend?
An obsession with programming. I was doing about 14 hours a day at that time. So, yeah, pretty much fucked my grades. One problem I have is that I'm not noticed at all for my skills. Everyone I know who is this age and has the skillset I have are either blackhat or legit depressed. There's nothing for us at this age.
What would the dream job be?
I hope to work for myself one day or another and do some type of startup. Most likely a head embedded systems programmer or even a security consultant possibly would be my dream job, something security and software development related.
Do you think university's in the cards?
Nah, I didn't get the grades to do what I want. Now I'll have to do some terrible course that I don't want to do. Well, it's still uni, just far from what I want to do. I honestly wish there was something for our age with this kind of skill. There's legit nothing, dude. In France they have coding colleges and shit (such as 42.fr, Epitech, etc).
You don't have computer science programs in the UK?
No, yeah, we do, but they're terrible. For example, my class at this moment, which is "computer science"—not one of my classmates can program or has any enthusiasm toward the subject. It's basically an exercise of who can copy out of the book the fastest in their case. And all find it quite challenging. Hackathons; conferences; CTFs [Capture the Flags]; that kind of stuff, more stuff in schools—there's nothing. My skills in terms of programming really aren't noticed either, or anything else regarding computers for that matter. And yeah, I'm just way ahead of my peers when it comes to it.
I get it. In my experience the feeling you're describing isn't uncommon among hackers—it's that natural curiosity and desire to be challenged that gets you to where you are, and not everyone shares it. What about starting the sort of thing you'd be into yourself?
I don't know enough people. I don't talk about any of this stuff with my friends. Nobody is interested in it. I've had my fair deal of shit from teachers when it comes to computing, too.
Like?
Like reporting vulnerabilities responsibly then getting in a load of shit for it. It was to do with another organization though, but the school used it. And I got in LOT of shit for that. Even though I did the usual private disclosure, PoC [Proof of Concept], etc, all in private. I did the right thing but got shit on for it and they told me to "not go prodding around," even though that system had a lot of sensitive information about students and the like. That's just one of the examples, though. There's a load of shit. There's no way out of this.
And if you did have other outlets to satisfy your skill and curiosity, do you think you'd still be sending rogue print requests?
Nah, I wouldn't do it again. Or would I still do it? I don't really know. More personality based than anything. I think this will be the last time I'll do it. I want to move on from this type of stuff. It's received a lot of attention for the wrong reasons, too. To other high school hackers, I'd say surround yourself with like-minded people who share the same interests. It's the best way to grow as a person when it comes to this type of stuff as it can be so niche. Don't be arrogant about it. People hate that sort of stuff, but it's done easily enough. Don't do stupid shit, either. It never ends well. That includes exposing devices to the internet that don't need to be.