In-brief: Andrew Auernheimer, an online provocateur who uses the handle “Weev,” has taken credit for causing 30,000 Internet connected printers to spew out antisemitic statements. Many of the connected printers were on the campuses of colleges and universities.
Andrew Auernheimer, an online provocateur who uses the handle “Weev,” has taken credit for a massive hack of 30,000 Internet connected printers that saw anti semitic literature print out on college and university campuses across the U.S.
In a blog post on the site Storify, Auernheimer said that the stunt was meant to demonstrate to an audience of fellow white supremacists the possibilities created by a world of Internet connected devices, in which a single activist can command a global network of connected systems, using them to promote a message or cause a disruption.
In a conversation with Security Ledger via chat, Auernheimer confirmed the printer hack was done to spread the message of white supremacy, including anti semitic and anti immigrant warnings. He said he was trying to underscore for fellow white supremacists he associates with online how insecure the Internet of Things is and the ease with which an individual or group with basic knowledge of scripting can carry out “asymmetric” attacks with widespread consequences.
“I wanted …to show them how easy it is to make the world move with as little as a bash one-liner,” he wrote, referring to the popular Unix command language. “The key to making impact in the world is not being the smartest or knowing the most. It’s about operating asymmetrically at scale. Expend the least amount of effort for the most amount of things happening.”
To demonstrate that principle, Auernheimer took aim at Internet connected printers by manufacturers like HP, using a simple, one line script and content from the Daily Stormer web site, an online publication for the white supremacist community. Using the script, he instructed printers around the U.S. to begin spewing out copies of the anti semitic content. Reports streamed in from around the county, as students and staff reacted and university administrators issued condemnations of the attack.
In Massachusetts, printers at Northeastern University in Boston, the University of Massachusetts Amherst and Smith College in Amherst we all reported to have been affected. A source within the information technology department at a leading university said that he knew of “at least 20” major universities who were hit, in locations all over the U.S.
In an email response to a request by The Security Ledger, Casey Bayer of Northeastern University said that over 20 Northeastern printers received the anti semitic print job.
Auernheimer said he did not specifically target colleges and universities and that not all 30,000 systems he targeted were printers. He said he was not sure how many of the attacks were successful and didn’t keep metrics.
He said systems in North America and Australia were targeted, but that he is planning “localized campaigns” for China, Europe and Africa.
The attack appears to be against universities only because they were the victims who complained publicly about receiving the print outs, he said. “There’s certainly thousands of corporate printers and none of the people in the private sector seem to be having mental breakdowns and calling the police and media they seem to just chuck it in the trash and go on with their day.”
As statements of outrage from affected college and university staff, students and employees poured out on Twitter, Auernheimer, using his Twitter handle @rabite defended his actions as legally protected political speech to publicly accessible systems. “I’m not fist-swinging. I’m sending an envelope confirming to public protocol w/ political speech,” he said in a Tweet on Monday. And, later, “limitations on commercial speech don’t apply to political speech.”
In other messages, Auernheimer used virulent racist and anti semitic epithets to fire back at those who condemned his action and message. He also took jabs at politicians, like German Chancellor Angela Merkel.
Aurenheimer’s argument that he was not breaking any laws because the printers were publicly accessible is a reprise of the incident for which he is best known: a 2010 disclosure of a publicly accessible AT&T sever that exposed the e-mail addresses of iPad users to be revealed. Auernheimer was convicted for identity fraud and conspiracy to access a computer without authorization in that case and sentenced to 41 months in federal prison and ordered to pay $73,000 in restitution.
In the wake of the conviction, many legal scholars argued that federal prosecutors incorrectly applied the Computer Fraud and Abuse Act in his case – describing his actions as “hacking,” when the server and the data it contained were publicly accessible. In April, 2014, the U.S. Court of Appeals for the Third Circuit issued an opinion vacating Auernheimer’s conviction. He was released from prison on April 11, 2014 and left the U.S. in September of that year.
Auernheimer now claims to live in Abkhazia, a semi-autonomous region of Georgia that is recognized by Russia and a small number of other countries. He describes himself as a “nationalist activist.”
Printers are easy to find on the public Internet. Using search engines like Shodan.io, simple searches for devices printers using the Printer Job Language protocol and listening on port 9100 expose close to 27,708 Internet facing devices that appear to be printers in the U.S. alone, many of them connected to networks of colleges and universities.
HP LaserJet printers are among the most common devices exposed, though they are not the only vulnerable, connected printers. Auernheimer said he did not need to authenticate to the printers before sending the order to print the anti semitic flier.
The problem of exposed printers isn’t new. John Matherly, the creator of the hardware search engine Shodan.io, noted the proliferation of printers in a blog post more than two years ago. Warnings about attacks on Internet connected printers, such as this one, go back at least a decade.
However, Auernheimer’s attack may finally prompt changes. Bayer of Northeastern said that school “put a firewall in place to block further attacks” and that doing so “should substantially mitigate this kind of risk.”
David Escalante, the Chief Information Security Officer at Boston College, said his campus had isolated printers from the Internet and was not affected. But he said that Internet-exposed printers can cause “a surprising range of problems beyond unexpected print-outs from undesired parties,” especially as those devices add functionality.
“It is really important to secure “smart” or “multi-function” printers, as they can be used for a variety of purposes, including sending out faxes that appear to be from you, storing files, and caching documents scanned on the printer,” Escalante wrote in an e-mail.