3

Commonly, wireless printers in homes and corporate settings can be configured incorrectly, exposing them to the internet. This can be a major security vulnerability, and can allow anyone to not only print stuff remotely on it, but sometimes even get full access to the network it's connected to.

If somebody happens to find a vulnerable printer online, and no contact information associated with it, would it be legal to print a message on it to let the owners know that it's vulnerable, and possibly even how to fix it?

Edit:

Usually, these printers are configured not to have any sort of password, or anything really, preventing access from anyone on the internet. The printer also has to be manually set up to allow access from the internet, so could that technically be considered permission to access the device?

Blue Herring
  • 634
  • 6
  • 17

1 Answers1

5

This could be a violation of 18 USC 1030 (and a crime). A number of things go into requirements for conviction under this law. First, it has to be a computer, which is defined as

an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device

Any printer that I have encountered in the past 40 years counts as "a computer". Second,

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—...(C) information from any protected computer;

It is highly likely that the person printing has to receive some information from the printer, and respond accordingly so you have your "obtains information" element. Maybe not useful information, but information nevertheless. It also has to be a protected computer,

(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States

Well, a computer connected to the internet is a protected computer, see US v. Trotter, 478 F.3d 918. Also, the access must be "without authorization or exceeds authorized access". The law doesn't explain with "without authorization" means, but the latter is defined as

to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

If the law were stated in terms of "prohibited access", meaning "express denial of permission", and if the computer owner had set the computer to "prohibited access" by default (password protected), there would be no issue -- accessing the computer is prohibited. "Unauthorized" can also mean "has not been explicitly authorized", i.e. lacking any indication one way or the other. Every computer access is initially unauthorized, until authorization is granted; and re-trying a login after mis-typing a user name (and being denied access) is not a violation of this law.

There does not appear to be case law that addresses the status of computers just left open to the public, and whether using a computer that is so exposed constitutes "unauthorized access". Also, it is not clear that the defendant in this case has "obtained information", since with printing, information flows into the computer. There is also a clause about recklessly causing damage, but I don't see what damage would result ("damage" is defined as "any impairment to the integrity or availability of data, a program, a system, or information"), and how printing would be "reckless". It seems somewhat unlikely that this would be deemed to be a crime, though if you experiment, you could be on the cutting edge of new case law.

user6726
  • 217,973
  • 11
  • 354
  • 589