40

Recently it came to my attention that someone hacked around 50,000 printers and used them to print the message they wanted to. (link)

As someone who doesn't have a lot of knowledge about networks or hacking, what would be the steps to take to protect my printer or similar accessories from such attacks in the future?

aMJay
  • And yet another occasion to ask why so many people are deeply convinced that **every** device (including printers, cameras, refrigerators, toasters, home automation) must be connected to, and accessible via, the internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want **any** of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose. – Damon Dec 06 '18 at 14:23
  • I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs. – Tyzoid Dec 06 '18 at 16:22
  • The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place." – Mason Wheeler Dec 06 '18 at 19:46
  • @Damon, I just point people to Bruce Schneier's essay [**Click Here to Kill Everyone**](https://www.schneier.com/essays/archives/2017/01/click_here_to_kill_e.html). (He's also written a book, *Click Here to Kill Everybody,* which I imagine is an expansion on the essay.) – Wildcard Dec 07 '18 at 03:56
  • @Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer. – Acccumulation Dec 07 '18 at 22:59
  • @Tyzoid A hack is when a computer system is used in some way other than how it's "supposed" to be used. What *would* you consider a hack? Installing a trojan by getting someone to open a file wouldn't be a hack by your definition, since the computer is configured to run executables, and the file contained an executable. – Acccumulation Dec 07 '18 at 23:01
  • @Acccumulation I'd consider that *social engineering* (same reason phishing attacks aren't called hacks). Now - if the trojan was triggered via a non-executable file (word doc, excel sheet, pdf, etc.) or did anything, such as install a backdoor or trigger other actions on the network, that could be considered a hack (in my mind). As another example - if I misconfigure my wifi as "open," and my neighbor connects - has she hacked my wifi? Consequently, if they connect their smartphone and it autodiscovers my airplay device/printer/etc., have they hacked my network? Has Apple hacked my network? – Tyzoid Dec 08 '18 at 00:10
  • In other words, what @Damon said fits into the notion of the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege). – VL-80 Dec 08 '18 at 20:02
  • @Accumulation: My printer is networked and accessible to every computer on my network. Has been for years. But it's _not_ accessible or even visible from the internet. Why would that be useful? My NAS and my surveillance cameras are _also_ accessible (with password) via network. But _not_ via internet. Why would I want _anyone_ to be able to access my files or watch my house? – Damon Dec 08 '18 at 23:00
  • @Damon Whether your printer is accessible via the internet is probably debatable (if your computer is accessible via the internet, and your printer is accessible to your computer, then it is possible to access your printer via the internet). But my point is not that making your devices visible to the internet is useful, it's that making sure it's not takes more effort. – Acccumulation Dec 09 '18 at 18:28

4 Answers

50

Don't leave your printer exposing port 9100 to the internet.

This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.

The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to the way RAW printing over port 9100 works, all that is required after this is to connect to the printer on TCP port 9100 and send the text you want the printer to print.

Preventing this attack

All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:

  • Use a VPN to connect to the network, making the printer accessible as if it's in your local network
  • Use a different printing protocol
    • IPP. This is designed to be used over the internet and has built in support for authentication.
    • Google Cloud Print
Joe
  • If we *did not* receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities? – BruceWayne Dec 06 '18 at 15:59
  • No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got. – ThoriumBR Dec 06 '18 at 16:39
  • Just to make sure I'm understanding correctly, this attack vector *only* works on port 9100? Or is this just the only port people usually bother to check? – Lord Farquaad Dec 06 '18 at 22:05
  • This particular attack abuses RAW printing, which by default uses port 9100; however, it could potentially use any specified port. – Joe Dec 06 '18 at 22:13
  • @Joe The printer listens on only 3-4 ports out of 65536, so just **any** port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else. – cybernard Dec 06 '18 at 23:15
  • How do you close port 9100 externally? – papakias Dec 07 '18 at 13:33
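An added example (my own code, not Joe's answer and not any printer vendor's software) showing how little the port-9100 attack requires, plus a connect probe that answers the question in the comments about confirming the port is closed from outside. It assumes a loopback stand-in for the printer (`FakeRawPrinter`, constructed here so the script runs offline and unprivileged) and the usual printer port numbers; nothing in it contacts a real device.

```python
# Added example (not from the original answer): a loopback stand-in for a
# printer's raw listener, the few lines needed to "print" to it, and a connect
# probe for auditing your own exposure. Nothing here talks to a real printer.
import queue
import socket
import threading

# Ports commonly used by network printers; the descriptions are this example's
# own summary of each protocol (assumption), not something stated on the page.
PRINTER_PORTS = {
    9100: "raw/JetDirect: unauthenticated, bytes received are printed as-is",
    631: "IPP: supports authentication but should still not face the internet",
    515: "LPD: legacy, unauthenticated",
}


def send_raw_job(host, port, text, timeout=3.0):
    """The whole 'attack' from the answer: open a TCP connection to the raw
    port and write text. A printer on 9100 prints whatever bytes arrive;
    a trailing form feed (0x0C) ejects the page. Returns bytes written."""
    data = text.encode("ascii") + b"\x0c"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
    return len(data)


def probe_port(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds, False on refusal/timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_printer_exposure(host, ports=PRINTER_PORTS, timeout=2.0):
    """Map each printer port to whether it is reachable from where this runs.
    Run it from *outside* your network (a phone on mobile data, a VPS)
    against your public IP: every value should be False."""
    return {port: probe_port(host, port, timeout) for port in ports}


class FakeRawPrinter:
    """Constructed stand-in for a printer's port-9100 listener, bound to an
    ephemeral loopback port so the example needs no privileges. It records
    each job's bytes, which is exactly what a real printer would put on paper."""

    def __init__(self):
        self.jobs = queue.Queue()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                chunks = []
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:  # client closed: job complete
                        break
                    chunks.append(chunk)
            self.jobs.put(b"".join(chunks))

    def wait_for_job(self, timeout=5.0):
        """Block until a job arrives (raises queue.Empty on timeout)."""
        return self.jobs.get(timeout=timeout)

    def close(self):
        self._srv.close()


if __name__ == "__main__":
    printer = FakeRawPrinter()
    print(f"fake printer listening on 127.0.0.1:{printer.port}")
    send_raw_job("127.0.0.1", printer.port, "Hello from the internet\n")
    print("printer received:", printer.wait_for_job())
    print("exposure:", audit_printer_exposure("127.0.0.1", {printer.port: "raw"}))
    printer.close()
```

Closing the port is done on the router or firewall, not on the printer itself: remove any port forward to the printer (9100, and also 631/515 if present), turn off UPnP so the printer cannot request one, and if the printer has a public address, deny inbound traffic to it. Then run `audit_printer_exposure` against your public IP from a connection outside your network; a `True` for any port means the job is not finished.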
9

The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router, you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have publicly routable IP addresses, make sure that a firewall is blocking access from outside.

For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption or access control. In this case anybody near the printer (i.e. somebody in the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you do.

Apart from that, the firmware in some printers can be replaced by sending a special document to them. The hacked firmware can then, for example, allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP's enterprise printers. To protect against these kinds of attacks, make sure that the firmware is up to date, that security features which protect against replacing the firmware this way are enabled (if such settings exist), and that the printer can only talk with selected protocols to the rest of the network, using a firewall in front of the printer, or at least configure your perimeter firewall so that the printer cannot connect to the internet.

Steffen Ullrich
  • "don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway. – Jon Bentley Dec 06 '18 at 13:07
  • @JonBentley: I disagree. *"not possible"* explicitly relates to the default behavior of a router, and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar *"don't have to worry about this specific attack"* is still true - one should instead worry about more critical attacks. Defense in depth is important, but it is also important to care first about the important attacks and, if there is money and time left, about the remaining risks. – Steffen Ullrich Dec 06 '18 at 13:15
  • If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers *is* compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority". – Jon Bentley Dec 06 '18 at 13:21
  • @JonBentley: *"...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..."* - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default. – Steffen Ullrich Dec 06 '18 at 13:31
  • @steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are *not possible* given the *default behaviour* of those protocols / applications. The point is that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security. – Jon Bentley Dec 06 '18 at 13:46
  • @JonBentley: it's not the same logic. The main problems with mail and web today are not at the protocol level. They are more at the user level, i.e. the user gets tricked into doing things which are harmful (executing alleged software updates, providing credentials to look-alike sites, explicitly enabling macros when opening a document...). As I said: a proper NAT router reliably protects a printer in the local network against direct access from outside this network. And a broken router causes significantly more critical problems than only access to the internal printer. – Steffen Ullrich Dec 06 '18 at 14:55
  • "I didn't hack your printer; I hacked _you!_" – Michael Dec 06 '18 at 15:56
  • Your first paragraph may allow for more security confidence than perhaps it should. A lot of webcams got 'hacked' because they asked the (upnp enabled) router to open a port and forward it to them (apparently without the owner being properly aware of the consequences). I'm sure there must be at least a few printers that do the same thing. Thus, the end user may not have knowingly 'opened the port', but the technology did it for them. My advice: don't ever allow upnp on your router. But then I'm technologically aware, which of course many people are not. – Ralph Bolton Dec 08 '18 at 10:05
5

That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.

One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.

John Deters
1

I've seen many home printers, for example Epson, not implementing any security features.

The easiest way to protect them is to connect them to a computer via USB or a dedicated network/VLAN. Then share them through that server using cups/samba/printer sharing.

Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from the internal network is also important if your internal network is big, i.e. anything bigger than a home network that only you and your family connect to.

akostadinov