How to protect printers from being hacked

36 votes, favorited 7 times

Recently it came to my attention that someone has hacked around 50.000 printers and used them to print the message they wanted to. (link)

As someone who doesn't have a lot of knowledge about networks or hacking, what would be the steps to take to protect my printer or similar accessories from such attacks?

– aMJay
asked yesterday

  • (+35) And yet another occasion to ask why so many people are deeply convinced that every device (including printers, cameras, refrigerators, toasters, home automation) must be connected to, and accessible via internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want any of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose.
    – Damon
    yesterday

  • (+41) I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs.
    – Tyzoid
    yesterday

  • (+5) The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place."
    – Mason Wheeler
    yesterday

  • @Damon, I just point people to Bruce Schneier's essay Click Here to Kill Everyone. (He's also written a book, Click Here to Kill Everybody, which I imagine is an expansion on the essay.)
    – Wildcard
    yesterday

  • @Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
    – Acccumulation
    5 hours ago


4 Answers

44 votes, accepted

Don't leave your printer exposing port 9100 to the internet.

This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.

The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to the way RAW printing over port 9100 works, all that is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.

Preventing this attack

All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:

  • Use a VPN to connect to the network, making the printer accessible as if it's in your local network
  • Use a different printing protocol
    • IPP. This is designed to be used over the internet and has built-in support for authentication.
    • Google Cloud Print

– Joe
answered yesterday

  • If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look into the port and other vulnerabilities?
    – BruceWayne
    yesterday

  • (+8) No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
    – ThoriumBR
    yesterday

  • Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
    – Lord Farquaad
    yesterday

  • This particular attack abuses RAW printing, which by default uses port 9100; however, it could potentially use any specified port.
    – Joe
    yesterday

  • @Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
    – cybernard
    yesterday

7 votes

The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router, you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default, direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have publicly routable IP addresses, make sure that a firewall is blocking access from outside.

For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody near the printer (i.e. somebody at the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.

Apart from that, the firmware in some printers can be replaced by sending a special document to them. The hacked firmware can then, for example, allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kinds of attacks, make sure that the firmware is up-to-date, that security features are enabled which protect against replacing the firmware this way (if such settings exist), that the printer can only talk with selected protocols to the rest of the network using a firewall in front of the printer, or at least configure your perimeter firewall so that the printer cannot connect to the internet.

  • (+2) "don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
    – Jon Bentley
    yesterday

  • @JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
    – Steffen Ullrich
    yesterday

  • (+1) If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
    – Jon Bentley
    yesterday

  • @JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this, preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
    – Steffen Ullrich
    yesterday

  • (+1) @steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
    – Jon Bentley
    yesterday

5 votes

That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.



One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
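
An added example, not part of the original answers: a Python audit of a router's NAT table for port forwards that expose printer services, covering both a manual forward of port 9100 (accepted answer) and forwards opened through UPnP (the answer above). It assumes a Linux-based router whose `iptables-save -t nat` output you can read and that UPnP mappings sit in miniupnpd's `MINIUPNPD` chain; the sample rules, addresses and the `printer_ips` parameter are constructed for illustration.

```python
import ipaddress
import shlex

# Printer-facing TCP services: RAW/JetDirect (the port named in the accepted
# answer), LPD and IPP.
PRINTER_PORTS = {9100: "RAW/JetDirect", 515: "LPD", 631: "IPP"}

# Constructed sample of `iptables-save -t nat` output for a hypothetical home
# router (WAN interface eth0, printer at 192.168.1.50). Not from a real device.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:MINIUPNPD - [0:0]
-A PREROUTING -i eth0 -j MINIUPNPD
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9100 -j DNAT --to-destination 192.168.1.50:9100
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -s 203.0.113.7/32 -i eth0 -p tcp -m tcp --dport 6310 -j DNAT --to-destination 192.168.1.50:631
-A MINIUPNPD -p tcp -m tcp --dport 51515 -j DNAT --to-destination 192.168.1.50:515
-A MINIUPNPD -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.20:3074
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# iptables options this audit reads, mapped to the field names used below.
FLAGS = {"-p": "proto", "-s": "source", "-j": "target",
         "--dport": "dport", "--to-destination": "to"}


def _port_range(spec, sep):
    """Expand '9100' or '9100<sep>9102' into a range of port numbers."""
    lo, _, hi = spec.partition(sep)
    return range(int(lo), int(hi or lo) + 1)


def _parse_rule(line):
    """Pull the chain name and the options in FLAGS out of one '-A' rule."""
    tokens = shlex.split(line)  # shlex keeps quoted --comment text together
    rule = {"chain": tokens[1], "negated": "!" in tokens}
    for flag, value in zip(tokens, tokens[1:]):
        if flag in FLAGS:
            rule[FLAGS[flag]] = value
    return rule


def audit_nat_rules(rules_text, printer_ips=()):
    """Return IPv4 DNAT forwards that reach a printer port or a known printer."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue
        rule = _parse_rule(line)
        if rule.get("target") != "DNAT" or "to" not in rule:
            continue
        if rule.get("proto", "tcp") not in ("tcp", "all"):
            continue  # the printing services above are TCP
        host, _, port_spec = rule["to"].partition(":")
        if port_spec:                      # explicit internal port or a-b range
            inner = _port_range(port_spec, "-")
        elif "dport" in rule:              # same port inside as outside
            inner = _port_range(rule["dport"], ":")
        else:                              # DMZ-style rule: every port forwarded
            inner = range(1, 65536)
        services = [PRINTER_PORTS[p] for p in sorted(PRINTER_PORTS) if p in inner]
        if not services and host not in printer_ips:
            continue
        source = rule.get("source", "0.0.0.0/0")
        if rule["negated"]:
            exposure = "negated match, review by hand"
        elif ipaddress.ip_network(source, strict=False).prefixlen == 0:
            exposure = "any internet host"
        else:
            exposure = "only " + source
        findings.append({
            "external": rule.get("dport", "all"),
            "internal": rule["to"],
            "services": services,
            "exposure": exposure,
            "via_upnp": rule["chain"] == "MINIUPNPD",
        })
    return findings


if __name__ == "__main__":
    for f in audit_nat_rules(SAMPLE_RULES, printer_ips=("192.168.1.50",)):
        origin = "UPnP mapping" if f["via_upnp"] else "static forward"
        names = ", ".join(f["services"]) or "other printer service"
        print(f"{origin}: WAN port {f['external']} -> {f['internal']} "
              f"({names}), reachable from {f['exposure']}")
```

An empty result only says that no IPv4 NAT forward leads to the printer; a printer with a publicly routable address still needs the firewall check described in the second answer.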






0 votes

I've seen many home printers, for example Epson, not implementing any security features.

The easiest way to protect them is to connect them to a computer via USB or a dedicated network/VLAN. Then share them through that server using cups/samba/printer sharing.

Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from the internal network is also important if your internal network is big, i.e. anything bigger than a home network where you and your family exclusively connect to.






    share|improve this answer





















      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });






      aMJay is a new contributor. Be nice, and check out our Code of Conduct.










      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199226%2fhow-to-protect-printers-from-being-hacked%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      44
      down vote



      accepted










      Don't leave your printer exposing port 9100 to the internet.



      This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.



      The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.



      Preventing this attack



      All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:




      • Use a VPN to connect to the network, making the printer accessible as if it's in your local network

      • Use a different printing protocol



        • IPP. This is designed to be used over the internet and has built in support for authentication.

        • Google Cloud Print








      share|improve this answer























      • If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
        – BruceWayne
        yesterday






      • 8




        No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
        – ThoriumBR
        yesterday










      • Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
        – Lord Farquaad
        yesterday












      • This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
        – Joe
        yesterday










      • @Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
        – cybernard
        yesterday

















      up vote
      44
      down vote



      accepted










      Don't leave your printer exposing port 9100 to the internet.



      This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.



      The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.



      Preventing this attack



      All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:




      • Use a VPN to connect to the network, making the printer accessible as if it's in your local network

      • Use a different printing protocol



        • IPP. This is designed to be used over the internet and has built in support for authentication.

        • Google Cloud Print








      share|improve this answer























      • If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
        – BruceWayne
        yesterday






      • 8




        No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
        – ThoriumBR
        yesterday










      • Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
        – Lord Farquaad
        yesterday












      • This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
        – Joe
        yesterday










      • @Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
        – cybernard
        yesterday















      up vote
      44
      down vote



      accepted







      up vote
      44
      down vote



      accepted






      Don't leave your printer exposing port 9100 to the internet.



      This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.



      The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.



      Preventing this attack



      All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:




      • Use a VPN to connect to the network, making the printer accessible as if it's in your local network

      • Use a different printing protocol



        • IPP. This is designed to be used over the internet and has built in support for authentication.

        • Google Cloud Print








      share|improve this answer














      Don't leave your printer exposing port 9100 to the internet.



      This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.



      The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.



      Preventing this attack



      All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:




      • Use a VPN to connect to the network, making the printer accessible as if it's in your local network

      • Use a different printing protocol



        • IPP. This is designed to be used over the internet and has built in support for authentication.

        • Google Cloud Print









      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited yesterday

























      answered yesterday









      Joe

      2,3552819




      2,3552819












      • If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
        – BruceWayne
        yesterday






      • 8




        No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
        – ThoriumBR
        yesterday










      • Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
        – Lord Farquaad
        yesterday












      • This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
        – Joe
        yesterday










      • @Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
        – cybernard
        yesterday


































      up vote
      7
      down vote













      The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router, you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default, direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have publicly routable IP addresses, make sure that a firewall is blocking access from outside.



      For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody near the printer (i.e. somebody in the next apartment, on the street...) could send jobs to this printer. See for example "Guy pulls off genius prank on his neighbour using their unprotected WiFi printer". Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.



      Apart from that, the firmware in some printers can be replaced by sending a special document to them. The hacked firmware can then, for example, allow an external hacker to attack the internal network. See also "Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers". To protect against these kinds of attacks, make sure that the firmware is up-to-date, that security features which protect against replacing the firmware this way are enabled (if such settings exist), and that the printer can only talk with selected protocols to the rest of the network, using a firewall in front of the printer; or at least configure your perimeter firewall so that the printer cannot connect to the internet.














      edited yesterday

























      answered yesterday









      Steffen Ullrich









      • 2




        "don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
        – Jon Bentley
        yesterday










      • @JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router, and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important, but it is also important to care first about the important attacks and, if there is money and time left, about the remaining risks.
        – Steffen Ullrich
        yesterday








      • 1




        If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
        – Jon Bentley
        yesterday










      • @JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this, preventing direct access to the printer from outside would actually be handled well with a simple NAT router, since NAT by design prevents access initiated from the external network to the internal one by default.
        – Steffen Ullrich
        yesterday








      • 1




        @steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
        – Jon Bentley
        yesterday




























      up vote
      5
      down vote













      That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.



      One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
















          answered yesterday









          John Deters
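
Before or after disabling UPnP, it is worth reviewing which port mappings already exist on the router. The following is an added example, not part of the answer above: it audits a list of port mappings and flags any that lead to a printing service, judged by the internal port so that a mapping from a non-default external port is still caught. The input format, the sample data and all names are constructed for the example.

```python
import re
from collections import namedtuple

# Default TCP ports of network printing services. 9100 (RAW) is the port
# discussed on this page; 515 (LPD) and 631 (IPP) are added by this example.
PRINT_PORTS = {9100: "RAW/JetDirect", 515: "LPD", 631: "IPP"}

Mapping = namedtuple("Mapping", "proto ext_port int_addr int_port origin desc")

# Constructed sample, in a format invented for this example:
#   PROTO EXT_PORT -> INT_ADDR:INT_PORT ORIGIN "description"
# ORIGIN is "upnp" when a device requested the mapping itself and
# "manual" when someone typed it into the router.
SAMPLE = '''\
TCP 51413 -> 192.168.1.20:51413 upnp "BitTorrent client"
TCP 9100 -> 192.168.1.50:9100 upnp "printer"
TCP 8631 -> 192.168.1.50:631 manual "remote printing"
TCP 8443 -> 192.168.1.60:443 upnp "IP camera"
UDP 3074 -> 192.168.1.30:3074 upnp "game console"
TCP 8080 -> 192.168.1.50:80 manual "printer admin page"
'''

_LINE = re.compile(
    r'^(TCP|UDP)\s+(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)'
    r'\s+(upnp|manual)\s+"([^"]*)"\s*$'
)


def parse_mappings(text):
    """Parse the mapping table; reject lines that do not fit the format."""
    mappings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError(f"line {number}: unrecognised mapping: {raw!r}")
        proto, ext, addr, port, origin, desc = match.groups()
        mappings.append(Mapping(proto, int(ext), addr, int(port), origin, desc))
    return mappings


def audit(mappings, printer_addrs=()):
    """Return (severity, mapping, reason) for every mapping worth a look.

    HIGH   - the mapping ends at a printing port, whatever external port
             it uses, or at any port of a host listed in printer_addrs
    REVIEW - some other device opened the mapping itself through UPnP
    """
    printers = set(printer_addrs)
    findings = []
    for m in mappings:
        if m.proto == "TCP" and m.int_port in PRINT_PORTS:
            reason = (f"{PRINT_PORTS[m.int_port]} printing on {m.int_addr} "
                      f"is reachable from the internet on port {m.ext_port}")
            findings.append(("HIGH", m, reason))
        elif m.int_addr in printers:
            reason = (f"port {m.int_port} of printer {m.int_addr} "
                      f"is reachable from the internet on port {m.ext_port}")
            findings.append(("HIGH", m, reason))
        elif m.origin == "upnp":
            reason = f"{m.int_addr} opened port {m.ext_port} itself via UPnP"
            findings.append(("REVIEW", m, reason))
    return findings


if __name__ == "__main__":
    for severity, mapping, reason in audit(parse_mappings(SAMPLE),
                                           printer_addrs=["192.168.1.50"]):
        print(f"{severity:<6} {reason} ({mapping.desc})")
```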























              up vote
              0
              down vote













              I've seen many home printers, for example Epson, not implementing any security features.



              The easiest way to protect them is to connect them to a computer via USB or a dedicated network/VLAN, then share them through that server using CUPS/Samba/printer sharing.



              Other answers about NAT and not exposing ports to the internet are reasonable. But protecting it from the internal network is also important if your internal network is big, i.e. anything bigger than a home network that only you and your family connect to.






                  answered 20 hours ago









                  akostadinov

                  25117



