How to protect printers from being hacked

Recently it came to my attention that someone has hacked around 50.000 printers and used them to print the message they wanted to. (link)
As someone who doesn't have a lot of knowledge about networks or hacking, what would be the steps to take to protect my printer or similar accessories from such attacks?
protection printers
asked yesterday
aMJay
And yet another occasion to ask why so many people are deeply convinced that every device (including printers, cameras, refrigerators, toasters, home automation) must be connected to, and accessible via internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want any of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose.
– Damon
yesterday
I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs.
– Tyzoid
yesterday
The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place."
– Mason Wheeler
yesterday
@Damon, I just point people to Bruce Schneier's essay Click Here to Kill Everyone. (He's also written a book, Click Here to Kill Everybody, which I imagine is an expansion on the essay.)
– Wildcard
yesterday
@Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
– Acccumulation
5 hours ago
4 Answers
accepted
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to the way RAW printing over port 9100 works, all that is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
  - IPP. This is designed to be used over the internet and has built-in support for authentication.
  - Google Cloud Print
edited yesterday
answered yesterday
Joe
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look into the port and other vulnerabilities?
– BruceWayne
yesterday
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
yesterday
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
yesterday
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
yesterday
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
yesterday
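Added example, not code from the accepted answer or its author: a small Python script that does the two things the answer talks about. `exposed_print_services` is the check a practitioner would run against their own public IP from outside the network (a phone on mobile data, a VPS) to see whether 9100, 515 or 631 answer; `send_raw_job` shows why an open 9100 is enough, because raw printing is nothing more than a TCP connection and a write, with no login or job ticket. The `FakeRawPrinter` listener on loopback and the job text are constructed stand-ins so the script runs offline; the `demo()` function ties the pieces together.

```python
import socket
import threading
import time

# Ports a network printer typically listens on. 9100 (raw/JetDirect) is the one
# the attack above used; 515 (LPD) and 631 (IPP) are the usual others.
PRINTER_PORTS = {9100: "raw (JetDirect/AppSocket)", 515: "LPD", 631: "IPP"}


def port_accepts_connections(host, port, timeout=1.0):
    """Plain TCP connect probe: True if something on host:port completes the handshake."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable, ...
            return False


def exposed_print_services(host, ports=PRINTER_PORTS, timeout=1.0):
    """Map port -> service name for every printer port reachable on host.

    Run it against your own public address from outside your network to see
    what Shodan sees; an empty result is what you want.
    """
    return {p: name for p, name in ports.items()
            if port_accepts_connections(host, p, timeout)}


def send_raw_job(host, port, text, timeout=2.0):
    """What the attack did: open a TCP connection and write bytes.

    Raw printing has no login, handshake or job ticket; whatever arrives is
    handed to the print engine. A trailing form feed (0x0C) ejects the page.
    Returns the number of bytes written.
    """
    payload = text.encode("ascii", "replace") + b"\x0c"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


class FakeRawPrinter:
    """Constructed stand-in for a port-9100 listener: it just records each job."""

    def __init__(self, host="127.0.0.1"):
        self.jobs = []
        self._stop = False
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind((host, 0))          # port 0: the OS picks a free port
        self._srv.listen(5)
        self._srv.settimeout(0.1)          # lets the accept loop notice _stop
        self.host, self.port = self._srv.getsockname()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop:
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            with conn:                     # accepted sockets are blocking
                data = b"".join(iter(lambda: conn.recv(4096), b""))
            if data:                       # a bare connect probe sends nothing
                self.jobs.append(data)

    def close(self):
        self._stop = True
        self._thread.join(timeout=2)
        self._srv.close()


def demo():
    """Exposure check -> unauthenticated job -> check again once the listener is gone."""
    printer = FakeRawPrinter()
    ports = {printer.port: PRINTER_PORTS[9100]}
    try:
        before = sorted(exposed_print_services(printer.host, ports).values())
        sent = send_raw_job(printer.host, printer.port, "Hello from the internet")
        for _ in range(50):                # give the listener thread time to record it
            if printer.jobs:
                break
            time.sleep(0.05)
        jobs = list(printer.jobs)
    finally:
        printer.close()
    after = sorted(exposed_print_services(printer.host, ports).values())
    return {"exposed_before": before, "bytes_sent": sent, "jobs": jobs, "exposed_after": after}


if __name__ == "__main__":
    print(demo())
```

The "after" half of `demo()` is the point of the answer: once nothing listens on the port from the outside (NAT with no forwarding rule, or a firewall rule), the same probe returns nothing and the job cannot be delivered. Note that a connect probe only tells you a port is reachable, not which device answers; a hosted service such as a VPS is the right vantage point, since probing your public IP from inside the LAN usually hits the router, not the printer.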
The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router, you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet: by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have publicly routable IP addresses, make sure that a firewall is blocking access from outside.
For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state, where the printer creates its own access point without encryption and access control. In this case anybody near the printer (i.e. somebody in the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you do.
Apart from that, the firmware in some printers can be replaced by sending a special document to them. The hacked firmware can then, for example, allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kinds of attacks, make sure that the firmware is up to date, that security features which protect against replacing the firmware this way are enabled (if such settings exist), and that the printer can only talk to the rest of the network using selected protocols, with a firewall in front of the printer, or at least configure your perimeter firewall so that the printer cannot connect to the internet.
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
yesterday
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
– Steffen Ullrich
yesterday
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
yesterday
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
yesterday
@Steffen By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
yesterday
That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.
One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
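Added example, not part of the answer above: besides flipping the UPnP switch off, you can ask the router what UPnP has already opened. An Internet Gateway Device exposes a WANIPConnection service whose GetGenericPortMappingEntry action returns the mapping table one index at a time, and answers an index past the end with UPnP error 713 (SpecifiedArrayIndexInvalid). The Python below builds that SOAP call, walks the table, and flags any mapping that forwards a printer port inward. The control URL and service type passed to `soap_poster` are assumptions you obtain from your own router's device description (found via SSDP discovery); they are not values from the page. `CONSTRUCTED_TABLE`, `FAULT_713` and `fake_router_post` are a constructed router so the code runs offline.

```python
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
PRINTER_PORTS = {9100: "raw (JetDirect/AppSocket)", 515: "LPD", 631: "IPP"}


def build_get_mapping_request(index, service_type=WANIP):
    """SOAP body for the IGD action GetGenericPortMappingEntry at table index `index`."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{service_type}">'
        f'<NewPortMappingIndex>{int(index)}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    )


def parse_mapping_response(xml_text):
    """Return {field: value} for one mapping, or None on a SOAP fault (end of table)."""
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]   # drop any namespace prefix
        if tag.startswith("New"):         # NewExternalPort, NewInternalClient, ...
            fields[tag[3:]] = (el.text or "").strip()
    return fields


def soap_poster(control_url, service_type=WANIP, action="GetGenericPortMappingEntry"):
    """post(body) -> response text against a real router's control URL (assumed input).

    UPnP faults come back as HTTP 500 with a SOAP body, so the error body is returned too.
    """
    def post(body):
        req = urllib.request.Request(
            control_url, data=body.encode("utf-8"), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{service_type}#{action}"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.read().decode("utf-8", "replace")
    return post


def list_port_mappings(post, service_type=WANIP, limit=1000):
    """Walk the router's mapping table index by index until it faults."""
    mappings = []
    for index in range(limit):
        entry = parse_mapping_response(post(build_get_mapping_request(index, service_type)))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def risky_mappings(mappings, ports=PRINTER_PORTS):
    """Enabled mappings that forward a printer port to an internal host."""
    return [m for m in mappings
            if m.get("Enabled", "1") == "1" and int(m["InternalPort"]) in ports]


# ---- constructed router so the code above runs offline (not real captures) ----
CONSTRUCTED_TABLE = [
    {"RemoteHost": "", "ExternalPort": "9100", "Protocol": "TCP", "InternalPort": "9100",
     "InternalClient": "192.168.1.50", "Enabled": "1",
     "PortMappingDescription": "printer", "LeaseDuration": "0"},
    {"RemoteHost": "", "ExternalPort": "51413", "Protocol": "TCP", "InternalPort": "51413",
     "InternalClient": "192.168.1.20", "Enabled": "1",
     "PortMappingDescription": "torrent client", "LeaseDuration": "0"},
]
FAULT_713 = (
    f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
    '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
    '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
    '</detail></s:Fault></s:Body></s:Envelope>'
)


def fake_router_post(body):
    """Stand-in for soap_poster(...) against a router holding CONSTRUCTED_TABLE."""
    index = int(re.search(r"<NewPortMappingIndex>(\d+)</NewPortMappingIndex>", body).group(1))
    if index >= len(CONSTRUCTED_TABLE):
        return FAULT_713
    fields = "".join(f"<New{k}>{v}</New{k}>" for k, v in CONSTRUCTED_TABLE[index].items())
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">{fields}'
            '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


if __name__ == "__main__":
    for m in risky_mappings(list_port_mappings(fake_router_post)):
        print(f"internet:{m['ExternalPort']}/{m['Protocol']} -> "
              f"{m['InternalClient']}:{m['InternalPort']} ({m['PortMappingDescription']})")
```

Against a real router you would call `list_port_mappings(soap_poster(control_url))`, with `control_url` taken from the router's device description. Any entry the script flags is a hole a device opened for itself; deleting it is only a stopgap, because a device with UPnP available will simply request it again, which is why the answer's advice is to disable UPnP on the router.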
I've seen many home printers, for example Epson, not implementing any security features.
The easiest way to protect them is to connect to a computer via USB or dedicated network/VLAN. Then share them through that server using cups/samba/printer sharing.
Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from the internal network is also important if your internal network is big, i.e. anything bigger than a home network where you and your family exclusively connect to.
add a comment |
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
44
down vote
accepted
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
IPP. This is designed to be used over the internet and has built in support for authentication.- Google Cloud Print
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
yesterday
8
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
yesterday
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
yesterday
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
yesterday
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
yesterday
|
show 1 more comment
up vote
44
down vote
accepted
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
IPP. This is designed to be used over the internet and has built in support for authentication.- Google Cloud Print
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
yesterday
8
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
yesterday
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
yesterday
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
yesterday
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
yesterday
|
show 1 more comment
up vote
44
down vote
accepted
up vote
44
down vote
accepted
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
IPP. This is designed to be used over the internet and has built in support for authentication.- Google Cloud Print
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
IPP. This is designed to be used over the internet and has built in support for authentication.- Google Cloud Print
edited yesterday
answered yesterday
Joe
2,3552819
2,3552819
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
yesterday
8
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
yesterday
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
yesterday
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
yesterday
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
yesterday
|
show 1 more comment
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
yesterday
8
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
yesterday
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
yesterday
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
yesterday
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
yesterday
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
yesterday
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
yesterday
8
8
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
yesterday
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
yesterday
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
yesterday
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
yesterday
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
yesterday
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
yesterday
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
yesterday
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
yesterday
|
show 1 more comment
up vote
7
down vote
The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have public routable IP addresses make sure that a firewall is blocking access from outside.
For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody nearby the printer (i.e. somebody at the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.
Apart from that the firmware in some printers can be replaced by sending a special document to these. The hacked firmware then can for example allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kind of attacks make sure that the firmware is up-to-date, that security features are enabled which protect replacing the firmware this way (if such settings exist), that the printer can only talk with selected protocols to the rest of the network using a firewall in front of printer or at least configure your perimeter firewall so that the printer can not connect to the internet.
2
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
yesterday
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
– Steffen Ullrich
yesterday
1
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
yesterday
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
yesterday
1
@steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
yesterday
|
show 2 more comments
up vote
7
down vote
The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router, you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have publicly routable IP addresses, make sure that a firewall is blocking access from outside.
For home users it is more likely that they install a WiFi-capable printer and keep the WiFi settings in the often insecure default state, where the printer creates its own access point without encryption and access control. In this case anybody near the printer (i.e. somebody in the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you do.
Apart from that, the firmware in some printers can be replaced by sending a special document to them. The hacked firmware can then, for example, allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kinds of attacks, make sure that the firmware is up-to-date, that security features which protect against replacing the firmware this way are enabled (if such settings exist), and that the printer can only talk to the rest of the network using selected protocols, by placing a firewall in front of the printer or at least configuring your perimeter firewall so that the printer cannot connect to the internet.
edited yesterday
answered yesterday
Steffen Ullrich
112k13195258
2
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense-in-depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
yesterday
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router, and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important, but it is also important to care first about the important attacks and, if there is money and time left, about the remaining risks.
– Steffen Ullrich
yesterday
1
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
yesterday
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this, preventing direct access to the printer from outside would actually be handled well with a simple NAT router, since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
yesterday
1
@Steffen By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
yesterday
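The answer above ends with a network policy: the printer may only be reached from the LAN over selected printing protocols, and must never open connections towards the internet itself. As an added example (my own code, not part of the answer or of any product), the following Python audit applies exactly that policy to netfilter-style firewall log lines, so a home or office admin can verify from the router's logs that the rules hold. The LAN prefix, the printer address, the allowed ports and the log lines are all constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed addressing for this example (assumption, not from the answer):
# a /24 home LAN with the printer on a fixed address.
LAN = ipaddress.ip_network("192.168.1.0/24")
PRINTER = ipaddress.ip_address("192.168.1.50")

# The only printing protocols LAN hosts may use towards the printer:
# raw/JetDirect (9100), IPP (631) and LPD (515). Anything else towards the
# printer, and anything the printer itself starts towards the internet, is flagged.
ALLOWED_PRINTER_PORTS = {9100, 631, 515}

# key=value pairs as written by the netfilter LOG target (SRC=... DST=... DPT=...).
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Extract addresses, protocol and destination port from one log line."""
    fields = dict(FIELD_RE.findall(line))
    return Flow(
        src=ipaddress.ip_address(fields["SRC"]),
        dst=ipaddress.ip_address(fields["DST"]),
        proto=fields.get("PROTO", "?"),
        dport=int(fields.get("DPT", 0)),
    )


def classify(flow: Flow) -> str:
    """Return 'allow', 'ignore' (printer not involved) or 'deny: <reason>'."""
    if flow.dst == PRINTER:
        if flow.src not in LAN:
            return "deny: inbound from outside the LAN to the printer"
        if flow.dport not in ALLOWED_PRINTER_PORTS:
            return "deny: LAN host using a non-printing port on the printer"
        return "allow"
    if flow.src == PRINTER:
        if flow.dst not in LAN:
            return "deny: printer initiating a connection to the internet"
        return "allow"
    return "ignore"


def audit(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line index, verdict) for every line that violates the policy."""
    violations = []
    for index, line in enumerate(lines):
        verdict = classify(parse_flow(line))
        if verdict.startswith("deny"):
            violations.append((index, verdict))
    return violations


# Constructed log lines in netfilter LOG format; not captured from a real device.
SAMPLE_LOG = [
    "IN=wan0 OUT=lan0 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP SPT=51234 DPT=9100",  # internet -> printer
    "IN=lan0 OUT=lan0 SRC=192.168.1.20 DST=192.168.1.50 PROTO=TCP SPT=40000 DPT=631",  # laptop -> printer IPP
    "IN=lan0 OUT=lan0 SRC=192.168.1.20 DST=192.168.1.50 PROTO=TCP SPT=40001 DPT=23",   # laptop -> printer telnet
    "IN=lan0 OUT=wan0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=TCP SPT=33000 DPT=443",  # printer -> internet
    "IN=lan0 OUT=lan0 SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP SPT=631 DPT=40000",  # printer -> laptop
    "IN=lan0 OUT=wan0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=33001 DPT=443",  # laptop browsing
]

if __name__ == "__main__":
    for index, verdict in audit(SAMPLE_LOG):
        print(f"line {index}: {verdict}")
```

The first sample line is what the NAT/firewall in the answer is supposed to make impossible; seeing it in a log means a port forward or a misconfiguration exists. The fourth line is the case the last paragraph of the answer addresses: a printer that starts talking to the internet on its own, which is also the symptom a replaced firmware would produce.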
up vote
5
down vote
That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.
One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
answered yesterday
John Deters
26.1k24087
up vote
0
down vote
I've seen many home printers, for example Epson, not implementing any security features.
The easiest way to protect them is to connect them to a computer via USB or a dedicated network/VLAN, and then share them through that server using CUPS/Samba/printer sharing.
Other answers about NAT and not exposing ports to the internet are reasonable. But protecting the printer from the internal network is also important if your internal network is big, i.e. anything bigger than a home network to which only you and your family connect.
answered 20 hours ago
akostadinov
25117
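Putting a CUPS host in front of the printer, as this answer suggests, only helps if that host is not itself left open to every network it sits on. As an added example (my own code, not from the answer or from the CUPS project), here is a small Python checker for the access-related parts of a cupsd.conf: which addresses the daemon listens on and which clients each <Location> admits. The two configuration excerpts are constructed for the example, and the LAN address 192.168.1.2 is an assumption.

```python
from __future__ import annotations

import re

# Constructed cupsd.conf excerpt (not from a real host): the daemon bound to every
# interface, with the print queues and the admin web interface open to any client.
WEAK_CUPSD_CONF = """\
Listen *:631
<Location />
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  Order allow,deny
  Allow all
</Location>
"""

# Constructed hardened variant: bind only the LAN address (assumed 192.168.1.2) and
# the local socket, share queues to local subnets (@LOCAL), administer from the box only.
HARDENED_CUPSD_CONF = """\
Listen 192.168.1.2:631
Listen /run/cups/cups.sock
<Location />
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  Order allow,deny
  Allow localhost
</Location>
"""

# Listen hosts that mean "every interface", including a WAN side on a multi-homed box.
WILDCARD_HOSTS = {"", "*", "0.0.0.0", "[::]", "::"}

LOCATION_OPEN = re.compile(r"<Location\s+(\S+)>", re.IGNORECASE)
LOCATION_CLOSE = re.compile(r"</Location>", re.IGNORECASE)


def parse_cupsd_conf(text: str) -> tuple[list[str], dict[str, list[tuple[str, str]]]]:
    """Return the Listen values and, per <Location>, its (directive, value) access rules."""
    listens: list[str] = []
    locations: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = LOCATION_OPEN.match(line)
        if opened:
            current = opened.group(1)
            locations[current] = []
            continue
        if LOCATION_CLOSE.match(line):
            current = None
            continue
        directive, _, value = line.partition(" ")
        directive = directive.lower()
        if directive == "listen":
            listens.append(value.strip())
        elif current is not None and directive in ("order", "allow", "deny"):
            locations[current].append((directive, value.strip()))
    return listens, locations


def listen_host(value: str) -> str:
    """Split 'host:port', '[v6]:port', a bare port or a socket path into its host part."""
    if value.startswith("/"):
        return value  # UNIX domain socket: reachable from this machine only
    host, sep, _port = value.rpartition(":")
    return host if sep else ""  # a bare port number binds every interface


def find_exposures(text: str) -> list[str]:
    """List the settings that expose the CUPS server beyond the local network."""
    findings = []
    listens, locations = parse_cupsd_conf(text)
    for value in listens:
        if listen_host(value) in WILDCARD_HOSTS:
            findings.append(f"Listen {value} binds every interface")
    for path, rules in locations.items():
        for directive, value in rules:
            # Accept both 'Allow all' and the older 'Allow from all' spelling.
            target = re.sub(r"^from\s+", "", value, flags=re.IGNORECASE).lower()
            if directive == "allow" and target == "all":
                findings.append(f"<Location {path}> allows any client")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CUPSD_CONF), ("hardened", HARDENED_CUPSD_CONF)):
        print(name, find_exposures(conf) or "no exposures found")
```

The checker is deliberately narrow: it covers the two settings that turn a sharing server into a second internet-facing printer, the bind address and the client allow list. Authentication for the admin pages and TLS are separate concerns not examined here.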
@Damon, I just point people to Bruce Schneier's essay Click Here to Kill Everyone. (He's also written a book, Click Here to Kill Everybody, which I imagine is an expansion on the essay.)
– Wildcard
yesterday
@Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
– Acccumulation
5 hours ago