2020-06-30
In early June shadowserver.net reported that they are finding roughly 80,000 unfirewalled printers on the internet each day. That means that these printers are unprotected and that bad actors on the 'net can discover multiple characteristics about the printers.
According to the report, the information discovered from the exposed printers included "printer names, locations, models, firmware versions, organizational units and even printer wifi ssids". That means anyone on the internet could see this information. That is a bad case of information leakage!
The protocol they used was the Internet Printing Protocol (IPP). That protocol runs over HTTP and supplies information about the printer when requested. Normally, a printer should sit behind an internet firewall. However, some firewalls are configured to pass the IPP port (TCP port 631) through. Allowing users to print on a printer remotely may be convenient, but it can be a security issue. Different printers expose different information to outside users, and different printers support different authentication protocols. The report notes that the 80,000 printers were without "adequate access controls or authorization mechanisms in place". In other words, even if the discovered printers had good authentication mechanisms, they were not in use.
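To show concretely what an IPP query over port 631 hands back, here is an added example (written for this post, not code from the Shadowserver report or any printer vendor) that encodes the Get-Printer-Attributes request from RFC 8011, decodes a response, and flags the attributes the report lists so an administrator can audit their own printers. The sample response, the printer names and the SSID are constructed, and the set of flagged attribute names is my assumption based on the report's list (adjust it to what your devices actually report).

```python
import struct

END_OF_ATTRIBUTES = 0x03  # RFC 8011: 8-byte header, delimiter-tagged attribute groups, end tag
GROUP_TAGS = {0x01: "operation", 0x04: "printer"}
# Assumed attribute names matching the report's list of leaked fields; the audit flags these.
SENSITIVE = {"printer-name", "printer-location", "printer-info", "printer-make-and-model",
             "printer-firmware-version", "printer-organizational-unit", "printer-wifi-ssid"}

def _attr(tag: int, name: str, value: str) -> bytes:
    n, v = name.encode(), value.encode()  # value-tag, name-length, name, value-length, value
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v

def build_get_printer_attributes(printer_uri: str, request_id: int = 1) -> bytes:
    """Encode the Get-Printer-Attributes request (operation 0x000B) a print client sends."""
    return (b"\x02\x00" + struct.pack(">HI", 0x000B, request_id) + b"\x01"  # operation group
            + _attr(0x47, "attributes-charset", "utf-8")
            + _attr(0x48, "attributes-natural-language", "en")
            + _attr(0x45, "printer-uri", printer_uri) + bytes([END_OF_ATTRIBUTES]))

def parse_ipp_response(data: bytes) -> dict:
    """Decode an IPP response into {"status": code, "groups": {group: {name: [values]}}}."""
    out = {"status": struct.unpack(">H", data[2:4])[0], "groups": {}}
    pos, group, last_name = 8, None, None
    while pos < len(data) and data[pos] != END_OF_ATTRIBUTES:
        tag = data[pos]; pos += 1
        if tag < 0x10:  # delimiter tag: a new attribute group starts
            group = out["groups"].setdefault(GROUP_TAGS.get(tag, "group-%02x" % tag), {})
            continue
        name_len = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        # An empty name means a further value of the previous (multi-valued) attribute.
        name = data[pos:pos + name_len].decode() or last_name; pos += name_len
        val_len = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        raw = data[pos:pos + val_len]; pos += val_len
        is_int = tag in (0x21, 0x23) and val_len == 4  # integer / enum are 4-byte big-endian
        value = struct.unpack(">i", raw)[0] if is_int else raw.decode("utf-8", "replace")
        group.setdefault(name, []).append(value)
        last_name = name
    return out

def leaked_attributes(parsed: dict) -> dict:
    """Sensitive printer attributes the response exposes; an empty dict means nothing leaked."""
    return {k: v for k, v in parsed["groups"].get("printer", {}).items() if k in SENSITIVE}

# Constructed sample response (not captured from a real device): status 0x0000 successful-ok.
SAMPLE_RESPONSE = (b"\x02\x00\x00\x00\x00\x00\x00\x01\x01" + _attr(0x47, "attributes-charset", "utf-8")
    + b"\x04" + _attr(0x42, "printer-name", "hq-floor2-color")
    + _attr(0x41, "printer-location", "Example Corp, 2nd floor, room 214")
    + _attr(0x44, "printer-firmware-version", "1.8.3") + _attr(0x44, "printer-wifi-ssid", "ExampleCorp-Staff")
    + bytes([END_OF_ATTRIBUTES]))
```

To audit one of your own printers, POST the request bytes to its IPP endpoint with Content-Type application/ipp (ipptool from CUPS does the same) and pass the response body to parse_ipp_response; anything leaked_attributes returns is visible to whoever can reach port 631.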
Let's look at just two of the issues this poses. First is the potential exposure of a network's Wi-Fi SSID. With that information, an attacker could become a host on the network. If this is accompanied by exposure of the location of the printer, the attacker could potentially know the physical location of the network. With access to the network, an attacker could scan for vulnerable devices and potentially compromise them.
The second issue is that many printers are older and may not have all security patches installed (or there may be none for a particular printer). It is possible that bugs in printer firmware may allow an attacker to install malicious software on the device or to use the device to connect to other network hosts.
Mitigations
There are three essential actions an administrator must take to help avoid attacks on or via these devices: update firmware, enable strong authentication on the printers, and block access to the printer from devices not on the local network.
When I teach Learning Tree's cyber security introduction class, I stress the need to update device firmware. It applies to routers, printers, and other devices connected to the network. Software can have bugs, and keeping it current allows fixes that prevent security issues.
IPP provides for multiple methods of authenticating clients. Most or all devices support a username/password combination. Some support other methods including digital certificates and OAuth. Administrators should enable the strongest mechanism the device and organization can support.
Finally, organizations need to evaluate whether or not internet access to the printer is necessary. If it isn't, the firewall rule allowing remote access should be disabled. If it is, is VPN access to the network a better solution? If remote users can connect to the network with a VPN, is there a reason they need to connect to the printer separately?
Devices exposed to the internet without firewall protection pose risks including information leakage and potential compromise of the device. The actions I recommend above for connected printers apply to all directly connected devices.
To your safe computing,