86,800 network printers open to the whole internet - is one of them yours?


Last week we wrote about programmers uploading their private keys along with their public source code.

Hot on the heels of that "epic fail" story comes another internet insecurity meme: network printers left open on the internet.

UK blogger @skattyadz, alias Adam Howard, did a Google search for a URL matching the pattern you might use to connect to a nearby printer on your office network.

He reports that he got back "about 86,800 results." (Geeks will notice that's very close to 86,400 - the number of seconds in a day.)

For what it's worth, Howard built up a search term specific to HP printers. If you were to repeat his experiment with other vendors' URLs in the search mix, you'd probably get hundreds of thousands more publicly-visible printers.

Howard, who has a pithy way with words, says simply:

There's something interesting about being able to print to a random location around the world, with no idea of the consequence.

Lock down your printer :)

PS: There are security concerns here, as many printer models have known exploits which can be used as an entry point to a private network.

Interesting, indeed. You'd think we'd remember the lessons of the past.

It was over ten years ago that we first got a serious wakeup call about printers accessible on networks where they shouldn't be.

At the end of 2002, the security threat of the moment was a virus called Bugbear.

This virus was everywhere, and one of the things it would do was copy itself anywhere on the network it could find, including (because the virus didn't care if it made a mistake) dumping itself to remote printers.

And every time you copy tens of thousands of bytes of compiled executable code to a printer, you get tens or hundreds of pages of illegible gobbledegook printed out...

We learned quickly back then. Printing other people's viral garbage wasn't just a security risk, it cost real money in wasted paper and toner.

Coming in on Monday morning to an empty paper feeder and 2000 pages of wingding-a-ling drivel in the output tray focused the mind of many a company beancounter!

Take Adam Howard's advice. Lock down your printers.

Firstly, there's a security risk implicit in letting untrusted outsiders connect to internal devices. Printers these days have their own OS, network stack and often rather powerful firmware.

A lot could go wrong.

Secondly, it's resource mismanagement, plain and simple. You don't let outsiders randomly and remotely turn on taps in the bathroom to waste water they can't even see, let alone wash with.

So why let them send print jobs they'll never read or even collect?

PS. HP got in touch with us, or at least their PR company did, to re-echo the advice to lock down your printers, for example by password-protecting the web interface and by not letting traffic from outside your network reach your printers in the first place.

They recommended this useful document, HP Imaging and Printing Security Best Practices. It goes beyond password protection, covering additional topics such as how to inhibit functions you don't need, and how to avoid leaving behind left-over data from scans or print jobs. It even has recommendations for the physical security of your printer.

At 93 pages, it's not a 60-second exercise to read it, but if you're an HP user, I suggest you take a look. There's plenty of food for thought in there.
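One way to check whether a printer you administer answers connections, run from a vantage point outside your network against your own address (an added example, not code from the article or from HP; the function names are hypothetical, and the port list comes from the well-known assignments for printing services rather than from the article):

```python
import ipaddress
import socket

# Common network-printing services (well-known port assignments).
PRINTER_PORTS = {
    80: "HTTP web interface",
    443: "HTTPS web interface",
    515: "LPD",
    631: "IPP",
    9100: "raw/JetDirect printing",
}


def open_ports(host, ports=PRINTER_PORTS, timeout=2.0):
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    found = {}
    for port, service in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found[port] = service
        except OSError:
            pass  # refused, filtered or timed out: not reachable from here
    return found


def audit_printer(host, ports=PRINTER_PORTS, timeout=2.0):
    """Summarise the exposure of one printer you administer."""
    addr = ipaddress.ip_address(socket.gethostbyname(host))
    reachable = open_ports(host, ports, timeout)
    return {
        "address": str(addr),
        "public_address": addr.is_global,  # False for RFC 1918 and loopback
        "reachable": reachable,
        # A globally routable address with answering print services is the
        # situation the article describes: lock it down.
        "internet_exposed": addr.is_global and bool(reachable),
    }


if __name__ == "__main__":
    import sys
    # Pass the address of a printer you administer; 127.0.0.1 is a placeholder.
    print(audit_printer(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A result with `internet_exposed` set to true means the firewall or router is passing print or web-interface traffic from outside; an empty `reachable` map from an outside vantage point is the desired state.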

Image of network printer courtesy of Shutterstock.


13 Responses to 86,800 network printers open to the whole internet - is one of them yours?

  1. Retrotecchie · 581 days ago

    This brings a whole new dimension to getting drunk at an office party and then photocopying your posterior!

    Imagine...your backside, anywhere in the world with an unsecured network printer...

  2. Sam · 581 days ago

    In the 1960s we would write a boot block to the printer then cause the processor to read it, with the inevitable result! Caught the operator on the wrong foot every time!
    Nothing changes.

  3. Jean · 581 days ago

    So, besides turning your printer off, what can you do to lock people out of your printer?
    I'm talking about a printer at home.

    • Kose · 580 days ago

      Your printer at home should not be on the internet, as it will not have a public IP address as it's in your internal network. However, if it is wifi enabled or your wifi is not correctly secured, someone within range of this could potentially send jobs to it and use up all your expensive printer ink.

      The best thing you can do is to change the default password or secure your network with WPA2 encryption.

    • Paul Ducklin · 580 days ago

      Depends on the printer. Not all printers are directly accessible via web-style URLs like the ones found in the search done by Adam Howard. (Check your printer manual or favourite search engine for details.) So you might not have much to worry about.

      Also, as @Kose says above, in theory, your printer at home "should not be on the internet, as it will not have a public IP address as it is in your internal network."

      However, if you have UPnP (Universal Plug and Play) enabled, whether by accident or by design, in your router at home, your printer, and other devices on your internal network, *might* be accessible to outsiders. UPnP is designed, amongst other things, to make device management work reliably through a router.

      I suggest you have a look here:

      http://nakedsecurity.sophos.com/what-if-your-secu...

      That's a related article we wrote about security problems with some security cameras inadvertently being "hackable" from outside your network. There's some advice there about how to control UPnP, which is probably worth knowing about anyway. (Check the article and then the comments.)

      HtH.

  4. dev · 580 days ago

    Google results not correct: http://goo.gl/JKjsk

    The first page of the Google search shows 86000+ results within 0.26 secs. Unfortunately, if you click the second page of the Google search, it shows a total of 13 results. This means there are only 13 printers that Google search was able to index. Can you review it once again?

    • The small print on the Google page reads:

      "In order to show you the most relevant results, we have omitted some entries very similar to the 13 already displayed."

      You can then go on to view many many more pages of search results if you want.

      • dev · 580 days ago

        Yeah, I tried that one too. I found only 71 results :) There are only 8 pages that show 71 results. Any idea why?

      • AncientBrit · 580 days ago

        This is a "feature" of Google searches that's been around for at least a decade - for whatever reason, the reported count is way off the mark, even if you include omitted results. Only when you click on the supposed last page of results do you see a truer picture.

        It doesn't detract from the report, of course - the count doesn't really matter, it's the vulnerability and being aware of it.

    • Nomphra · 580 days ago

      Could it be that you have Google set to search only in your locale, rather than "The Web" (in "Search Tools")? I get "about 86,100" results.

      • dev · 580 days ago

        Na, I am using "The Web". It shows 86,100 results on the 1st page, but if I click the 8th page it shows 71 results. I can see there are 8 pages.

  5. Michael · 580 days ago

    Any site list some good/better/best practices to locking down printers from attack?

  6. Nikos · 579 days ago

    With this article I remembered a 15 year old crank in Universities. A user changed the IP address (or even a MAC address) of a laptop/printer/etc. to match that of a mail server/router/younameit. Usually, the server would switch off its Ethernet adapter since there was a duplicate IP on the net.

    Imagine now someone doing this remotely via an open printer!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog