Last week we wrote about programmers uploading their private keys along with their public source code.
Hot on the heels of that “epic fail” story comes another internet insecurity meme: network printers left open on the internet.
He reports that he got back “about 86,800 results.” (Geeks will notice that’s very close to 86,400 – the number of seconds in a day.)
For what it’s worth, Howard built up a search term specific to HP printers. If you were to repeat his experiment with other vendors’ URLs in the search mix, you’d probably get hundreds of thousands more publicly-visible printers.
Howard, who has a pithy way with words, says simply:
There's something interesting about being able to print to a random location around the world, with no idea of the consequence.
Lock down your printer :)
PS: There are security concerns here, as many printer models have known exploits which can be used as an entry point to a private network.
Interesting, indeed. You’d think we’d remember the lessons of the past.
It was over ten years ago that we first got a serious wakeup call about printers accessible on networks where they shouldn’t be.
At the end of 2002, the security threat of the moment was a virus called Bugbear.
This virus was everywhere, and one of the things it would do was copy itself anywhere on the network it could find, including (because the virus didn’t care if it made a mistake) dumping itself to remote printers.
And every time you copy tens of thousands of bytes of compiled executable code to a printer, you get tens or hundreds of pages of illegible gobbledegook printed out…
We learned quickly back then. Printing other people’s viral garbage wasn’t just a security risk, it cost real money in wasted paper and toner.
Coming in on Monday morning to an empty paper feeder and 2000 pages of wingding-a-ling drivel in the output tray focused the mind of many a company beancounter!
Take Adam Howard’s advice. Lock down your printers.
Firstly, there’s a security risk implicit in letting untrusted outsiders connect to internal devices. Printers these days have their own OS, network stack and often rather powerful firmware.
A lot could go wrong.
Secondly, it’s resource mismanagement, plain and simple. You don’t let outsiders randomly and remotely turn on taps in the bathroom to waste water they can’t even see, let alone wash with.
So why let them send print jobs they’ll never read or even collect?
PS. HP got in touch with us, or at least their PR company did, to re-echo the advice to lock down your printers, for example by password-protecting the web interface and not letting traffic from outside your network reach your printers in the first place.
They recommended this useful document, HP Imaging and Printing Security Best Practices. It goes beyond password protection, covering additional topics such as how to inhibit functions you don’t need, and how to avoid leaving behind left-over data from scans or print jobs. It even has recommendations for the physical security of your printer.
At 93 pages, it’s not a 60-second exercise to read it, but if you’re an HP user, I suggest you take a look. There’s plenty of food for thought in there.
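One way to check the "no traffic from outside" advice against your own configuration is sketched below. This is an example added here, not code from HP or from Adam Howard. It flags printers in an inventory that either sit on a non-private address or are the target of a port-forwarding rule in an iptables-save dump. The inventory, the firewall rules and the port list are constructed assumptions.

```python
import ipaddress
import re

# Assumption: common printing/management TCP ports (not listed in the article).
PRINTER_PORTS = {80: "web interface", 443: "web interface (TLS)",
                 515: "LPD", 631: "IPP", 9100: "raw port 9100 printing"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: name -> address (203.0.113.0/24 is a documentation range).
PRINTERS = {"lobby-hp": "192.168.1.50", "lab-hp": "203.0.113.20"}

# Constructed iptables-save excerpt from a hypothetical edge firewall.
RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9100 -j DNAT --to-destination 192.168.1.50:9100
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.10:22
COMMIT
"""

DNAT_RE = re.compile(r"-A PREROUTING\b.*?--dport (\d+)\b.*?"
                     r"-j DNAT --to-destination ([\d.]+)(?::(\d+))?")


def audit(printers, rules_text):
    """Return (printer, address, external_port, reason) for each exposure found."""
    findings = []
    by_ip = {ip: name for name, ip in printers.items()}
    # 1. A printer addressed outside private space is directly routable.
    for name, ip in sorted(printers.items()):
        if not any(ipaddress.ip_address(ip) in net for net in RFC1918):
            findings.append((name, ip, None, "address outside RFC 1918 ranges"))
    # 2. A DNAT rule targeting a printer publishes it through the firewall.
    for line in rules_text.splitlines():
        m = DNAT_RE.search(line)
        if m and m.group(2) in by_ip:
            ext_port = int(m.group(1))
            dest_port = int(m.group(3) or ext_port)  # no port given: unchanged
            service = PRINTER_PORTS.get(dest_port, "unlisted service")
            findings.append((by_ip[m.group(2)], m.group(2), ext_port,
                             f"forwarded to {service} (port {dest_port})"))
    return findings


if __name__ == "__main__":
    for finding in audit(PRINTERS, RULES):
        print(finding)
```

The forward to 192.168.1.10 is ignored because that address is not in the printer inventory, so the audit is only as good as the inventory you feed it.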