How to protect printers from being hacked
Recently it got to my attention that someone has hacked around 50,000 printers and used them to print the message they wanted to. (link)
As someone who doesn't have a lot of knowledge about networks or hacking, what would be the steps to take to protect my printer or similar accessories from such attacks in the future?
protection printers
edited Dec 9 at 11:10
jraspiprojects
74
asked Dec 6 at 9:58
aMJay
30926
|
show 5 more comments
Recently it got to my attention that someone has hacked around 50,000 printers and used them to print the message they wanted to. (link)
As someone who doesn't have a lot of knowledge about networks or hacking, what would be the steps to take to protect my printer or similar accessories from such attacks in the future?
protection printers
edited Dec 9 at 11:10
jraspiprojects
74
asked Dec 6 at 9:58
aMJay
30926
41
And yet another occasion to ask why so many people are deeply convinced that every device (including printers, cameras, refridgerators, toasters, home automation) must be connected to, and accessible via internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want any of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose.
– Damon
Dec 6 at 14:23
52
I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs.
– Tyzoid
Dec 6 at 16:22
7
The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place."
– Mason Wheeler
Dec 6 at 19:46
2
@Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
– Acccumulation
Dec 7 at 22:59
1
@Acccumulation I'd consider that social engineering (same reason phishing attacks aren't called hacks). Now - if the trojan was triggered via a non-executable file (word doc, excel sheet, pdf, etc) or did anything, such as install a backdoor or trigger other actions on the network, that could be considered a hack (in my mind). As another example - if I misconfigure my wifi as "open," and my neighbor connects - has she hacked my wifi? Consequently, if they connect their smartphone and it autodiscovers my airplay device/printer/etc, have they hacked my network? Has Apple hacked my network?
– Tyzoid
Dec 8 at 0:10
|
show 5 more comments
Recently it got to my attention that someone has hacked around 50,000 printers and used them to print the message they wanted to. (link)
As someone who doesn't have a lot of knowledge about networks or hacking, what would be the steps to take to protect my printer or similar accessories from such attacks in the future?
protection printers
edited Dec 9 at 11:10
jraspiprojects
74
asked Dec 6 at 9:58
aMJay
30926
Recently it got to my attention that someone has hacked around 50,000 printers and used them to print the message they wanted to. (link)
As someone who doesn't have a lot of knowledge about networks or hacking, what would be the steps to take to protect my printer or similar accessories from such attacks in the future?
protection printers
protection printers
edited Dec 9 at 11:10
jraspiprojects
74
asked Dec 6 at 9:58
aMJay
30926
edited Dec 9 at 11:10
jraspiprojects
74
asked Dec 6 at 9:58
aMJay
30926
edited Dec 9 at 11:10
jraspiprojects
74
edited Dec 9 at 11:10
jraspiprojects
74
edited Dec 9 at 11:10
jraspiprojects
74
74
asked Dec 6 at 9:58
aMJay
30926
asked Dec 6 at 9:58
aMJay
30926
asked Dec 6 at 9:58
aMJay
30926
30926
41
And yet another occasion to ask why so many people are deeply convinced that every device (including printers, cameras, refridgerators, toasters, home automation) must be connected to, and accessible via internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want any of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose.
– Damon
Dec 6 at 14:23
52
I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs.
– Tyzoid
Dec 6 at 16:22
7
The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place."
– Mason Wheeler
Dec 6 at 19:46
2
@Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
– Acccumulation
Dec 7 at 22:59
1
@Acccumulation I'd consider that social engineering (same reason phishing attacks aren't called hacks). Now - if the trojan was triggered via a non-executable file (word doc, excel sheet, pdf, etc) or did anything, such as install a backdoor or trigger other actions on the network, that could be considered a hack (in my mind). As another example - if I misconfigure my wifi as "open," and my neighbor connects - has she hacked my wifi? Consequently, if they connect their smartphone and it autodiscovers my airplay device/printer/etc, have they hacked my network? Has Apple hacked my network?
– Tyzoid
Dec 8 at 0:10
|
show 5 more comments
41
And yet another occasion to ask why so many people are deeply convinced that every device (including printers, cameras, refridgerators, toasters, home automation) must be connected to, and accessible via internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want any of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose.
– Damon
Dec 6 at 14:23
52
I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs.
– Tyzoid
Dec 6 at 16:22
7
The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place."
– Mason Wheeler
Dec 6 at 19:46
2
@Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
– Acccumulation
Dec 7 at 22:59
1
@Acccumulation I'd consider that social engineering (same reason phishing attacks aren't called hacks). Now - if the trojan was triggered via a non-executable file (word doc, excel sheet, pdf, etc) or did anything, such as install a backdoor or trigger other actions on the network, that could be considered a hack (in my mind). As another example - if I misconfigure my wifi as "open," and my neighbor connects - has she hacked my wifi? Consequently, if they connect their smartphone and it autodiscovers my airplay device/printer/etc, have they hacked my network? Has Apple hacked my network?
– Tyzoid
Dec 8 at 0:10
41
41
And yet another occasion to ask why so many people are deeply convinced that every device (including printers, cameras, refridgerators, toasters, home automation) must be connected to, and accessible via internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want any of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose.
– Damon
Dec 6 at 14:23
And yet another occasion to ask why so many people are deeply convinced that every device (including printers, cameras, refridgerators, toasters, home automation) must be connected to, and accessible via internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want any of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose.
– Damon
Dec 6 at 14:23
52
52
I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs.
– Tyzoid
Dec 6 at 16:22
I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs.
– Tyzoid
Dec 6 at 16:22
7
7
The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place."
– Mason Wheeler
Dec 6 at 19:46
The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place."
– Mason Wheeler
Dec 6 at 19:46
2
2
@Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
– Acccumulation
Dec 7 at 22:59
@Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
– Acccumulation
Dec 7 at 22:59
1
1
@Acccumulation I'd consider that social engineering (same reason phishing attacks aren't called hacks). Now - if the trojan was triggered via a non-executable file (word doc, excel sheet, pdf, etc) or did anything, such as install a backdoor or trigger other actions on the network, that could be considered a hack (in my mind). As another example - if I misconfigure my wifi as "open," and my neighbor connects - has she hacked my wifi? Consequently, if they connect their smartphone and it autodiscovers my airplay device/printer/etc, have they hacked my network? Has Apple hacked my network?
– Tyzoid
Dec 8 at 0:10
@Acccumulation I'd consider that social engineering (same reason phishing attacks aren't called hacks). Now - if the trojan was triggered via a non-executable file (word doc, excel sheet, pdf, etc) or did anything, such as install a backdoor or trigger other actions on the network, that could be considered a hack (in my mind). As another example - if I misconfigure my wifi as "open," and my neighbor connects - has she hacked my wifi? Consequently, if they connect their smartphone and it autodiscovers my airplay device/printer/etc, have they hacked my network? Has Apple hacked my network?
– Tyzoid
Dec 8 at 0:10
|
show 5 more comments
4 Answers
4
active
oldest
votes
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
IPP. This is designed to be used over the internet and has built in support for authentication.- Google Cloud Print
answered Dec 6 at 10:32
Joe
2,4152820
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
Dec 6 at 15:59
11
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
Dec 6 at 16:39
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
Dec 6 at 22:05
1
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
Dec 6 at 22:13
1
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
Dec 6 at 23:15
|
show 1 more comment
The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have public routable IP addresses make sure that a firewall is blocking access from outside.
For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody nearby the printer (i.e. somebody at the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.
Apart from that the firmware in some printers can be replaced by sending a special document to these. The hacked firmware then can for example allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kind of attacks make sure that the firmware is up-to-date, that security features are enabled which protect replacing the firmware this way (if such settings exist), that the printer can only talk with selected protocols to the rest of the network using a firewall in front of printer or at least configure your perimeter firewall so that the printer can not connect to the internet.
answered Dec 6 at 10:19
Steffen Ullrich
113k13197260
2
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
Dec 6 at 13:07
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
– Steffen Ullrich
Dec 6 at 13:15
1
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
Dec 6 at 13:21
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
Dec 6 at 13:31
1
@steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
Dec 6 at 13:46
|
show 3 more comments
That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.
One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
answered Dec 6 at 13:19
John Deters
26.2k24087
add a comment |
I've seen many home printers, for example Epson, not implementing any security features.
The easiest way to protect them is to connect to a computer via USB or dedicated network/VLAN. Then share them through that server using cups/samba/printer sharing.
Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from internal network is also important if you internal network is big. i.e. anything bigger than a home network where you and your family exclusively connect to.
answered Dec 7 at 7:41
akostadinov
26117
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199226%2fhow-to-protect-printers-from-being-hacked%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
IPP. This is designed to be used over the internet and has built in support for authentication.- Google Cloud Print
answered Dec 6 at 10:32
Joe
2,4152820
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
Dec 6 at 15:59
11
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
Dec 6 at 16:39
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
Dec 6 at 22:05
1
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
Dec 6 at 22:13
1
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
Dec 6 at 23:15
|
show 1 more comment
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
IPP. This is designed to be used over the internet and has built in support for authentication.- Google Cloud Print
answered Dec 6 at 10:32
Joe
2,4152820
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
Dec 6 at 15:59
11
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
Dec 6 at 16:39
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
Dec 6 at 22:05
1
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
Dec 6 at 22:13
1
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
Dec 6 at 23:15
|
show 1 more comment
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
IPP. This is designed to be used over the internet and has built in support for authentication.- Google Cloud Print
answered Dec 6 at 10:32
Joe
2,4152820
Don't leave your printer exposing port 9100 to the internet.
This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.
The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.
Preventing this attack
All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:
- Use a VPN to connect to the network, making the printer accessible as if it's in your local network
- Use a different printing protocol
IPP. This is designed to be used over the internet and has built in support for authentication.- Google Cloud Print
answered Dec 6 at 10:32
Joe
2,4152820
edited Dec 6 at 11:14
answered Dec 6 at 10:32
Joe
2,4152820
answered Dec 6 at 10:32
Joe
2,4152820
answered Dec 6 at 10:32
Joe
2,4152820
2,4152820
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
Dec 6 at 15:59
11
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
Dec 6 at 16:39
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
Dec 6 at 22:05
1
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
Dec 6 at 22:13
1
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
Dec 6 at 23:15
|
show 1 more comment
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
Dec 6 at 15:59
11
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
Dec 6 at 16:39
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
Dec 6 at 22:05
1
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
Dec 6 at 22:13
1
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
Dec 6 at 23:15
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
Dec 6 at 15:59
If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
– BruceWayne
Dec 6 at 15:59
11
11
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
Dec 6 at 16:39
No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
– ThoriumBR
Dec 6 at 16:39
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
Dec 6 at 22:05
Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
– Lord Farquaad
Dec 6 at 22:05
1
1
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
Dec 6 at 22:13
This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
– Joe
Dec 6 at 22:13
1
1
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
Dec 6 at 23:15
@Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
– cybernard
Dec 6 at 23:15
|
show 1 more comment
The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have public routable IP addresses make sure that a firewall is blocking access from outside.
For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody nearby the printer (i.e. somebody at the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.
Apart from that the firmware in some printers can be replaced by sending a special document to these. The hacked firmware then can for example allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kind of attacks make sure that the firmware is up-to-date, that security features are enabled which protect replacing the firmware this way (if such settings exist), that the printer can only talk with selected protocols to the rest of the network using a firewall in front of printer or at least configure your perimeter firewall so that the printer can not connect to the internet.
answered Dec 6 at 10:19
Steffen Ullrich
113k13197260
2
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
Dec 6 at 13:07
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
– Steffen Ullrich
Dec 6 at 13:15
1
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
Dec 6 at 13:21
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
Dec 6 at 13:31
1
@steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
Dec 6 at 13:46
|
show 3 more comments
The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have public routable IP addresses make sure that a firewall is blocking access from outside.
For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody nearby the printer (i.e. somebody at the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.
Apart from that the firmware in some printers can be replaced by sending a special document to these. The hacked firmware then can for example allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kind of attacks make sure that the firmware is up-to-date, that security features are enabled which protect replacing the firmware this way (if such settings exist), that the printer can only talk with selected protocols to the rest of the network using a firewall in front of printer or at least configure your perimeter firewall so that the printer can not connect to the internet.
answered Dec 6 at 10:19
Steffen Ullrich
113k13197260
2
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
Dec 6 at 13:07
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
– Steffen Ullrich
Dec 6 at 13:15
1
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
Dec 6 at 13:21
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
Dec 6 at 13:31
1
@steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
Dec 6 at 13:46
|
show 3 more comments
The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have public routable IP addresses make sure that a firewall is blocking access from outside.
For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody nearby the printer (i.e. somebody at the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.
Apart from that the firmware in some printers can be replaced by sending a special document to these. The hacked firmware then can for example allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kind of attacks make sure that the firmware is up-to-date, that security features are enabled which protect replacing the firmware this way (if such settings exist), that the printer can only talk with selected protocols to the rest of the network using a firewall in front of printer or at least configure your perimeter firewall so that the printer can not connect to the internet.
answered Dec 6 at 10:19
Steffen Ullrich
113k13197260
The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have public routable IP addresses make sure that a firewall is blocking access from outside.
For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody nearby the printer (i.e. somebody at the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.
Apart from that the firmware in some printers can be replaced by sending a special document to these. The hacked firmware then can for example allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kind of attacks make sure that the firmware is up-to-date, that security features are enabled which protect replacing the firmware this way (if such settings exist), that the printer can only talk with selected protocols to the rest of the network using a firewall in front of printer or at least configure your perimeter firewall so that the printer can not connect to the internet.
answered Dec 6 at 10:19
Steffen Ullrich
113k13197260
edited Dec 6 at 10:24
answered Dec 6 at 10:19
Steffen Ullrich
113k13197260
answered Dec 6 at 10:19
Steffen Ullrich
113k13197260
answered Dec 6 at 10:19
Steffen Ullrich
113k13197260
113k13197260
2
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
Dec 6 at 13:07
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
– Steffen Ullrich
Dec 6 at 13:15
1
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
Dec 6 at 13:21
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
Dec 6 at 13:31
1
@steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
Dec 6 at 13:46
|
show 3 more comments
2
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
Dec 6 at 13:07
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
– Steffen Ullrich
Dec 6 at 13:15
1
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
Dec 6 at 13:21
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
Dec 6 at 13:31
1
@steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
Dec 6 at 13:46
2
2
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
Dec 6 at 13:07
"don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
– Jon Bentley
Dec 6 at 13:07
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
– Steffen Ullrich
Dec 6 at 13:15
@JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
– Steffen Ullrich
Dec 6 at 13:15
1
1
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
Dec 6 at 13:21
If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
– Jon Bentley
Dec 6 at 13:21
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
Dec 6 at 13:31
@JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of the today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
– Steffen Ullrich
Dec 6 at 13:31
1
1
@steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
Dec 6 at 13:46
@steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
– Jon Bentley
Dec 6 at 13:46
|
show 3 more comments
That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.
One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
answered Dec 6 at 13:19
John Deters
26.2k24087
add a comment |
That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.
One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
answered Dec 6 at 13:19
John Deters
26.2k24087
add a comment |
That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.
One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
answered Dec 6 at 13:19
John Deters
26.2k24087
That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.
One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
answered Dec 6 at 13:19
John Deters
26.2k24087
answered Dec 6 at 13:19
John Deters
26.2k24087
answered Dec 6 at 13:19
John Deters
26.2k24087
answered Dec 6 at 13:19
John Deters
26.2k24087
26.2k24087
add a comment |
add a comment |
I've seen many home printers, for example Epson, not implementing any security features.
The easiest way to protect them is to connect to a computer via USB or dedicated network/VLAN. Then share them through that server using cups/samba/printer sharing.
Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from internal network is also important if you internal network is big. i.e. anything bigger than a home network where you and your family exclusively connect to.
answered Dec 7 at 7:41
akostadinov
26117
add a comment |
I've seen many home printers, for example Epson, not implementing any security features.
The easiest way to protect them is to connect to a computer via USB or dedicated network/VLAN. Then share them through that server using cups/samba/printer sharing.
Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from internal network is also important if you internal network is big. i.e. anything bigger than a home network where you and your family exclusively connect to.
answered Dec 7 at 7:41
akostadinov
26117
add a comment |
I've seen many home printers, for example Epson, not implementing any security features.
The easiest way to protect them is to connect to a computer via USB or dedicated network/VLAN. Then share them through that server using cups/samba/printer sharing.
Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from internal network is also important if you internal network is big. i.e. anything bigger than a home network where you and your family exclusively connect to.
answered Dec 7 at 7:41
akostadinov
26117
I've seen many home printers, for example Epson, not implementing any security features.
The easiest way to protect them is to connect to a computer via USB or dedicated network/VLAN. Then share them through that server using cups/samba/printer sharing.
Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from internal network is also important if you internal network is big. i.e. anything bigger than a home network where you and your family exclusively connect to.
answered Dec 7 at 7:41
akostadinov
26117
answered Dec 7 at 7:41
akostadinov
26117
answered Dec 7 at 7:41
akostadinov
26117
answered Dec 7 at 7:41
akostadinov
26117
26117
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199226%2fhow-to-protect-printers-from-being-hacked%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
41
And yet another occasion to ask why so many people are deeply convinced that every device (including printers, cameras, refridgerators, toasters, home automation) must be connected to, and accessible via internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want any of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose.
– Damon
Dec 6 at 14:23
52
I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs.
– Tyzoid
Dec 6 at 16:22
7
The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place."
– Mason Wheeler
Dec 6 at 19:46
2
@Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
– Acccumulation
Dec 7 at 22:59
1
@Acccumulation I'd consider that social engineering (same reason phishing attacks aren't called hacks). Now - if the trojan was triggered via a non-executable file (word doc, excel sheet, pdf, etc) or did anything, such as install a backdoor or trigger other actions on the network, that could be considered a hack (in my mind). As another example - if I misconfigure my wifi as "open," and my neighbor connects - has she hacked my wifi? Consequently, if they connect their smartphone and it autodiscovers my airplay device/printer/etc, have they hacked my network? Has Apple hacked my network?
– Tyzoid
Dec 8 at 0:10