Printer Privacy Security

80,000 Printers Are Exposing Their IPP Port Online (zdnet.com) 56

An anonymous reader quotes a report from ZDNet: In a report published earlier this month, security researchers from the Shadowserver Foundation, a non-profit organization focused on improving cyber-security practices across the world, have published a warning about companies that are leaving printers exposed online. More specifically, Shadowserver experts scanned all the four billion routable IPv4 addresses for printers that are exposing their IPP port. IPP stands for "Internet Printing Protocol" and, as the name suggests, is a protocol that allows users to manage internet-connected printers and send printing jobs to printers hosted online. The difference between IPP and the multiple other printer management protocols is that IPP is a secure protocol that supports advanced features such as access control lists, authentication, and encrypted communications. However, this doesn't mean that device owners are making use of any of these features.

Shadowserver experts said they specifically scanned the internet for IPP-capable printers that were left exposed without being protected by a firewall and allowed attackers to query for local details via the "Get-Printer-Attributes" function. In total, experts said they usually found an average of around 80,000 printers exposing themselves online via the IPP port on a daily basis. The number is about an eighth of all IPP-capable printers currently connected online. A normal scan with the BinaryEdge search engine reveals a daily count of between 650,000 and 700,000 devices with their IPP port (TCP/631) reachable via the internet.

What are the issues with not securing the IPP port? Shadowserver experts say this port can be used for intelligence gathering, since many of the printers scanned returned additional info about themselves, such as printer names, locations, models, firmware, organization names, and even Wi-Fi network names.

"To configure IPP access control and IPP authentication features, users are advised to check their printers' manuals," adds ZDNet. "Most printers have an IPP configuration section in their administration panel from where users can enable authentication, encryption, and limit access to the device via access lists."
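
The concern in the report is what an unauthenticated "Get-Printer-Attributes" reply gives away. As an added example (not from ZDNet, Shadowserver or the original post), this parses an IPP response in the RFC 8010 binary encoding and lists the identifying attributes it carries, for checking a reply from a printer you administer; the response bytes are constructed, and the set of attribute names flagged is this example's assumption.

```python
import struct

# Standard IPP attribute names for the kinds of detail the report lists;
# which names to flag is this example's assumption.
SENSITIVE = {"printer-name", "printer-location", "printer-make-and-model",
             "printer-firmware-string-version", "printer-organization",
             "printer-wifi-ssid"}

def attr(tag, name, value):
    """Encode one attribute: value-tag, name-length, name, value-length, value."""
    n, v = name.encode(), value.encode()
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v

def parse_ipp(data):
    """Return (status_code, {name: [raw values]}) for an IPP response."""
    pos, attrs, last = 0, {}, None
    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated IPP message")
        pos += n
        return data[pos - n:pos]
    status = int.from_bytes(take(8)[2:4], "big")  # version, status, request-id
    while True:
        tag = take(1)[0]
        if tag == 0x03:                  # end-of-attributes-tag
            return status, attrs
        if tag <= 0x0F:                  # delimiter tag: new attribute group
            last = None
            continue
        name = take(int.from_bytes(take(2), "big")).decode("utf-8", "replace")
        value = take(int.from_bytes(take(2), "big"))
        if not name and last is None:
            raise ValueError("additional value with no preceding attribute")
        last = name or last              # empty name = another value of `last`
        attrs.setdefault(last, []).append(value)

def disclosed(data):
    """Flagged attributes in a successful (status 0x0000-0x00FF) reply."""
    status, attrs = parse_ipp(data)
    return {k: [v.decode("utf-8", "replace") for v in vals]
            for k, vals in attrs.items() if status <= 0xFF and k in SENSITIVE}

# Constructed sample reply (not captured from any real device).
SAMPLE = (bytes([2, 0]) + struct.pack(">HI", 0x0000, 1) + b"\x01"
          + attr(0x47, "attributes-charset", "utf-8") + b"\x04"
          + attr(0x42, "printer-name", "FrontDesk-MFP")
          + attr(0x41, "printer-location", "Example Corp, 2nd floor")
          + attr(0x44, "ipp-versions-supported", "1.1") + attr(0x44, "", "2.0")
          + attr(0x42, "printer-wifi-ssid", "EXAMPLE-GUEST") + b"\x03")
```
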
This discussion has been archived. No new comments can be posted.

  • ... don't expose your network printers to the internet?

    • Re: (Score:3, Informative)

      by Solandri ( 704621 )
      Would that I could. A lot of network printers come with it enabled by default (partly the fault of Android not supporting printer drivers, so printer manufacturers had to get creative to allow you to print from your phone). I disabled it on my HP specifically because I never use it and don't want it. But every update seems to re-enable it, to the point where I've just given up disabling it (as there seems to be no way to disable the updates). I've also noticed some WiFi printers even create their own hot
      • by gweihir ( 88907 )

        Put a firewall in. Don't trust consumer devices in any way.

    • The difference between IPP and the multiple other printer management protocols is that IPP is a secure protocol that supports advanced features such as access control lists, authentication, and encrypted communications.

      IPP is an allegedly secure protocol. Windows has all of that too and yet gets pwned regularly. IPP in practice, as opposed to in whitepapers, is even less secure than Windows is.

    • by gweihir ( 88907 )

      ... don't expose your network printers to the internet?

      Naa, that would be a sign of some minimal understanding and sanity. Modern users want no-understanding, no-insight in their deployment of internet enabled hardware! After all they are the customers and what they want counts!

  • I can't figure out how that many printers are assigned a public address. uPNP?

    • The other weird part is that close to half of the printers identified were in South Korea. It's certainly not a surprise that South Korea was better represented than raw population value would suggest, it takes a level of wealth and internet access to have a lot of public facing garbage (especially IPv4 and printers; people whose only contact with the internet is on NATed or IPv6 only cellphones aren't going to have a lot of exposed IPP); but there's still a lot of wealthy industrialized world out there.

      C
      • So many ipv4 blocks per person [wikipedia.org] that they generally don't use NAT? Just guessing.
      • by Z00L00K ( 682162 )

        I don't think this will be resolved unless there's a huge spam flood coming out of these printers where penis enlargement pills and other obnoxious stuff are printed.

        • Honestly, that's the optimistic outcome. Using a public-facing and almost certainly other than totally secure printer as a jump box into the internal network is much less visible; but vastly more dangerous.

          Even people who don't let them hang out on the public internet frequently don't update them or wall them off from the rest of the network; and most of the networked ones have shoddy firmware and are smart enough to at least pass malice through, in many cases to host it directly; and unless the network
  • Ew. Ew.

    Nobody wants to see your IPP port man.

  • Another "feature" that should default to being unusable until someone you can blame for it makes it work.

  • Connecting a printer that's on a LAN to the Internet is a bad idea. Unless the manufacturer is constantly updating the printer with security patches, and somebody is regularly applying those patches, a printer is a huge hole right into a LAN. All of our company's printers get a fake gateway IP address to keep them off of the Net for the sake of safety.

    And the question stands... WHY connect a printer to the Internet? A printer is a physical device that somebody has to physically stand next to in ord
    • A printer is a physical device that somebody has to physically stand next to in order to receive whatever is printed.

      Or, you know, FAX machines still exist, remember those?

      Security is hard. And once ipv6 is standard and everywhere the problem will only grow.

    • by AmiMoJo ( 196126 )

      It's likely a misconfiguration. Accidentally got added to the DMZ or maybe someone was trying to get it to print from the other office and wrote a bad firewall rule.

    • "WHY connect a printer to the Internet?"

      All fancy pants printers (especially multifunction devices) come with internet printing functionality these days so that you can print to your LAN printer from your cellular internet or what have you. I don't see the appeal myself but it's super duper common.

      I'm a firewall (default deny) believer myself. If I want a hole, I'll open it.

  • by aaarrrgggh ( 9205 ) on Tuesday June 23, 2020 @09:16PM (#60220106)

    Seriously... what do you do for firewall rules today?

    In the IPv4 world I would set devices that do not normally require external connections to a WAN_Deny group, and disable it if I needed to... but with IPv6 and a /64 prefix delegation (=no VLANs on internal network) there is no real means to block devices from the internet. I put some things on an IPv4-only VLAN without external access, but that gets tricky with many things and IGMP-Proxy has some limits.

    Surely there is a better way...?

    • I'm pretty sure my firewall's default is not to forward IPP ports through the NAT. I'd have to go to extra effort to make this happen.

      • uPnP does some unexpected things. Most firewalls are just stateful, and there are plenty of ways around that if an internal device initiates connections.

        • by Z00L00K ( 682162 )

          uPnP must die!

          I'm not sure who thought it was ever a good idea, but from my perspective it's one of the more dangerous protocols out there.

          • Yeah... I have my router block it, but then a lot of these things shift to using cloud agents to maintain and broker an external connection.

            • ick. luckily the junky router Comcast didn't have it enabled. I ended up putting OpenWrt on top of that for other reasons (manage my own WiFi network instead of let Comcast do it)

            • by nnull ( 1148259 )
              This is why I started using VLANs everywhere and just completely block these devices from accessing the internet in the first place.
        • by Miser ( 36591 )

          Who leaves uPnP turned on today?

    • by gweihir ( 88907 )

      Default-drop and open only the things needed. No automation.

      You know, I have long since observed that professional firewalls come with default-drop, while consumer trash comes with default-accept.

    • Yes there is: your v6 still goes through a router and you can still do any firewalling you like in exactly the same way you do it in v4.

      • Host address randomization makes that a little hard. You can do it with DHCP but that is really a kludge... and some hosts do not necessarily respect it.

        • Ah, right -- and VLANs would be one way to group devices into security groups. This is one of the reasons why /56 is the minimum that any user should be able to get from their ISP.

          For directly-connected segments, you can identify devices based on MAC address.

  • It needs a catchy name, like Heartbleed and Meltdown. Maybe IPP Freely?

  • I was an early adopter for RoadRunner and after setting it up myself with the 'installer' watching me (no clue what he was doing), I did a ping sweep of my subnet to see who else may be on in the neighborhood. Found a Windows computer without a firewall and shares openly available, including their printer. So I connected to their printer, with Windows faithfully downloading the drivers, and typed a brief letter stating how they were exposed and what they needed to do. And printed it. On their printer.

  • Let's gooooooo
