OMG PRINTER HACKING

Published On: December 3rd, 2018

Massive Printer “Hack” in the News

Over the weekend, news of a massive printer “hack” broke, resulting in a message being printed out on thousands of printers worldwide. This was the result of @HackerGiraffe, who was intending to use this as an opportunity to raise awareness of printer security. This was a very sophisticated attack (*sarcasm*), requiring the following chain of events that only the most qualified computer hackers would be able to accomplish:

If you haven’t yet picked up on my sarcasm, this isn’t really a hack at all – it’s simply exploiting a publicly available service, and having it do exactly what it is designed to do. There are no 0-day exploits or remote code execution vulnerabilities in play at all. In fact, this type of attack is even being offered as a “service”.

I’ve been talking about this topic for years, and figured this was as good of an opportunity as any to share some thoughts on printer security and what can be done to prevent this sort of thing from happening in the future.

Printers, webcams, IoT light switches – they’re all the same

With the explosion of Internet connected everythings, we’ve seen a massive increase in the amount of “stuff” that gets connected to the Internet. All of these devices have one thing in common: they’re embedded devices. Whenever you connect any sort of device to your network or the Internet, think of it like a printer – many of the techniques I’ll be talking about below are applicable to these devices as well.

But, that all said, printers are particularly evil. Why?

A printer is basically another server on your network. It offers a variety of network services, such as a web server, the printing service, SNMP, and, in some cases, even local data storage.

Copy machines are even worse – in many cases, they’re keeping a digital copy of everything they scan or print on an internal hard drive. And this is often something that is accessible over the network by an attacker or ignored when the device reaches the end of its usable life.

Generally, authentication on a printer is very limited – the web interface may have an administrative login, but all too often this is completely ignored as well. The actual access to the printer itself is almost always completely unrestricted, allowing printing by anyone with network access (or Internet access, if the network that the printer is connected to is publicly available).

This allows for an incident like the one described above to be easily executed, since there are literally thousands of printers publicly available on the Internet right now.

This isn’t purely a printer problem

We’ve known about printer security concerns for years: 10 years ago, as a competitor in the Northeast CCDC regional, I was tasked with setting up a networked printer as a business inject, and many teams were lucky enough to get hundreds of unwanted pages printed by the red team, usually thanks to @armitagehacker (full disclosure – our printer was not successfully used by the red team during this event, and I was “the printer guy” ever since).

But I want to emphasize that this isn’t just a printer problem. It seems like every few months a new news article comes out about something bad happening to some embedded device.

A few examples:

I could go on and on and on. Even articles about hackers using printers to burn down your office have appeared before, SEVEN YEARS AGO.

But clearly we haven’t done anything about it.

Try this at home (or at work, with permission of course)

If you are on a network with a printer (a printer that you own or have permission from the printer’s owner to scan), run the following NMAP scan to see what’s available.


Your printer will probably spit out some random pages, and your NMAP scan will identify a list of ports, which might include the following, among others:

  • TCP/80
  • TCP/139
  • TCP/445
  • TCP/515
  • TCP/9100

To print something, if Port 9100 is available, simply open a telnet session to the printer’s IP (telnet <ip address> 9100) and start typing. When you close your session, whatever you typed will print out. This technique can also be used on some HP printers to change the LCD text:

There’s a good chance that if you have a networked printer, you’ll easily be able to do any of this. If this networked printer is on a network with unrestricted Internet access, there’s a good chance anyone in the world can do any of this (or you might have been one of the 50,000 targets of the 11/30 incident).

So, how do we protect these devices?

This incident, like many things in security, drives home the importance of proper configuration. A printer should be treated like any other server on the network, and configured appropriately to prevent these sorts of issues from happening.

These are some of my recommendations:

Segment your printers.

Segmenting your printers from the rest of the network, and managing printing via a print server, has several benefits:

  • Many attacks directly against the printers will be significantly mitigated. The print server will function as an application firewall for printing, and many attacks relying on invalid/malformed print jobs will not be successful.
  • This allows for printing to be better tracked and even authenticated. With printers being a fairly common mechanism for data exfiltration of sensitive information, being able to track this is important (also, it’s way easier to get printing data in Splunk for tracking when this is done).
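As an added example (not code from the original post) of the tracking that a print server makes possible, the script below parses a print server's page log and flags jobs that look like bulk exfiltration or that came from an unexpected source host. It assumes the CUPS default page_log line format and uses a constructed sample log with hypothetical hosts and job names.

```python
import re

# Assumed CUPS-style page_log format (one line per printed page):
# printer user job-id [timestamp] page-number copies billing host job-name media sides
LINE_RE = re.compile(
    r"^(?P<printer>\S+) (?P<user>\S+) (?P<job>\d+) \[(?P<ts>[^\]]+)\] "
    r"(?P<page>\d+) (?P<copies>\d+) (?P<billing>\S+) (?P<host>\S+) (?P<name>\S+)"
)

# Constructed sample log: a normal two-page job, a 120-page after-hours job,
# and a job submitted from an address that is not a known workstation.
SAMPLE_LOG = [
    "LJ4 alice 101 [03/Dec/2018:09:12:01 -0500] 1 1 - ws-alice Q4_report.pdf na_letter_8.5x11in one-sided",
    "LJ4 alice 101 [03/Dec/2018:09:12:02 -0500] 2 1 - ws-alice Q4_report.pdf na_letter_8.5x11in one-sided",
    "LJ4 bob 102 [03/Dec/2018:22:40:10 -0500] 1 60 - ws-bob customer_list.csv na_letter_8.5x11in one-sided",
    "LJ4 bob 102 [03/Dec/2018:22:40:12 -0500] 2 60 - ws-bob customer_list.csv na_letter_8.5x11in one-sided",
    "LJ4 guest 103 [03/Dec/2018:23:05:44 -0500] 1 1 - 203.0.113.7 stdin na_letter_8.5x11in one-sided",
    "this line is garbage and must be skipped",
]

def parse_page_log(lines):
    """Aggregate page_log lines into per-job records keyed by (printer, job-id)."""
    jobs = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the whole run
        rec = jobs.setdefault((m["printer"], int(m["job"])),
                              {"user": m["user"], "host": m["host"], "name": m["name"], "pages": 0})
        rec["pages"] += int(m["copies"])  # each line is one page, multiplied by copies
    return jobs

def suspicious_jobs(jobs, known_hosts, max_pages=100):
    """Return (printer, job-id, reason) for jobs that exceed the page threshold
    or originate from a host that is not a known workstation / print client."""
    alerts = []
    for (printer, job), rec in sorted(jobs.items()):
        if rec["pages"] > max_pages:
            alerts.append((printer, job, f"{rec['pages']} pages of {rec['name']} by {rec['user']}"))
        if rec["host"] not in known_hosts:
            alerts.append((printer, job, f"unknown source host {rec['host']}"))
    return alerts

if __name__ == "__main__":
    for printer, job, reason in suspicious_jobs(parse_page_log(SAMPLE_LOG), {"ws-alice", "ws-bob"}):
        print(f"ALERT {printer} job {job}: {reason}")
```

The same aggregation is what you would feed into Splunk; the thresholds and the known-host list are the policy knobs to tune per environment.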

Beware of default enabled services.

Many printers have tons of protocols and services turned on that aren’t needed for most use cases.

Remember patching.

Include printers in your patching cycle. Firmware updates are occasionally released for these devices and often address significant security issues, such as remote unsigned firmware upgrades.

Establish a configuration baseline.

It’s important to establish a configuration baseline for all network devices, including printers. Ensure that these baselines address common security issues, such as controlling access to the management interface and restricting administrative access. Many printers allow for limiting management access to a specific subnet, for example.

If you’re following the recommendation above and segmenting your printers anyway, these two layers together go a long way toward reducing the available attack surface, even if the devices can’t be secured very well otherwise.
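To turn the baseline into something you can check, and to put the port list from the “Try this at home” section to defensive use, here is an added example (not from the original post) that probes a printer you own from a given host and reports every service reachable from a source the baseline does not allow. The baseline addresses, the print server and management subnet are hypothetical placeholders.

```python
import ipaddress
import socket

# Services the post lists as commonly exposed by printers (port -> name).
PRINTER_PORTS = {80: "web UI", 139: "NetBIOS", 445: "SMB",
                 515: "LPD", 9100: "raw/JetDirect"}

# Constructed baseline (hypothetical addresses): only the print server may
# submit jobs, only the management subnet may reach the web UI, and the
# SMB/NetBIOS services are expected to be disabled entirely.
BASELINE = {
    80:   ["10.0.50.0/24"],   # management subnet
    515:  ["10.0.10.5/32"],   # print server
    9100: ["10.0.10.5/32"],   # print server
    139:  [],                 # nobody: service should be off
    445:  [],
}

def probe(host, ports, timeout=1.0):
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    reachable = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.add(port)
        except OSError:
            pass
    return reachable

def violations(source_ip, reachable, baseline=BASELINE):
    """Return (port, service) pairs reachable from `source_ip` that the baseline
    does not allow for that source. A reachable port absent from the baseline is
    also a deviation, since the baseline should enumerate every enabled service."""
    src = ipaddress.ip_address(source_ip)
    found = []
    for port in sorted(reachable):
        allowed = baseline.get(port, [])
        if not any(src in ipaddress.ip_network(net) for net in allowed):
            found.append((port, PRINTER_PORTS.get(port, "not in baseline")))
    return found

if __name__ == "__main__":
    import sys
    printer, me = sys.argv[1], sys.argv[2]   # printer IP, this host's own IP
    for port, svc in violations(me, probe(printer, PRINTER_PORTS)):
        print(f"{printer}:{port} ({svc}) reachable from {me}, not allowed by baseline")
```

Run it from several vantage points (a user VLAN, the management subnet, the print server) and every run should come back empty; anything else is a segmentation or configuration gap to fix.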

Do NOT directly connect your printers to the Internet. 

This goes without saying, but apparently needs to be said again. No one should be able to access your printer’s web interface, or printing ports, publicly without authentication. If your remote users need to print, for whatever reason, use some sort of VPN solution (or another approach that isn’t usable by anyone in the world) to make this happen.

Extending this to IoT

As already mentioned, printers are far from unique when it comes to embedded devices with security issues. With the explosion of Internet connected devices, these sorts of issues will continue to exist. That said, there are still some steps that can be taken to reduce the likelihood of these devices being used for evil:

Ensure segmentation across your embedded devices.

Same as above – separate your embedded devices from the rest of your network. Assume that they are untrusted and compromised.

Beware of default credentials and configurations.

Some of these can be changed, but some devices have embedded accounts that cannot be disabled by the end user. In these cases, restricting access (or simply choosing a different device) may be the only option.

Remember to apply firmware updates.

Be sure to apply these when they are available. There are many examples of very horrible security issues that have been identified in various IoT devices which are resolved via firmware updates.

Be cautious of convenience vs. security.

Devices that allow us remote access to something can often sacrifice security for the sake of convenience, ease of installation, or usability. Be vigilant when it comes to enabling remote access, and assume that anything you can do remotely is also something that could potentially be exploited by a malicious user.

Conclusion

While this article is long overdue, I hope it helps drive home the importance of securing your printers (and other embedded/IoT devices). Unfortunately, I don’t expect this topic to stop being relevant any time soon, but hopefully, we’ll see less news about printers being used by random people at some point in the future.


About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.
