Hundreds of thousands of printers were “pwnd” last week to show owners how insecure they are and that some can join botnets to assist in DDoS attacks.
The issue is that port 9100 is often left open to external Internet connections to allow firmware updates and Web printing. It is not known just how many printer makes and models are affected, but a table at the end of this article lists 20 commercial printers that have been tested with the PRinter Exploitation Toolkit (PRET).
Hacker Stackoverflowin told Bleeping Computer that his script targeted printing devices that have IPP (Internet Printing Protocol) ports, LPD (Line Printer Daemon) ports, and port 9100 left open to external connections. That is just about every current printer.
The fully automated script (that means it can run forever) also includes an exploit that uses a remote code execution vulnerability to target Dell Xeon printers. “This allowed me to inject PostScript and invoke rogue jobs,” Stackoverflowin said about the RCE vulnerability's role.
Stackoverflowin is a grey-hat hacker (a mix of good and bad – percentages subject to change without notice) and he just wanted to raise awareness about the dangers of leaving printers exposed online without a firewall or other security settings enabled.
Users reported multiple printer models as affected. The list includes brands such as Aficio (Ricoh), Brother, Canon, Epson, HP, Lexmark, Konica Minolta, Oki, and Samsung.
The research paper SoK: Exploiting Network Printers stated:
- Even though many proof-of-concept attacks and techniques are known for years, the according countermeasures have not been implemented, leaving the devices and systems vulnerable.
- There is no research or document summarising all existing attacks. More important, there is no general methodology describing how a security evaluation on printers can be done.
- Classification of the existing attacker models relevant for printers is missing.
- There are no tools capable of the security evaluation of printers.
In part, the printers are vulnerable because they are exposed to the internet, but in part it is because most use PostScript or PDL (page description language) interpreters that control not only fonts and graphics but also the printer's central processing unit.
HP has recently protected the BIOS and includes a self-healing function, but even that will not prevent port 9100 attacks on networked (that is, Ethernet-wired or Wi-Fi) printers. Printers connected directly via USB with printer sharing disabled are fine.
At present it is advised to close port 9100 for networked printers and change passwords.
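To confirm whether printing ports are actually being reached from outside, a gateway log review along these lines can help. This is an added example, not code from the article or from any tool it mentions. The log lines, the 192.168.1.0/24 network and the function names are constructed assumptions; 515 and 631 are the standard LPD and IPP ports.

```python
import ipaddress
import re
from collections import defaultdict

# 9100 is named in the article; 515 (LPD) and 631 (IPP) are the standard ports.
PRINT_PORTS = {9100: "raw", 515: "LPD", 631: "IPP"}
# Assumption: printers and LAN clients live in this network.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in netfilter LOG key=value style (documentation addresses).
SAMPLE_LOG = """\
Feb  6 10:14:02 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.50 PROTO=TCP SPT=51544 DPT=9100
Feb  6 10:14:09 gw kernel: IN=eth1 OUT=eth1 SRC=192.168.1.23 DST=192.168.1.50 PROTO=TCP SPT=40210 DPT=9100
Feb  6 10:15:30 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.22 DST=192.168.1.50 PROTO=TCP SPT=33012 DPT=631
Feb  6 10:16:41 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.51 PROTO=TCP SPT=51610 DPT=515
Feb  6 10:17:05 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.60 PROTO=TCP SPT=44100 DPT=443
malformed line without fields
"""

def is_internal(addr, nets):
    return any(addr in net for net in nets)

def external_print_hits(log_text, internal_nets=INTERNAL_NETS):
    """Return {printer_ip: {port: set(external source IPs)}} for print-port traffic."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            port = int(f["DPT"])
        except (KeyError, ValueError):
            continue  # not a connection record
        if f.get("PROTO") != "TCP" or port not in PRINT_PORTS:
            continue
        if is_internal(src, internal_nets) or not is_internal(dst, internal_nets):
            continue  # keep only outside-to-inside traffic
        hits[str(dst)][port].add(str(src))
    return {printer: dict(ports) for printer, ports in hits.items()}

def report(hits):
    return [f"{printer} {PRINT_PORTS[port]} (tcp/{port}) reached from {', '.join(sorted(srcs))}"
            for printer in sorted(hits)
            for port, srcs in sorted(hits[printer].items())]

if __name__ == "__main__":
    print("\n".join(report(external_print_hits(SAMPLE_LOG))))
```

Any printer that appears in the report has a print port reachable from outside the local network and is a candidate for the port closure advised above.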