Pierluigi Paganini June 23, 2020

Experts found tens of thousands of printers that are exposed online that are leaking device names, organization names, WiFi SSIDs, and other info.

It’s not a mystery, a printer left exposed online without proper security could open the doors to hackers, now researchers from Shadowserver Foundation have discovered tens of thousands of printers that are exposed online that are leaking information.

The Shadowserver Foundation is a nonprofit security organization working altruistically behind the scenes to make the Internet more secure for everyone.

Shadowserver Foundation published a report that warns of printers exposed online by organizations.

The researchers scanned the Internet for printers that are exposing their Internet Printing Protocol (IPP) port online.

The Internet Printing Protocol (IPP) is a specialized Internet protocol for communication between client devices (computers, mobile phones, tablets, etc.) and printers (or print servers). It allows clients to submit one or more print jobs to the printer or print server, and perform tasks such as querying the status of a printer, obtaining the status of print jobs, or cancelling individual print jobs.

Unlike other printer management protocols, the IPP protocol supports multiple security features, including authentication and encryption, but evidently organizations don’t use them.

However, this doesn’t mean that device owners are making use of any of these features.

Shadowserver experts discovered an average of 80,000 printers exposed online via IPP on a daily bases, they were able to query the devices for local details via the “Get-Printer-Attributes” function.

In total, experts said they usually found an average of around 80,000 printers exposing themselves online via the IPP port on a daily basis.

“We scan by sending an IPP Get-Printer-Attributes request to TCP port 631. We started regular scanning of all 4 billion routable IPv4 addresses on the 5th of June 2020 and added Open IPP reporting as part of our daily public benefit remediation network reports on the 8th of June 2020. Our IPP scans uncover around 80,000 open devices (printers) per day.” reads the report published by the researchers. “Obviously, these counts only represent devices that are not firewalled and allow direct querying over the IPv4 Internet.”

Most of the exposed printers were in South Korea, followed by the US and Taiwan.

Shadowserver researchers pointed out that these printers returned information that could be used by attackers to launch an attack. This info includes printer names, locations, models, firmware versions, organization names, and even WiFi network names.

The knowledge of the printer model could allow attackers to search for existing exploits for vulnerabilities affecting it and exploit them in an attack.

“Exposing printer devices with anonymous, publicly queryable vendor names, models and firmware versions obviously makes it much easier for attackers to locate and target populations of devices vulnerable to specific vulnerabilities.” continues the report.

It is quite easy for hackers to use tools specifically designed to hack printers such as PRET (Printer Exploitation Toolkit).

In December 2018, the TheHackerGiraffe used the Printer Exploitation Toolkit (PRET) to hijack +50k vulnerable printers to Promote PewDiePie YouTube Channel.

“We hope that the data being shared in our new open IPP device report will lead to a reduction in the number of exposed IPP-enabled printers on the Internet, as well as raise awareness of the dangers of exposing such devices to unauthenticated scanners/attackers,” concludes the report.

Pierluigi Paganini

(SecurityAffairs – hacking, printers)

[adrotate banner=”5″]

[adrotate banner=”13″]