Security researchers have warned for years that every device left online unprotected by a firewall is an attack surface.
Hackers can deploy exploits to take control of the system by force, or they can simply connect to the exposed port when no authentication is necessary.
Devices hacked in this way are sometimes enslaved in botnets with malware, or they act as initial footholds and backdoors in larger corporate networks.
Despite this being common knowledge among cyber-security and IT experts, a large number of devices are still left exposed and unsecured online.
Security experts from the Shadowserver Foundation, a non-profit organization focused on improving cyber-security practices around the world, have issued an alert, in a study published earlier this month, about businesses leaving printers exposed online.
More specifically, experts from Shadowserver scanned all four billion routable IPv4 addresses for printers that expose their IPP port.
IPP stands for “Internet Printing Protocol” and, as the name suggests, is a protocol that lets users manage internet-connected printers and send print jobs to them.
The difference between IPP and the many other printer management protocols is that IPP is a secure protocol that supports advanced features like access control lists, authentication, and encrypted communications.
This does not mean, however, that device owners use any of these features.
Shadowserver experts said they scanned the internet specifically for IPP-capable printers that were left exposed without being protected by a firewall and allowed attackers to query local details via the “Get-Printer-Attributes” function.
In total, the experts said they found an average of around 80,000 printers exposing themselves online through the IPP port on any given day.
That number is about one eighth of all IPP-capable printers currently connected to the internet: a routine search on the BinaryEdge search engine shows between 650,000 and 700,000 devices per day with their IPP port (TCP/631) reachable from the internet.
Issues involving not securing the IPP port
Leaving the IPP port completely exposed online without any additional security, such as a firewall or authentication mechanism, has some major problems.
For example, experts at Shadowserver note that this port can be used to gather intelligence, because a large percentage of IPP-capable printers returned additional information about themselves, such as printer names, locations, models, firmware versions, organization names and even WiFi network names.
Attackers can collect this information and use it to pick out the company networks on which they would like to concentrate future attacks.
In addition, roughly a quarter of the total number of IPP-capable printers (around 21,000) also revealed the details of their design and make. Researchers at Shadowserver say exposing this information “obviously makes it much easier for attackers to locate and target device populations vulnerable to specific vulnerabilities.”
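The attributes listed above are what an unauthenticated Get-Printer-Attributes query returns. The following Python, an added example rather than Shadowserver's own tooling, builds that request and parses a response in the RFC 8010 binary encoding, then reports which identifying attributes a printer volunteered, so an administrator can audit their own devices. The attribute names follow the IANA IPP registry; the sample response bytes are constructed here, and the assumption that a given vendor uses exactly these names is noted in the code.

```python
"""Build an IPP Get-Printer-Attributes request and parse the response (RFC 8010
binary encoding), reporting which identifying attributes were disclosed.
Added example for auditing one's own printers; not Shadowserver's code."""
import struct

OP_GET_PRINTER_ATTRIBUTES = 0x000B
TAG_OPERATION_ATTRS, TAG_END, TAG_PRINTER_ATTRS = 0x01, 0x03, 0x04
# Value tags from RFC 8010 section 3.5.2 (only the ones handled here).
TAG_INTEGER, TAG_BOOLEAN, TAG_ENUM = 0x21, 0x22, 0x23
TAG_TEXT, TAG_NAME, TAG_KEYWORD, TAG_URI = 0x41, 0x42, 0x44, 0x45
TAG_CHARSET, TAG_NATLANG = 0x47, 0x48
STRING_TAGS = {TAG_TEXT, TAG_NAME, TAG_KEYWORD, TAG_URI, TAG_CHARSET, TAG_NATLANG}

# Attributes the article says exposed printers volunteer. Names are taken from
# the IANA IPP registry; assumption: your vendor reports them under these names.
SENSITIVE = ("printer-name", "printer-location", "printer-make-and-model",
             "printer-firmware-name", "printer-firmware-string-version",
             "printer-organization", "printer-wifi-ssid")


def encode_attr(tag, name, values):
    """Encode one attribute; additional values carry an empty name (RFC 8010 3.1.6)."""
    out = b""
    for i, v in enumerate(values):
        payload = struct.pack(">i", v) if isinstance(v, int) else v.encode("utf-8")
        n = name.encode("utf-8") if i == 0 else b""
        out += struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(payload)) + payload
    return out


def build_get_printer_attributes(printer_uri, request_id=1):
    """IPP/2.0 request header, operation-attributes group, end-of-attributes tag."""
    head = struct.pack(">BBHI", 2, 0, OP_GET_PRINTER_ATTRIBUTES, request_id)
    body = bytes([TAG_OPERATION_ATTRS])
    body += encode_attr(TAG_CHARSET, "attributes-charset", ["utf-8"])
    body += encode_attr(TAG_NATLANG, "attributes-natural-language", ["en"])
    body += encode_attr(TAG_URI, "printer-uri", [printer_uri])
    body += encode_attr(TAG_KEYWORD, "requested-attributes", list(SENSITIVE))
    return head + body + bytes([TAG_END])


def decode_value(tag, raw):
    if tag in STRING_TAGS:
        return raw.decode("utf-8", "replace")
    if tag in (TAG_INTEGER, TAG_ENUM):
        return struct.unpack(">i", raw)[0]
    if tag == TAG_BOOLEAN:
        return raw == b"\x01"
    return raw  # dateTime, resolution, collections etc. are left as raw bytes


def parse_ipp(data):
    """Return (status-or-operation code, request-id, {group tag: {name: [values]}})."""
    _major, _minor, code, req_id = struct.unpack(">BBHI", data[:8])
    pos, groups, cur, last = 8, {}, None, None
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag < 0x10:  # delimiter tag: a new attribute group starts
            cur, last = groups.setdefault(tag, {}), None
            continue
        if cur is None:
            raise ValueError("attribute before any group delimiter")
        (nlen,) = struct.unpack(">H", data[pos:pos + 2])
        name = data[pos + 2:pos + 2 + nlen].decode("utf-8")
        pos += 2 + nlen
        (vlen,) = struct.unpack(">H", data[pos:pos + 2])
        val = decode_value(tag, data[pos + 2:pos + 2 + vlen])
        pos += 2 + vlen
        if nlen == 0:  # additional value of the previous attribute
            if last is None:
                raise ValueError("additional value without a preceding attribute")
            cur[last].append(val)
        else:
            cur[name], last = [val], name
    return code, req_id, groups


def disclosed(groups):
    """Identifying attributes present in the printer-attributes group."""
    printer = groups.get(TAG_PRINTER_ATTRS, {})
    return {k: v[0] for k, v in printer.items() if k in SENSITIVE}


# Constructed sample: what a printer left open on TCP/631 might answer.
SAMPLE_RESPONSE = (
    struct.pack(">BBHI", 2, 0, 0x0000, 1)  # status successful-ok, request-id 1
    + bytes([TAG_OPERATION_ATTRS])
    + encode_attr(TAG_CHARSET, "attributes-charset", ["utf-8"])
    + encode_attr(TAG_NATLANG, "attributes-natural-language", ["en"])
    + bytes([TAG_PRINTER_ATTRS])
    + encode_attr(TAG_NAME, "printer-name", ["ACME-3rdFloor"])
    + encode_attr(TAG_TEXT, "printer-location", ["HQ, 3rd floor, finance"])
    + encode_attr(TAG_TEXT, "printer-make-and-model", ["ExampleCorp LaserJet X1"])
    + encode_attr(TAG_TEXT, "printer-firmware-string-version", ["1.2.3"])
    + encode_attr(TAG_NAME, "printer-wifi-ssid", ["ACME-Corp-WiFi"])
    + encode_attr(TAG_INTEGER, "queued-job-count", [0])
    + bytes([TAG_END])
)

if __name__ == "__main__":
    _code, _rid, groups = parse_ipp(SAMPLE_RESPONSE)
    for attr, value in disclosed(groups).items():
        print(f"{attr}: {value}")
```

To audit a printer you administer, the request bytes are sent as the body of an HTTP POST with Content-Type application/ipp to the printer's IPP endpoint on port 631 (CUPS ships ipptool, which does the same with a test file); the reply bytes go to parse_ipp, and anything disclosed() reports is information the device hands to anyone who can reach the port.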
To make matters worse, IPP hacking tools are also readily available online. Tools such as PRET (Printer Manipulation Toolkit) support IPP and have been used in the past to hijack printers and force them to print various propaganda messages. The same toolkit could also be used for far worse, such as completely taking over vulnerable devices.
Free daily IPP report
The Shadowserver Foundation says it plans to publish daily IPP exposure reports on its website.
“We hope that the data shared in our new open IPP device report will lead to a reduction in the number of exposed IPP-enabled printers on the Internet, as well as raising awareness of the dangers of exposing such devices to unauthenticated scanners / attackers,” the organization said in a report released this month.
Companies and national CERT teams that subscribe to the organization’s security alerts will receive automatic notifications when any IPP services are found exposed online within their networks or within their countries’ IP address space.
However, the Shadowserver Project, which has developed quite a following in the infosec world for its work combating and sinkholing botnets, says businesses should look into protecting their printers before they are exploited.
“A lot of people are unlikely to have to make such a printer accessible to everyone,” the organization said. “These computers should be firewalled and/or equipped with an authentication mechanism.”
The proactive advice given by the Shadowserver Foundation for dealing with internet-exposed devices is consistent with the findings of last year’s academic study, which found that DDoS takedowns are usually ineffective and that law enforcement should focus on patching systems to limit the usefulness of an attack vector to an attacker.
Users are advised to review their printer manuals to configure IPP access control and IPP authentication features. Most printers have an IPP configuration section in their administration panel from which users can enable authentication and encryption and limit access to the device via access lists.
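For a CUPS server, the common IPP implementation on Linux and macOS, the same three controls live in cupsd.conf: where the service listens, which sources each Location admits, and whether authentication and TLS are required. The following Python is an added example, not from the article or the CUPS project: it holds a constructed permissive configuration beside its hardened counterpart and audits either one for the weak patterns. The directive names (Listen, Port, DefaultEncryption, Location, Allow, AuthType, Require, Encryption) are real cupsd.conf directives; the checker deliberately simplifies CUPS's Order/Deny evaluation and treats any "Allow all" as a finding, which is an assumption noted in the code.

```python
"""Audit a cupsd.conf for the weaknesses the article warns about: IPP port
reachable from anywhere, no authentication, no encryption. Added example;
both configurations below are constructed, not taken from a real system."""
import re

# Constructed: a permissive cupsd.conf, i.e. "printer accessible to everyone".
WEAK_CONF = """
Listen *:631
DefaultEncryption IfRequested
<Location />
  Order allow,deny
  Allow all
</Location>
<Location /admin>
  Order allow,deny
  Allow all
</Location>
"""

# Constructed: hardened equivalent (loopback plus one internal address, local
# subnet only, admin pages need a system account, TLS required).
HARDENED_CONF = """
Listen localhost:631
Listen 10.0.5.20:631
DefaultEncryption Required
<Location />
  Order allow,deny
  Allow @LOCAL
  Encryption Required
</Location>
<Location /admin>
  Order allow,deny
  Allow @LOCAL
  AuthType Default
  Require user @SYSTEM
  Encryption Required
</Location>
"""


def parse_cupsd(text):
    """Return (global directives, {location path: directives}); keys lowercased,
    values kept as lists because directives such as Listen may repeat."""
    globals_, locations, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)>", line, re.I)
        if m:
            cur = locations.setdefault(m.group(1), {})
            continue
        if line.lower() == "</location>":
            cur = None
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        (globals_ if cur is None else cur).setdefault(key, []).append(val)
    return globals_, locations


def audit(text):
    """List of findings; an empty list means none of the weak patterns appeared."""
    g, locs = parse_cupsd(text)
    findings = []
    for listen in g.get("listen", []):
        host = listen.rsplit(":", 1)[0] if ":" in listen else listen
        if host in ("*", "0.0.0.0", "[::]"):
            findings.append(f"Listen {listen}: IPP port bound on every interface")
    if g.get("port"):
        findings.append(f"Port {g['port'][0]}: binds every interface; prefer Listen with an address")
    if g.get("defaultencryption", ["IfRequested"])[0].lower() != "required":
        findings.append("DefaultEncryption is not Required: clients may use plaintext IPP")
    for path, d in locs.items():
        # Assumption: Order/Deny interplay ignored; any 'Allow all' is flagged.
        if "all" in [a.lower() for a in d.get("allow", [])]:
            findings.append(f"<Location {path}>: 'Allow all' admits any source address")
        if path.startswith("/admin") and "authtype" not in d:
            findings.append(f"<Location {path}>: admin interface without AuthType")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for f in audit(conf):
            print("  -", f)
```

Run against the real file (on most systems /etc/cups/cupsd.conf) the checker reports the same five classes of problem it finds in WEAK_CONF; an empty list, as for HARDENED_CONF, means the server listens only where intended, restricts sources per Location, requires a system account for the admin pages and refuses plaintext connections.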