Nearly 80,000 Printers Are Exposed to Malicious Attacks Daily, New Research Shows

An average of 80,000 printers are exposed online via IPP (Internet Printing Protocol) daily, according to a new study from the Shadowserver Foundation.

The non-profit security organization, which has been participating in the Connecting Europe Facility funded project named VARIoT (Vulnerability and Attack Repository for IoT) since July 2019, aims to expand its “Internet wide daily port scanning capability,” creating new services that will provide security-related actionable information about IoT devices.

On June 5, the company began the official scanning of “all 4 billion routable IPv4 addresses for publicly accessible MQTT (Message Queuing Telemetry Transport) broker services enabled on port 1883/TCP,” revealing some alarming security flaws that leave tens of thousands of printers exposed to attacks that could steal information, disrupt services, and even allow remote code execution.

“The goal of the MQTT scanning is to identify not just MQTT brokers exposed on the IPv4 internet, but in particular, MQTT instances that have no authentication enabled – allowing the broker to be anonymously accessed by anyone,” the researchers said. “This could mean that MQTT messages may be read, or potentially even published by a remote attacker. Additionally, as the MQTT service on port 1883/TCP is unencrypted, even user/password protected instances can still lead to data leakage if an attacker can observe the network traffic.”

The top countries with exposed IPP service are South Korea (36.300), the United States (7.900), Taiwan (6.700) and France (2.800). Making matters worse, the scan also revealed that a large percentage of exposed services were returning additional printer information such as printer names, locations, models, firmware versions, organizational units and printer wifi ssids.

“Exposing printer devices with anonymous, publicly queryable vendor names, models and firmware versions obviously makes it much easier for attackers to locate and target populations of devices vulnerable to specific vulnerabilities,” the researchers warned. “It is unlikely that many people need to make such a printer accessible to everyone – these devices should be firewalled and/or have an authentication mechanism enabled.”

The analysis of a June 7 scan reveals 21,875 entries containing the printer make and model attribute values.  Among the most famous printer brands, Samsung and HP stand out.

VARIoT also shared some tips that organizations can use to minimize the exposure of their devices, including enabling authentication of clients, firewalling to restricted clients only, and enabling the broker on the SSL/TLS aware service on port 8883/TCP instead.

Add Comment

Your email address will not be published. Required fields are marked *