Experts from the non-profit organization Shadowserver Foundation posted a warning, where once again they recommended companies not to leave printers accessible via the Internet for everyone.
For their research, experts scanned four billion IPv4 addresses looking for printers with an open IPP (Internet Printing Protocol) port. As the name implies, this protocol allows users to manage printers connected to the Internet and remotely send them print jobs.
The difference between IPP and many other printer management protocols is that IPP is a secure protocol that supports access control lists, authentication, and encrypted connections. But, unfortunately, this does not guarantee that device owners will actually use any of these features.
According to the Shadowserver Foundation, they specifically searched the Internet for IPP-enabled printers, but without firewall protection that would allow attackers to request local data using the Get-Printer-Attributes function.
According to experts, as a rule, every day they find about 80,000 printers available online through the IPP port. This number is approximately one-eighth of the total number of IPP-enabled printers connected to the Internet. In conventional scanning using the BinaryEdge search engine, between 650,000 and 700,000 devices with an available IPP port (TCP / 631) are detected daily on the network.
With open IPP ports (without a firewall and authentication) there are several problems. So, this port can be used to collect information. Many IPP-enabled printers are willing to provide additional information about themselves, including the device name, location information, model, firmware version, organization name, and even a Wi-Fi SSID. Researchers warn that attackers can collect such information and then use it to search for corporate networks for future attacks.
In addition, about a quarter of the total number of IPP printers (about 21,000) also provide information on their brand and model. The disclosure of such information can greatly facilitate the process of discovering groups of specific devices that are vulnerable to certain problems.
Tools for hacking printers through IPP are not at all difficult to find on the network. Solutions such as open source PRET (Printer Exploitation Toolkit) in the past have already been used for mass hacking of printers, after which they were ordered to print arbitrary messages. Moreover, in theory, the toolkit can be applied to more serious attacks, for example, to completely seize control of vulnerable devices.
Shadowserver Foundation specialists plan to publish daily reports on devices available through IPP on your site. They hope this helps draw attention to the problem and ultimately leads to a reduction in the number of IPP-enabled public printers.