I'm waiting for the great network printer security apocalypse. A bunch of these things are in a great position to turn around and launch attacks on the "chewy on the inside" networks of so many companies. Maybe this has already happened.
My printer has a dumb little print server running an embedded flavor of Linux and a publicly known hard-coded (!) root password. While mine is going to the slag heap sooner or later for that and several other fundamental problems, you can guess that many many more of them are out there just waiting to be taken for a ride.
These dumb little boxes may be underpowered, but once you get inside and set them up to forward packets for you, their raw CPU speed becomes less of an issue. You can run all of the fun attacks from a "real" machine and just let it bounce you to the inside world.
My very first criminal act of hacking as a teenager was gaining access to a printer somewhere in Spain, by which I had limited access to the rest of the network but I was too dumb to understand what to do.
So yeah, printers at least were a big gaping hole in the late 90s and early 00s.
Many, perhaps most network-connected printers, NAS units, and other devices (e.g., home-automation hardware) simply assume that the local network they connect to will be securely protected from external attack, so they're not configured to withstand even the simplest of attacks.
This is exactly the opposite of what many security experts recommend: ideally all devices should be secure regardless of whether the network they're on is secure or not. With more and more devices offering remote-Internet-access functionality every day, this principle of security is becoming ever more fundamental.
Bruce Schneier's personal WiFi network at home is fully open, because -- in his own words: "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."[1]
Like rachelbythebay, I'm also waiting for the great network printer security apocalypse.[2]
UPDATE: Just for the heck of it, I ran a fairly fast scan (nmap -T4 -A -v -PE [IP address]) on an HP all-in-one printer accessible over my LAN, and there were a LOT of open ports -- see pasted results below. I then pointed my browser to port 9100 on the printer, which instantly printed the HTTP headers without complaint. The printer's configuration page reports that it is "secured" by an administrative password.
PORT STATE SERVICE VERSION
80/tcp open http HP PhotoSmart/Deskjet printer http config (Virata embedded httpd 6_0_1)
139/tcp open netbios-ssn?
6839/tcp open tcpwrapped
7435/tcp open tcpwrapped
8089/tcp open tcpwrapped
9100/tcp open jetdirect?
9101/tcp open jetdirect?
9102/tcp open jetdirect?
9110/tcp open unknown
9220/tcp open hp-gsg HP Generic Scan Gateway 1.0
9290/tcp open hp-gsg IEEE 1284.4 scan peripheral gateway
9500/tcp open unknown
--allports (Don't exclude any ports from version detection) .
By default, Nmap version detection skips TCP port 9100 because some
printers simply print anything sent to that port, leading to dozens
of pages of HTTP GET requests, binary SSL session requests, etc.
This behavior can be changed by modifying or removing the Exclude
directive in nmap-service-probes, or you can specify --allports to
scan all ports regardless of any Exclude directive.
PS I think the "-A" and "-T4" are redundant. I think aggressive mode sets the timing to 4 among other things.
dfc: running nmap with "--allports" could make the printer waste a lot of paper, so I won't do it. (FWIW, by pointing my browser to the jetdirect port, I was able to control the timing of the http request with more precision and cancel printing immediately after the first page came out.)
PS. No, I was not trying to replicate what happened -- just trying to get a quick sense of how many ports are open. Sorry for the misunderstanding.
Did you read what I posted? The man page excerpt that I included specifically mentions weird printer behavior.
When you posted the nmap scan report I thought you were trying to replicate what had happened. Otherwise it's not really news that print devices have a lot of ports open.
In order to not waste paper you can just have one or two sheets in the tray...
Unfortunately, trying to secure your hardware is a lesson in frustration and ruins the whole experience.
This is because every device acts confused, hangs or produces cryptic errors when facing denied access; restricted resources prevent you from understanding why the access was denied and how to open it; changes in network topology lead to problems that are only stumbled over much later; and it's extremely hostile to guests who spend half an hour trying to configure.
A friend of mine over here recently discovered that a certain printer manufacturer (very big one) had a complete SNMP service that runs on all the printers - they aren't protected and you can run any command on it. You can even tell the printer to download, load, and reboot with custom firmware. Amongst many other yucky things.
Especially with the development of IPv6, internal routing becomes transparent and the appearance of protection offered by NAT is gone. Possibly these printers have all been assigned publicly reachable IPv6 addresses.
It isn't an "appearance" of protection. NAT is the best thing to happen to security for home networks since their inception. The push to remove it with IPv6 and to force home users who don't care about these things to put their entire home network directly on the Internet is going to wreak havoc.
The security comes from the stateful firewall, not from the NAT. In all likelihood, IPv6-supporting home routers will ship with a stateful firewall enabled by default.
The stateful firewall is there because it is necessary for NAT. If it weren't necessary for NAT, consumers would not bother with it. Customers buy the router with the firewall to hook up multiple computers, they don't care about the security. You could argue that they should hire a security consultant to educate them on the need for a stateful firewall when setting up their home network, but you would be smoking crack.
> In all likelihood, IPv6-supporting home routers will ship with a stateful firewall enabled by default.
My thinking is router manufacturers will probably not do this. Because if you don't have a firewall and expose all your computers to the Internet via IPv6, Everything Just Works (assuming the rest of the world uses IPv6, which will be a close approximation to the truth in the future world we're talking about). Which means those insecure routers will have a better user experience for the vast majority of people in the market, who don't have a clue about networking and would rather gouge their eyes out than learn about it.
Routers currently don't do this for IPv4 for a good and simple reason: When you're assigned a single public IP by your ISP, there's no way to automagically tell which host is supposed to receive an inbound connection.
The "good" news (from a security standpoint) is that the most clueless will probably be using IPv4 for a long time to come, helped along in their foot-dragging by the eventual release of IPv4 space by early adopters of IPv6-only.
I don't think so - putting "WITH FIREWALL" and "SHIELDS YOU FROM EVIL" will cost manufacturers maybe a few cents and is almost guaranteed to boost sales.
And for services running behind that router there'll probably be some kind of PNP port opening (so there can be "PLAY WITH FRIENDS EASILY" next to those other stickers)
You can't be seriously claiming that someone is port scanning my /48 that I've had since the early 00s? Over a typical slow internet connection that would take rather a long time to find my printer. Let's say you slammed my couple megabit cablemodem with a million address probes per second (yes I'm well aware that's impossibly high). It would only take you 38 billion years of continuous scanning to find my printer. I'll even give you credit that most people are using just a couple (obvious) /64 inside their /48. Assuming my math is correct it would take a mere half a million years per /64, so figure a couple million years and you'll own my home LAN...
As soon as some random website's PHP script publishes your IPv6 address, there goes your security.
Assuming your IP address will remain secret seems naive.
Also, this assumes your IP address within your /48 is randomly chosen. Common user choices (or router implementations) might not default to random choices, or the randomness might not actually be very random.
... for example if the IPv6 address is autoconfed from the MAC address, then you can exploit the structure of the MAC address to target a much smaller range of address suffixes, specific to the manufacturer of your target device(s).
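The scanning arithmetic and the EUI-64 point from the comments above, worked through as an added example (not code from the thread). It assumes the commenter's one million probes per second, a /64 per subnet, and a constructed MAC and documentation prefix; the audit helper at the end is the check a defender would run on their own hosts.

```python
"""Checks the IPv6 scanning arithmetic from the comments above and shows why
it only holds for hosts whose interface identifier is random rather than
derived from the MAC (RFC 4291 modified EUI-64).

Added example, not code from the thread. Assumptions: 1,000,000 probes per
second (the rate the commenter grants) and a worst-case sweep that visits
every address in the prefix once.
"""
import ipaddress

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_sweep(prefix_len, probes_per_second=1_000_000):
    """Worst-case years to visit every address in an IPv6 prefix."""
    addresses = 2 ** (128 - prefix_len)
    return addresses / probes_per_second / SECONDS_PER_YEAR


def eui64_iid(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC: split the MAC,
    insert ff:fe in the middle, flip the universal/local bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """Address a host autoconfigures in a /64 when privacy extensions
    (RFC 4941) are off: the 64 prefix bits followed by the EUI-64 IID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def is_eui64(address):
    """Audit check: True when the IID carries the ff:fe marker, i.e. it was
    derived from a MAC and therefore reveals the NIC vendor's OUI."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    return iid[3:5] == b"\xff\xfe"


def candidate_space(address):
    """Number of IIDs that would have to be tried to locate this host inside
    its /64: all 2**64 for a random IID, but only the 2**24 vendor-assigned
    NIC bits once an EUI-64 host's OUI is known."""
    return 2 ** 24 if is_eui64(address) else 2 ** 64


if __name__ == "__main__":
    print(f"/48 sweep: {years_to_sweep(48):.3g} years")   # ~3.8e10, the '38 billion'
    print(f"/64 sweep: {years_to_sweep(64):.3g} years")   # ~5.8e5, the 'half a million'
    mac = "00:11:22:33:44:55"                              # constructed MAC
    addr = slaac_address("2001:db8::/64", mac)             # documentation prefix
    print(f"{mac} -> {addr}  eui64={is_eui64(addr)}  space=2**"
          f"{candidate_space(addr).bit_length() - 1}")
    rnd = "2001:db8::a1b2:c3d4:e5f6:789"                   # constructed random IID
    print(f"{rnd}  eui64={is_eui64(rnd)}  space=2**{candidate_space(rnd).bit_length() - 1}")
```

If the audit reports EUI-64 addresses on your own hosts, the "millions of years" argument does not apply to them; enabling privacy or stable-privacy addressing restores a random IID.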
it's worth noting, I think, that Schneier is pretty out of touch when it comes to the whole "open wireless" thing, because he leaves himself open to a bunch of local-only attacks. he's correct that your computer should be able to withstand being on the 'open' internet, since it is every time you take it to work or a coffee shop or something, but, don't be an idiot, just turn WPA2 on at your house.
many access points (I think) now provide a feature where they can run multiple SSIDs. so if you're savvy, you can turn on a guest-only open wifi for when you have visitors, and turn it off when they leave. kind of like a guest key for your spare room!
he leaves himself open to a bunch of local-only attacks
What kind of attacks might those be?
Consider the case of a computer connected to the network with no open ports (other than say, 25 for SSH), with a properly configured firewall, that connects to the Internet through a VPN and with an operating system that auto-updates itself.
I secure mine mostly so that a neighbor won't download torrents on my connection and thus negatively impact my experience. I imagine in an actual house it's not as necessary, but I live in a zone of large buildings and usually see 20+ networks visible.
Well, if his Internet connection is open, then he's open to being prosecuted for what other people might download on it.
As a celebrity, he probably has some substantial de facto immunity against this. (One blog post, and "the Internet" will show up on his side.) The rest of us... not so much.
Actually with an open wifi you're more protected against such instances because it's concrete proof that your IP was shared by other people, considering how ISPs assign these IPs dynamically and that their logs may not be accurate.
And in civil lawsuits, you can spend several thousand dollars in legal fees more or less effectively making your point.
Also, it's increasingly apparent that other jurisdictions will increasingly attempt -- or be used -- to ensnare people in more... "permissive" jurisdictions. Don't like the venue? Sue -- or prosecute -- them in another venue.
On the one hand, I feel sad that my response to this is to "close up" connectivity. On the other hand, I for one don't have the resources with which to liberally take such situations on.
That assumes that his network allows anyone to connect to the internet from it, which is not implied here. Open wifi usually lets anyone who hops on the network talk to the world, but I'd bet someone like Schneier is more sophisticated about that sort of thing.
Putting SSH on the open internet with port 22 means it'll be readily identified when people scan. Then they might well try to use dictionary attacks etc. - I'd advise against it simply to stop the log files filling up.
OpenBSD's second remotely-exploitable hole relied on being on the same network segment (AIUI from a quick read it involved sending malformed IPv6 packets). Such vulnerabilities aren't particularly common, but you're always going to be exposing a somewhat wider attack surface to the local network than to the internet at large.
If they're decent, the guest ID/config can have its own password. Approved guests get wireless without having to put it up and take it down. Unapproved "guests" remain unapproved.
Your stand is fairly unwarranted though. People know what "pointing your browser" means in this context as it is still a commonly used turn of phrase, even though it may date back into the long forgotten antiquity of almost 20 years ago.
> "[...] we're all forwarding port 9100 or 631 to our printer to allow ourselves to print from outside the network, which sets up an HTTP server at that address open to the internet. All it takes is for somebody to put the appropriate GET request in [...]"
> "Both of our printers have public IP addresses"
It looks like the printers are publicly accessible, and some automated tool (nmap?) is just scanning them for vulnerabilities, open ports, or similar. Not too surprising really.
The printed page even says NMap on it. nmapol=tlitcp is Transport Layer Interface and TCP. I'm not positive, but NMap OL could be NMap openvas-library, which is a vulnerability scanner. Sounds to me like someone scanning with NMap over TLI and TCP and it's hitting these printers.
Don't expose your printers to the web without a strict firewall or VPN/reverse proxy!
When nmap scans port 9100 it doesn't send anything (at least as of nmap 6.00 using -sV). It is probably a higher level vulnerability scanner, possibly metasploit, using nmap to discover open ports and then probe deeper on its own.
Nmap avoids sending to 9100 specifically to avoid sending data that the printer may misinterpret as data to be written to a page. You need to give it the --allports option.
--allports (Don't exclude any ports from version detection) .
By default, Nmap version detection skips TCP port 9100 because some
printers simply print anything sent to that port, leading to dozens
of pages of HTTP GET requests, binary SSL session requests, etc.
This behavior can be changed by modifying or removing the Exclude
directive in nmap-service-probes, or you can specify --allports to
scan all ports regardless of any Exclude directive.
Not if the owners don't password protect anything. Without a valid login it shouldn't print anything, unless that login were exploited, but I don't see any mention of a password being bypassed.
Agreed, I've seen this before as well. I doubt it really has anything to do with Apple and likely the HP printer server software instead - being directly related to an nmap scan.
After playing around with it, I think that what is causing this to happen is that the JetDirect port on the printer (usually 9100) is getting written to by a port scanner. This will cause a printer using JetDirect to print out whatever gets sent to it on that port. Try it yourself if you have a printer that implements it. For me it was a Brother HD-5370DW.
1. telnet <printer> 9100
2. Type a hello world message.
3. Close the connection
4. The printer will print out whatever you typed. At least it did for me.
I sometimes get the same ones at work! It's the crawler from the Baidu search engine checking if the printer is a web-server.
I contacted ITS about it (obviously, you shouldn't be able to print from outside the university) but they haven't really given it any work. It surely is a security hole, and a minor waste of ink & paper.
Actually, it's somebody searching for an open proxy, note the inclusion of http and hostname in the GET. The baidu crawler wouldn't be so ridiculous as to request its own homepage from your server. Somebody is testing to see if they can get your server to proxy to baidu for them.
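The telnet walk-through a few comments up and the open-proxy observation just above, reproduced as an added example (not code from the thread): a mock of a raw port 9100 listener stands in for the printer so nothing is wasted, a client sends the kind of data a browser or scanner would, and a triage helper labels what "printed". Everything runs on 127.0.0.1; the sample requests, address and port are constructed.

```python
"""Lab reproduction of the JetDirect raw-port behaviour plus a triage helper
for a mystery printout. Added example, not code from the original thread.
No real printer is involved: the mock listens on 127.0.0.1 and stores bytes
instead of committing them to paper.
"""
import socket
import threading

# Constructed sample: what a browser sends when pointed at http://<printer>:9100/
BROWSER_GET = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 192.0.2.10:9100\r\n"          # TEST-NET-1 address, constructed
    b"User-Agent: Mozilla/5.0 (lab)\r\n"
    b"Accept: text/html\r\n\r\n"
)
# Constructed sample: open-proxy probe, absolute URI (scheme + host) in the request line
PROXY_PROBE = b"GET http://www.baidu.com/ HTTP/1.1\r\nHost: www.baidu.com\r\n\r\n"
# Constructed sample: the first bytes of a TLS ClientHello record
TLS_HELLO = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32


class MockRawPrinter:
    """Stands in for a printer's port 9100: accepts one connection, reads until
    the peer closes, and 'prints' (stores) the bytes verbatim. It never replies,
    which is why a browser pointed at the real port just hangs while the page comes out."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port instead of 9100
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.pages = []

    def serve_one(self):
        conn, _ = self.sock.accept()
        with conn:
            self.pages.append(b"".join(iter(lambda: conn.recv(4096), b"")))

    def close(self):
        self.sock.close()


def send_raw(port, payload):
    """Same as 'telnet <printer> 9100', typing payload and closing the connection."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)


def print_to_mock(payload):
    """One full exchange: start the mock printer, send payload, return what 'printed'."""
    printer = MockRawPrinter()
    worker = threading.Thread(target=printer.serve_one, daemon=True)
    worker.start()
    try:
        send_raw(printer.port, payload)
        worker.join(timeout=5)
    finally:
        printer.close()
    return printer.pages[0] if printer.pages else b""


def triage_page(data):
    """Label the first line of a printout: 'tls-handshake', 'http-proxy-probe',
    'http-request', 'text' or 'binary'. An absolute-form request target is what
    a client sends to a proxy, not to an origin server, so it marks a proxy probe."""
    if data[:2] == b"\x16\x03":           # TLS record type 0x16, version 3.x
        return "tls-handshake"
    first = data.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = first.split(b" ")
    methods = {b"GET", b"POST", b"HEAD", b"OPTIONS", b"CONNECT"}
    if len(parts) == 3 and parts[0] in methods and parts[2].startswith(b"HTTP/"):
        if parts[1].startswith((b"http://", b"https://")) or parts[0] == b"CONNECT":
            return "http-proxy-probe"
        return "http-request"
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "binary"


if __name__ == "__main__":
    for label, payload in (("browser", BROWSER_GET), ("proxy probe", PROXY_PROBE)):
        page = print_to_mock(payload)
        print(f"{label}: printer received {len(page)} bytes -> {triage_page(page)}")
        print(page.decode("ascii", "replace"))
```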
The strings contain "sqli" which some of the posters inferred to mean they were experiencing a SQL injection. I doubt this is actually the case. I will say, though, that I have a Brother printer like the one described where I work and have seen similar odd strings on papers that come out of it. At least one time, it's just printed gibberish. I think the common denominator is that these printers are openly shared on a network with a public IP (at least mine is...it's at a big University with public IPs for everybody). I don't know if this is related or not, though.
Seven hours after posting, I've racked up 21 points for this comment.
I think this shows a defect in the blind voting we've had here for the last year or so. There's no way this off-hand comment is worth that much karma, but nobody can see that I'm being overcompensated for it.
I think this idea is on to something and warrants more investigation.
Edit: That's probably what it is. A port scanner climbed through port 9100 and hit the JetDirect port on the printer, which prints whatever raw data it is given. Cool find!
Spoke with a security guy years ago who got called to a company after they'd been accused of running a warez server. After a bit of digging around he finally found the server on a printer that was running some ancient unpatched version of Solaris.
Don't trust your printer! There were a lot of demos of printer hacks at 28c3 and basically I think I might not print anything ever again. A lot of these things have their firmware implemented in postscript. Updating the firmware consists of printing a special document. It's pretty mental tbh. Your jaw will be scraping along the floor at some of the holes these things have.
I've got an HP printer pretty similar to the one mentioned in the thread. In the course of trying to set it up, I by chance pointed my browser to the printer's network printing port. Interestingly enough it printed out all my browser headers. It seems like these printers just spit out anything that hits that port.
Tip for networked computers in colleges, schools, workplaces, and similar environments: You can upload postscript files to them via FTP, this lets you bypass the printer queue running on a server somewhere. Why would you want to do this? Various nefarious reasons, but the reason I did it was because in 90+% of printer outages at university, it was the queue server and not the printer itself experiencing a fault.
If you don't know the IP address of the printer, you can normally get them to print out a diagnostics page by fiddling with the buttons, and this page will contain that information. So far I have always succeeded at logging in with guest credentials.
To network admins who don't want people bypassing their queues: vlan your printers!
We had this problem when I was still at high school. It worked for the most part, but when us photography students started printing to the photo printer all hell broke loose. Things would frequently take 30+ minutes to go through the Pharos print server. At the time they had just hired a new IT guy so we asked him if he could set the printer up on our personal laptops (we only had 3 workstations in the room). After much frustration he managed to get it running, except he accidentally set them up to print directly to the printer, not via the print server. Magically things started popping out after a minute or two, which got the teacher inquisitive. Eventually they realised that we weren't being charged for printing anymore when the print information had our personal computer usernames rather than ID numbers but couldn't blame us as they had set it up themselves. After being told not to do that anymore, we all just set up secondary users with our ID numbers so it all looked legit.
Ah, yes - I forgot to mention that side effect, bypassing the print queue will also mean you don't get charged (assuming your institution has a print credits system set up).
I added several strategically-located university printers to my /etc/printcap such that I could just-in-time print homework from my dorm and pick it up on my way to class. True cloud printing ftw!
I once found a public printer which I don't think was supposed to be public. There wasn't any way to contact the owner since it appeared to be in a different country based on IP address.
...so I set it up as a printer and printed a bunch of lolcats to it.. A few days later it wasn't accessible any more =)
<snip>
I'm going to guess that the common theme here is that we're all forwarding port 9100 or 631 to our printer to allow ourselves to print from outside the network, which sets up an HTTP server at that address open to the internet.
</snip>
Seriously?! Ignoring the fact that I can't remember when I last printed something, who needs to print to their house from the internet? Can't they just print it when they get home?
Semi off topic anecdote: when I was at Lockheed the head of HR came to me with a Manila envelope and said "I need to know who printed this and when! And I need to know now!"
I took the envelope and looked at it... It was a bunch of prints of gay porn and gay porn websites.
After a few minutes of digging, it was revealed that one of the directors in the company had printed them late the night before. Checking the badge system he wasn't in the building. Checked VPN logs and he was logged in at the time.
He was mistakenly on VPN from his house and printed stuff that went to his default printer which happened to be the one in the office.
He was previously thought to be a married straight guy.
Similar scenario happened where I was working one summer. The printer in the office I was borrowing started printing porn while I was out. "I swear it wasn't me!" Not sure if they identified the guilty party.
Eh, it could just mean that technological mishaps can have real world consequences. Presumably the man did not want people to know that he was gay, whatever the reason for that was we can't say for sure.
- They have expensive software on a computer in one place that does not have a printer, and a printer at home without the software
- A couple that works from home likes to collaborate while one of them is on the road, with one printing stuff directly to home after meeting with clients
- They like to print stuff from work while things are on their mind (itineraries, boarding passes, etc.) so that they don't have to think about logistics once they're home with family
- etc.
Beware the sentence that starts with "Can't they just..."
I've actually found it useful in the past to be able to print stuff when I'm not in the office - not useful enough that I really care about the feature, just that since it's there it saves a small step in the alternative of emailing then having them open and print it.
Would be to my office, and why not because I've never needed to. Our current printer can't do printing from over the internet and I don't care enough to bother setting it up.
For what it's worth, this issue (or an issue very similar to this issue) has been discussed on the nmap seclist.
From the email:
"....However, I've noticed a problem now that I've put this into production. When it scans a network printer, the printer spews out garbage, I have a couple wads of paper on my desk with one or two lines of garbage at the top of each page."
They're getting portscanned. I'm surprised this isn't common knowledge.
If you throw ascii at a jetdirect printer, it will generally just print it out for you. I've used this to debug printers before, as well as to goof around with my coworkers a bit.
This reminds me of when I was in college- I used to have VNC running on a public IP without any authentication (on purpose). Randomly, bots would connect, take over control of the screen, and print a bunch of test characters out in Notepad before disconnecting.
I don't know if they just hit it by luck or if they were actively looking for/testing/saving open VNC servers.
My home servers get SLAMMED on a daily basis by a whole wonderful plethora of bots. Most recently has been Muieblackcat. Going on the whole salary analogy: I'd make my current salary plus a bit if I had a penny for every scan on the box in my living room. I keep the Ukrainian IPs off my blacklist just for fun. Nothing sensitive on the server, just my web playpen. I kind of hope that one of these exploits works one day so I can see where I've slipped up.
I vaguely recall that unpatched XP averages just a couple minutes on a network before being owned. If you didn't have the SP on a disc it was a race between the updates and the bots. That might have been old linux propaganda though.
Not propaganda, I saw a great example of this once bringing up a Windows system on a residential line shared with other apartments. Seconds after the box's "Hey, there, Windows Update, got something for me?", the network slowed to a crawl and our router's (rejected) incoming connection log grew hot and heavy. Would be lovely if the massive influx of attempted incoming connections were just eager WindowsUpdate systems, but unless Microsoft moved their infrastructure to China and Romania...
Anyway, there's a reason to travel with your own locked-down router and to never connect through anyone else's connection directly, especially if you're running Windows. Even that's not foolproof, but at least you've got an Angry Bouncer protecting the Windows Club. Windows Update connections totally feel like spotlights and booming bass.
It was certainly true at large LAN parties. I had to reinstall Windows at QuakeCon one year, and it was nearly impossible to win the race against the malware floating around the network. Putting your computer on the same LAN as 3000 gamers (most of whom download a lot of warez) isn't exactly the same as connecting your computer to the internet through a firewall, so I'm not sure if my experience at QuakeCon generalizes to a typical PC setup.
Without SP2 installed, I had multiple systems infected before I had a chance for the service pack to finish installing. I eventually had to order it on CD from Microsoft.
I'm guessing that Windows Firewall (included in SP2) buys you some time, but I can't see an unpatched system lasting very long.
When I showed up for my first day of work 8 years ago, a newly installed WinXP system awaited me. I had to patch the system that morning because it had been powered on and connected to the network for several days already.
It was an old PC that I didn't care about and only used for testing. I was into security stuff, so it was interesting to see the bots connect (which is why I left it open).
Pretty typical behavior when running vulnerability scanning against a printer target.
Many printers will simply print whatever data comes into certain ports. Have seen similar behavior many times when running web scanning against a printer accidentally instead of a webserver.
I get that this just looks like a scan but it's strange that half a dozen people reported it at the same time (so the problem is likely more widespread). How long would it take to send these packets to all public ips in the world (real question, I have no sense of the scale of ip addresses)? I guess it could be that the ips are known to be running printers by a previous scan. Maybe the printers contact home and the HP accidentally sent them a bad message?
It seems to me that someone was scanning their network for specific services- probably, some DBMS. The printer received the initial communications packet(s) and happily printed whatever was received.
Could this be related with Trojan.Milicenso or Trojan.Eorezo? This is the latest (although it's from June/July) threat I know of that prints random stuff.
Services shared via Back to My Mac aren't directly accessible from the internet at large. Services shared using Wide-Area Bonjour are publicly exposed.
No need to worry, all Macs are virus, malware and attack proof and so (by the law of distortion of reality) are any devices or networks attached to a Mac. Go about your business and forget about that pesky "security" thing everyone else likes to talk about. Just etch a picture of Steve striking a thoughtful pose on the lid of your laptop and all your problems will be forgotten.
If Apple's stuff wasn't incredibly overpriced they wouldn't have $100B in the bank. Steve's ghost would be sad and they wouldn't be able to bankroll all their lawsuits (which would also make Steve's ghost sad).
Apple USED to be good at marketing. Have you seen those new ads? The ghost of Steve just barfed in his mouth a little bit. Quick! Someone call Justin Long and John Hodgman, that was working okay...
Rounded rectangles are the new lucite, and therefore not relevant in any way. Apple's lawsuits were based on Steve Jobs being a big baby about how well Android was selling. Now? Who knows how the Apple lawsuit of the day gets kicked off, but you can bet it involves Androids (and not the Star Trek variety).
Now you're just being thick, the first GUI was done by Doug Engelbart (Stanford Research) in '68. It was perfect. Any CS student who took an HCI course knows that. Extra points if you know what HCI stands for and don't have to google Engelbart to verify, but I bet you do :)
Some people who use Apple devices just want some of the discretionary income that hipster, fanboi (and fangrl, you sexist) and cultists seem quite happy to part with. Will that be cash or credit?
The anti-Apple trolls have never heard of Douglas Engelbart ;-)
Apple has made bad ads before and will make bad ads again. I do think the celebrity/Siri and genius ads are disappointing, but I'm not convinced Apple is no longer any good at marketing because it produced some bad ads.
Hypothetically speaking, of course.