Amongst websites, gaming servers, streaming video services, and a plethora of other Internet-accessible services, there may be something lurking out there of which you are completely unaware: your printer. To be precise, there are about 87,700 of them out there on the Internet, at least if you agree with the methodology one blogger used to come to his startling conclusion.
By leveraging the power of Google’s search operator “inurl:”, which returns all results with URLs containing the string listed after the operator, and the search string “hp/device/this.LCDispatcher?nav=hp.Print”, blogger Adam Howard was able to retrieve a list of HP printers that are currently being openly broadcast on the Internet. This list is not by any means extensive, but the implications behind it are severe. To better understand what exactly this discovery may mean for you, a quick explanation of the printing process is in order.
When a job is submitted to a printer, the data being sent is usually encoded using one of two languages: PCL (Printer Command Language) or PS (PostScript). When the printer receives this encoded data, the language interpreter of the machine decodes and processes the data and begins printing the job. For most users, this process is completely invisible; between the application they are using and the print driver handling the submitted jobs, the entire encoding/decoding process is out of their hands. The savvy user, though, can do the encoding and submission themselves. PCL and PS are, after all, coding languages, and are thus susceptible to manipulation and exploitation. This becomes significantly more profound when taking into account a third, less well-known language, PJL (Printer Job Language.)
So, what kinds of risks are involved when any user on the Internet can submit custom-crafted jobs to your printer? The most basic answer to that question is “cost”. By submitting large jobs (or jobs with garbage data that cause the language interpreter to enter a processing loop), malicious users can cost companies massive financial losses in wasted toner, paper, and print management charges. The more detailed answer, however, is even more frightening.
Utilizing known vulnerabilities in certain printers’ embedded web servers, attackers can obtain sensitive information stored within the printers themselves. Depending upon the individual model and the specific configuration of the unit itself, this information can range from stored scan jobs containing data such as payroll information to LDAP server authentication credentials.
Beyond that, the powerful commands available within the PJL language make it possible to manipulate printers in an alarming multitude of ways. From harmless trolling such as changing the ready message displayed on the printer’s control panel to wiping the contents of the printer’s storage device, a skilled attacker can submit PJL jobs to carry out just about any task they desire. While the attack vector for embedded web server exploits and PJL jobs is severely narrow and based upon the individual models, units, and even firmware versions exposed to the Internet, the notion that anybody in the world can cause massive to irreparable damage to your home or office just by accessing your printer is absolutely horrifying.
Obviously, you’ll want to avoid these risks, so what do you need to know to protect yourself? First and foremost, always enable and change the administrator password for your printer. Most printers come with a default administrator username and password, and anybody with access to Google can figure out what they are within a matter of seconds. Beyond that, you’ll want to make sure that you have disabled all unnecessary ports and protocols on your printer. For example, several manufacturers include small, built-in FTP servers with their units to allow for easy firmware updating. If you are not going to use this feature, disable it. On a similar note, ensure that your firewall/router does not allow Internet traffic to be routed to/from the printer. This will prevent any outside traffic from reaching the printer directly through the firewall/router.
By following the simple steps listed above, you can ensure that your printer is not available for the often less-than-scrupulous denizens of the Internet to do with as they please. As a result, you just may save yourself time, money, and a whole lot of headache.
Comments