Thousands of unprotected printer hard drives are lying exposed on the internet.
According to MacKeeper researcher Chris Vickery, hackers are exploiting poor security hygiene at various companies as part of a secret technique for hosting malicious code and evading detection.
Specifically, printers that IT admins have connected to a network but haven’t placed behind a firewall are at risk of hard-drive exploitation if port 9100 is left open.
Hackers can host malicious web pages and scripts on the printer and point potential victims to them. Or they can host an executable somewhere so it can later be served through a wget request.
“Your office’s big HP printer probably has many gigs of internal storage space, and, if you don’t protect port 9100, you’re basically handing an anonymous FTP server to the hacker community,” said Vickery in a short note. “These printers are wonderful repositories. It doesn’t take much creativity to realize that even highly illegal materials could be stored this way.”
There are already a few free, open source pieces of software that can be used to upload and interact with HP printer hard drives over port 9100, Vickery noted.
“After all, this kind of printer is usually powered up and online twenty-four hours a day,” explained Vickery. “Even in sleep mode it will still host files. And who checks the contents of their printer’s hard drive? What are the odds of this hacker’s secret stash ever being discovered? Pretty low if you ask me.”
He added that any organization leaving their printers exposed to the internet probably doesn’t have a logging system in place, either.
“The chances of being caught are extremely low for the malicious actor,” he said.
IT admins can thwart the issue with two basic steps: they should ensure that network-connected printers are behind a firewall, with port 9100 closed.
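A minimal check for the gap Vickery describes (port 9100 reachable and nobody watching the logs), as an added example that is not from the article, MacKeeper or HP: it scans firewall flow records for connections to TCP 9100 that arrived from outside the internal ranges. The log format, the `INTERNAL_NETS` ranges and every sample record are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the article). Assumed format:
# timestamp  source_ip  dest_ip  dest_port  bytes_sent_to_dest
SAMPLE_FLOWS = """\
2024-01-10T02:14:07Z 10.20.4.17 10.20.9.50 9100 48211
2024-01-10T02:31:55Z 203.0.113.45 10.20.9.50 9100 7340032
2024-01-10T02:32:40Z 198.51.100.9 10.20.9.50 9100 512
2024-01-10T03:05:12Z 203.0.113.45 10.20.9.51 443 1880
2024-01-10T03:07:00Z 192.168.1.8 10.20.9.51 9100 90210
malformed line
"""

RAW_PRINT_PORT = 9100
# Assumption: the site's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True when addr falls inside one of INTERNAL_NETS."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    return any(ip in net for net in INTERNAL_NETS)


def exposed_printers(flow_text):
    """Summarise port-9100 flows that reached a device from outside INTERNAL_NETS."""
    report = defaultdict(lambda: {"sources": set(), "connections": 0, "bytes_in": 0})
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _ts, src, dst, port, nbytes = fields
        try:
            port, nbytes, internal = int(port), int(nbytes), is_internal(src)
        except ValueError:
            continue  # skip records with unparsable numbers or addresses
        if port != RAW_PRINT_PORT or internal:
            continue
        entry = report[dst]
        entry["sources"].add(src)
        entry["connections"] += 1
        entry["bytes_in"] += nbytes
    return dict(report)


if __name__ == "__main__":
    for printer, e in sorted(exposed_printers(SAMPLE_FLOWS).items()):
        print(f"{printer}: {e['connections']} external connection(s) from "
              f"{sorted(e['sources'])}, {e['bytes_in']} bytes received")
```

Any hit means the firewall is passing raw-print traffic from outside the network, which is the condition the firewall rule above is meant to eliminate.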
“The scenario involving Port 9100 identified by MacKeeper is one in which PJL or PostScript filesystem commands are used to store malicious software on a printer using Port 9100,” an HP spokesperson told us. “This scenario can be prevented by disabling the PJL/PS filesystem commands, directions for which can be found in the document, HP Printing Security Best Practices for HP LaserJet Enterprise Printers and HP Web Jetadmin. In addition, customers have the option of using the more secure protocol IPPS (Internet Print Protocol over HTTPS) instead of Port 9100.”
“Regardless of which printing protocols you use, managing printer configuration is an important step in protecting the print environment,” cautioned the HP spokesperson. “The average printer has over 250 settings, including ports and protocols that could be a source of vulnerability. HP encourages customers to protect their printers by turning off any unused ports and protocols, providing tools to help with this including HP JetAdvantage Security Manager, which provides policy-based security management across a printer fleet, and Web Jetadmin, a free tool that provides web-based configuration for HP printers.”
Back in September, HP announced new printers with enhanced protection, including HP Sure Start BIOS protection, Run-time Intrusion Detection and firmware whitelisting.