We spend a lot of time and resources here at Keypoint Intelligence educating about (and testing for) printer vulnerabilities. So we never thought we would be happy to see a widespread printer hack…until this one. Members of the notorious cyber-hacking collective know as Anonymous have put their skills to use in supporting Ukraine by sending anti-war messages to printers around the Russian Federation that were left vulnerable to the exploit.
 |
With information about the war tightly controlled by the Kremlin, Anonymous decided this end-run directly to Russian citizens would be an effective way to try to counter Russian disinformation. The group claims to have printed hundreds of thousands of pages bearing messages that include, “Citizens of Russia, act now to stop terrorists…Putin killing over thousands in Ukraine…The people of Russia should find horror in Putin's actions…Fight for your heritage and honor, overthrow Putin's corrupt system that steals from your pockets…Give peace and glory to Ukraine, which did not deserve the murder of its innocents!” Anonymous also claims to be behind the “doxing” (the release of personal information) of 120,000 Russian soldiers.
Printer Hacking Is Easier Than You Might Think
You might think getting printers on private networks and spread around a country to spit out a PDF file sent from overseas would be a tough feat. But, unfortunately, with printers not getting the same attention from IT departments as PCs, servers, and other endpoints, accomplishing this is easy for an experienced hacker.
Our penetration testing of network MFPs has revealed that most devices are shipped from the factory with almost no security enabled. The rationale is that the dealer or IT personnel placing the device will turn off access to unsecure ports and protocols and enable more secure alternatives. But, as Anonymous’ successful exploit shows, that doesn’t always happen in the real world.
Printer Vulnerabilities We Encounter in Testing
What are some of the key mistakes we’ve seen? Leaving Port 9100 (also called the “raw” printer port) open is common. Back in the day, Port 9100 was pretty much the only way to get a Microsoft Windows print stream to a networked device, and it is still the easiest. Companies that opt to leave Port 9100 open are relying on their network firewall to keep traffic from outside their perimeter from getting in. Fat chance! FTP and SMB are other protocols that have been deprecated (widely recognized as vulnerable to attack) and, hence, should be avoided—but they are often left enabled “for convenience sake.” But for whose convenience? The hackers?
Our research has also shown that office equipment service departments are too often lax in keeping printers and MFPs in their purview up to date with the manufacturers’ latest firmware updates. Firmware updates often contain crucial improvements to remedy a newly uncovered security flaw, so ensuring devices are up to date is vital for cyber hygiene. In our conversations, however, some service managers took an “if it ain’t broke, don’t fix it” approach to updating device firmware in the field.
So while we applaud Anonymous’ efforts (in this instance, at least), we are dismayed to see just how many printers are vulnerable to such an attack. We implore all organizations to treat their output devices just like any other endpoint gateway to the network, and secure them as such.
Log in to the InfoCenter to see our MFP Security Overview and Recommendations white paper on the Office CompleteView Advisory Service. If you’re not a subscriber, just send us an email at sales@keypointintelligence.com for more info.
