Misconfigured enterprise printers can be abused by malicious actors to store malicious code and evade detection, a researcher has warned.
Chris Vickery, the researcher best known for uncovering publicly accessible databases that exposed the details of millions of users, including personal information belonging to hundreds of millions of U.S. voters, has been hired by MacKeeper to lead the company’s new Security Research Center. Vickery joined the company after identifying a misconfigured MacKeeper database containing details associated with 13 million accounts.
As part of his research at MacKeeper, Vickery analyzed printers, particularly how misconfigured devices can be abused by malicious actors for various purposes, including for hosting malicious code and evading detection by security products.
According to the expert, thousands of office printers with gigabytes of internal storage are exposed on the Internet. Vickery has focused his analysis on HP printers, which are accessible over port 9100 and basically provide malicious actors with an anonymous FTP server.
Hackers can use free, open-source tools to upload files to HP printers and interact with them over port 9100. Once the files are uploaded, they can be accessed via a Web browser at http://<Printer_IP_Address>/hp/device/<File_Name>.
“This opens up a world of possibilities. A hacker can host malicious web pages and scripts on your printer and link it to potential victims. Maybe he needs to host an executable somewhere so it can later be served through a wget request. These printers are wonderful repositories. It doesn’t take much creativity to realize that even highly illegal materials could be stored this way,” Vickery said in a blog post.
“After all, this kind of printer is usually powered up and online twenty-four hours a day. Even in sleep mode it will still host files. And who checks the contents of their printer’s hard drive? What are the odds of this hacker’s secret stash ever being discovered? Pretty low if you ask me,” he added.
The researcher has also pointed out that organizations leaving their printers exposed to the Internet likely don’t have any logging systems in place, which seriously decreases their chances of identifying an attack.
A Shodan search shows that more than 21,000 vulnerable HP printers are open on the Web via port 9100, Vickery told SecurityWeek. While port 9100 appears to be specific to HP printers, other brands are likely vulnerable as well.
“I don't know of any big-name targeted attacks involving this kind of technique, but I have seen people brag about using it for various purposes,” the expert said in an email.
HP says it’s aware that its printers can be abused by hackers, which is why in September 2015 the company rolled out new enterprise-grade LaserJet printers with features designed to secure devices against malicious attacks, including HP Sure Start BIOS protection, Run-time Intrusion Detection and firmware whitelisting.
“The scenario involving Port 9100 identified by MacKeeper is one in which PJL or PostScript filesystem commands are used to store malicious software on a printer using Port 9100. This scenario can be prevented by disabling the PJL/PS filesystem commands, directions for which can be found in the document, HP Printing Security Best Practices for HP LaserJet Enterprise Printers and HP Web Jetadmin. In addition, customers have the option of using the more secure protocol IPPS (Internet Print Protocol over HTTPS) instead of Port 9100,” HP told SecurityWeek.
“Regardless of which printing protocols you use, managing printer configuration is an important step in protecting the print environment. The average printer has over 250 settings, including ports and protocols that could be a source of vulnerability,” the company added. “HP encourages customers to protect their printers by turning off any unused ports and protocols, providing tools to help with this including HP JetAdvantage Security Manager, which provides policy-based security management across a printer fleet, and WebJet Admin, a free tool that provides web-based configuration for HP printers.”
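The logging gap the researcher describes can be narrowed by reviewing connection records for the two behaviors named in this article: traffic to port 9100 and requests under /hp/device/. The following is an added example, not code from the article, Vickery or HP; the log format, address ranges and print-server address are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumptions (hypothetical values): printer subnet, internal range, print server.
PRINTERS = ipaddress.ip_network("10.20.30.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
PRINT_SERVERS = {ipaddress.ip_address("10.20.5.17")}
STORED_PREFIX = "/hp/device/"  # URL prefix named in the article

# Constructed records in a hypothetical format:
# <time> <src> <dst> <dst_port> [<method> <path>]
SAMPLE_LOG = """\
2016-02-01T09:14:02Z 10.20.5.17 10.20.30.40 9100
2016-02-01T09:15:40Z 203.0.113.9 10.20.30.40 9100
2016-02-01T09:16:11Z 198.51.100.23 10.20.30.40 80 GET /hp/device/update.bin
2016-02-01T09:17:30Z 10.44.1.8 10.20.30.40 9100
2016-02-01T09:18:05Z 10.20.5.17 10.20.30.41 631
2016-02-01T09:19:00Z 203.0.113.9 10.99.0.5 9100
not a log line
"""

def classify(line):
    """Return (severity, reason) for one record, or None if it is benign."""
    f = line.split()
    try:
        src, dst = ipaddress.ip_address(f[1]), ipaddress.ip_address(f[2])
        port = int(f[3])
    except (ValueError, IndexError):
        return ("parse", "unparseable record")  # surface it, do not drop it
    if dst not in PRINTERS:
        return None  # not traffic to a printer
    external = src not in INTERNAL
    if port == 9100:
        if external:
            return ("high", f"port 9100 reached from external host {src}")
        if src not in PRINT_SERVERS:
            return ("review", f"port 9100 used by non-print-server {src}")
    if len(f) >= 6 and f[5].startswith(STORED_PREFIX) and external:
        name = f[5][len(STORED_PREFIX):]
        return ("high", f"external host {src} fetched stored file {name!r}")
    return None

def scan(log_text):
    """Classify every non-empty line; return [(line_no, severity, reason)]."""
    rows = enumerate(log_text.splitlines(), 1)
    found = ((n, classify(l)) for n, l in rows if l.strip())
    return [(n, *r) for n, r in found if r]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Internal hosts that send jobs directly to port 9100 are reported as "review" rather than "high", since the rule assumes jobs normally pass through a print server.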