Network printer exploited (read: hacked) to print antisemitic documents. How to fix?

I'm unsure if this should be asked here or over on security.stackexchange.com...

Over the Easter long weekend, a small office of ours had a network breach in that an old HP printer was used to print some very offensive antisemitic documents. It appears to have happened to a number of universities in Western cultures all over the world.

Anyway... I read that it's actually a pretty basic security exploit with most networked printers. Something to do with TCP port 9100 and access to the internet. I haven't been able to find much info on the specifics of how because everyone seems too concerned with the why.

The network setup is pretty simple for the office that was affected. It has 4 PCs, 2 networked printers, an 8-port switch and a residential modem/router running an ADSL2+ connection (with a static internet IP and a pretty vanilla configuration). Is the point of weakness in the modem/router or the printer?

I've never really considered a printer as a security risk that needs to be configured, so in an effort to protect this office's network, I'd like to understand how the printers were exploited. How can I stop or block the exploit? And how can I check or test for the exploit (or for a correct block of it) in our other, much larger offices?

Solution 1:

This attack disproportionately affected universities because, for historical reasons, many universities use public IPv4 addresses for most or all of their network, and for academic reasons have little or no ingress (or egress!) filtering. Thus, many individual devices on a university network can be reached directly from anywhere on the Internet.

In your specific case, a small office with an ADSL connection and home/SOHO router and static IP address, it's most likely that someone at the office explicitly forwarded TCP port 9100 from the Internet to the printer. (By default, because NAT is in use, incoming traffic has nowhere to go unless some provision is made to direct it somewhere.) To remediate this, you simply remove the port forwarding rule.

In larger offices with proper ingress firewalling, you generally won't have any allow rules for this port at the border, except perhaps for VPN connections if you need people to be able to print over your VPN.

To secure the printer/print server itself, use its built-in allow list/access control list to specify the range(s) of IP addresses allowed to print to the printer, and deny all other IP addresses. (The linked document also contains other recommendations for securing your printers/print servers, which you should also evaluate.)
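The two remediation steps in this answer (remove any forwarding rule that lands on a print-job port, then restrict the printer's own ACL to internal ranges) can be checked mechanically. The following is an added example, not code from the answer's author or from any router or printer vendor; the port-forwarding table and the ACL entries are constructed sample data, and the "printer ports" set covers the three TCP services printers commonly listen on (9100 raw/JetDirect, 515 LPD, 631 IPP) rather than only the port 9100 the question mentions.

```python
import ipaddress
from typing import Dict, List, Tuple

# TCP ports on which a network printer accepts print jobs. A packet that reaches
# any of them from the Internet is an unauthenticated print job.
PRINTER_PORTS: Dict[int, str] = {9100: "raw/JetDirect", 515: "LPD", 631: "IPP"}

# Address ranges reachable only from inside the office (RFC 1918 plus loopback
# and link-local); everything else is treated as "the Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample of a SOHO router's port-forwarding table:
# (protocol, external port, internal IP, internal port).
SAMPLE_FORWARDS: List[Tuple[str, int, str, int]] = [
    ("tcp", 443,  "192.168.1.10", 443),    # web server, intended
    ("tcp", 9100, "192.168.1.50", 9100),   # printer's raw port: the problem
    ("udp", 1194, "192.168.1.1",  1194),   # VPN endpoint, intended
    ("tcp", 6310, "192.168.1.51", 631),    # second printer's IPP port, renumbered
]


def exposed_printer_forwards(forwards):
    """Return every rule that hands Internet traffic to a print-job port.

    The external port number is irrelevant: a scan of the static IP finds the
    service whatever port it is published on, so the check keys on the
    internal port only.
    """
    hits = []
    for proto, ext_port, int_ip, int_port in forwards:
        if proto == "tcp" and int_port in PRINTER_PORTS:
            hits.append((ext_port, int_ip, int_port, PRINTER_PORTS[int_port]))
    return hits


class PrinterAcl:
    """Deny-by-default allow list, modelled on the per-printer ACL the answer recommends."""

    def __init__(self, allowed):
        self.allowed = [ipaddress.ip_network(a, strict=False) for a in allowed]

    def permits(self, src: str) -> bool:
        """True only if src falls inside one of the allowed ranges."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowed)

    def overly_broad(self):
        """Allowed ranges not contained in any internal range, i.e. entries that
        would let Internet hosts through the ACL (0.0.0.0/0 is the classic)."""
        return [net for net in self.allowed
                if not any(net.subnet_of(internal) for internal in INTERNAL_NETS)]


if __name__ == "__main__":
    for ext, ip, port, name in exposed_printer_forwards(SAMPLE_FORWARDS):
        print(f"REMOVE: external {ext} -> {ip}:{port} ({name})")
    acl = PrinterAcl(["192.168.1.0/24", "10.8.0.0/24"])   # office LAN plus VPN pool
    for src in ("192.168.1.23", "10.8.0.5", "203.0.113.9"):
        print(src, "allowed" if acl.permits(src) else "denied")
    print("broad ACL entries:", PrinterAcl(["0.0.0.0/0"]).overly_broad())
```

The `overly_broad` check is the one worth running on a larger office's print servers: an ACL that technically exists but contains `0.0.0.0/0` or a public range gives the same exposure as no ACL at all. Whether a VPN pool such as `10.8.0.0/24` belongs in the list is a policy decision for that office, which is why it is passed in rather than hard-coded.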

Solution 2:

To extend on Michael Hampton's answer: yes, it's likely a port forward rule. But usually that's not something someone would expose deliberately. However, it can be added by UPnP devices, most likely by having UPnP enabled on your residential-grade router.

Universities probably have their printers hacked for other reasons, as corporate-grade routers usually don't support UPnP, and if they did it'd be disabled by default. In those situations universities are big and have lots of public IPs and very complex networks, and sometimes multiple IT departments with numerous sub-schools and campuses. And don't forget the student hackers who like to poke around.

But, back to my UPnP theory which could fit your case.

It's unlikely someone would deliberately open up port 9100 on your router to enable your printer to be open to the world. Not impossible, but somewhat unlikely.

Here is some info on the more likely culprit, UPnP:

UPnP flaws expose tens of millions of networked devices to remote attacks, researchers say

This is how we had thousands of IP cameras hacked into despite being behind NAT routers.

More here: Exploiting Universal Plug-n-Play protocol, insecure security cameras & network printers

These articles are a few years old, but are still relevant. UPnP is just plain broken and unlikely to be fixed. Disable it.

The last part of the first paragraph in the second article really sums it up:

Lastly, your network printer is just waiting to be hacked.

And lastly, follow Michael Hampton's advice and add an access control list if possible.
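Whether the hole was a manual forward or one a UPnP client opened, the router's firewall log is where an office finds out it is being hit. The following is an added example, not code from either answer; it assumes the router produces netfilter-style `LOG` lines (the `IN=... SRC=... DST=... PROTO=... DPT=...` format used by iptables/nftables logging) and that `ppp0` is the ADSL interface. The log lines are constructed sample data using documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# TCP ports that accept print jobs.
PRINTER_PORTS = {9100, 515, 631}

# Internal ranges; a source outside these arrived from the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Fields of a netfilter LOG line that matter here; other fields are skipped lazily.
LOG_RE = re.compile(
    r"IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: two Internet sources hitting the printers, one LAN
# print job, and one inbound HTTPS connection that is not a printer at all.
SAMPLE_LOG = """
Apr  2 03:14:07 gw kernel: IN=ppp0 OUT=br0 SRC=198.51.100.23 DST=192.168.1.50 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=9100 SYN
Apr  2 03:14:09 gw kernel: IN=ppp0 OUT=br0 SRC=198.51.100.23 DST=192.168.1.50 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=9100 SYN
Apr  2 03:20:41 gw kernel: IN=ppp0 OUT=br0 SRC=203.0.113.77 DST=192.168.1.50 LEN=60 TTL=47 PROTO=TCP SPT=40022 DPT=9100 SYN
Apr  2 03:21:02 gw kernel: IN=ppp0 OUT=br0 SRC=203.0.113.77 DST=192.168.1.51 LEN=60 TTL=47 PROTO=TCP SPT=40023 DPT=631 SYN
Apr  2 08:02:15 gw kernel: IN=br0 OUT= SRC=192.168.1.12 DST=192.168.1.50 LEN=60 TTL=64 PROTO=TCP SPT=50100 DPT=9100 SYN
Apr  2 08:05:30 gw kernel: IN=ppp0 OUT=br0 SRC=198.51.100.23 DST=192.168.1.10 LEN=60 TTL=52 PROTO=TCP SPT=51300 DPT=443 SYN
""".strip().splitlines()


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def printer_hits_from_internet(lines, wan_iface="ppp0"):
    """Count (source, printer, port) triples for TCP packets that arrived on the
    WAN interface from a non-internal address and were headed for a print port."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["iface"] != wan_iface or m["proto"] != "TCP":
            continue
        dpt = int(m["dpt"])
        if dpt not in PRINTER_PORTS or is_internal(m["src"]):
            continue
        hits[(m["src"], m["dst"], dpt)] += 1
    return hits


def summarize(hits):
    """Human-readable lines, busiest source first."""
    return [f"{n:4d}x {src} -> {dst}:{port}"
            for (src, dst, port), n in hits.most_common()]


if __name__ == "__main__":
    for line in summarize(printer_hits_from_internet(SAMPLE_LOG)):
        print(line)
```

Run against a real log, any non-zero result after the forwarding rule has been removed (and UPnP disabled) means the hole is back, which is exactly the "check or test for the correct block" the question asks for. The LAN line is deliberately ignored: internal print jobs are normal, and the point is to separate them from Internet-originated ones rather than to log all printing.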