How to protect printers from being hacked

Don't leave your printer exposing port 9100 to the internet.

This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.

The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.

Preventing this attack

All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:

  • Use a VPN to connect to the network, making the printer accessible as if it's in your local network
  • Use a different printing protocol
    • IPP. This is designed to be used over the internet and has built in support for authentication.
    • Google Cloud Print

The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have public routable IP addresses make sure that a firewall is blocking access from outside.

For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody nearby the printer (i.e. somebody at the next apartment, on the street...) could send jobs to this printer. See for example Guy pulls off genius prank on his neighbour using their unprotected WiFi printer. Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.

Apart from that the firmware in some printers can be replaced by sending a special document to these. The hacked firmware then can for example allow an external hacker to attack the internal network. See also Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. To protect against these kind of attacks make sure that the firmware is up-to-date, that security features are enabled which protect replacing the firmware this way (if such settings exist), that the printer can only talk with selected protocols to the rest of the network using a firewall in front of printer or at least configure your perimeter firewall so that the printer can not connect to the internet.

That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.

One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.