The security organization Shadowserver performed a global IPP scan and found many printers that openly share information.
Shadowserver has marked the affected nations on a map
In June 2020, Shadowserver's IT security team conducted a global IPP port scan of the approximately 4.3 billion possible IP addresses in the IPv4 address space. The aim was to find out whether there are network printers with Internet Printing Protocol (IPP) support that can be openly controlled. The result is interesting: the scan tracks down between 79,000 and 80,000 such printers every day. The team has summarized the findings in a report.
Attackers can use these openly communicating printers to obtain information about printer models, their location, firmware versions and also the WLAN SSIDs of the devices. With that information it is then possible, for example, to exploit security gaps in these devices and penetrate company networks. Shadowserver's scan sends the IPP Get-Printer-Attributes request on TCP port 631, which, according to the Speedguide page, can also be used to launch a denial-of-service attack on the macOS printer sharing service.
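To see what such a reply gives away, the following added example (not code from Shadowserver or from the report) encodes a Get-Printer-Attributes request and parses a response in the RFC 8010 binary format, then lists the attributes that correspond to model, location, firmware and SSID. The host name and all attribute values are constructed; feed `exposed()` a response captured from a printer you administer to check it.

```python
import struct
# Tags and operation-id from RFC 8010 / RFC 8011
OPERATION_ATTRS, END_OF_ATTRS, PRINTER_ATTRS = 0x01, 0x03, 0x04
TEXT, NAME, URI, CHARSET, LANGUAGE = 0x41, 0x42, 0x45, 0x47, 0x48
GET_PRINTER_ATTRIBUTES = 0x000B
# Attributes matching what the article says leaks: model, location, firmware, SSID
SENSITIVE = ("printer-make-and-model", "printer-location",
             "printer-firmware-string-version", "printer-wifi-ssid")

def attr(tag, name, value):
    n, v = name.encode(), value.encode()
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v

def message(code, groups, request_id=1):  # groups: [(group_tag, [encoded attrs])]
    body = b"".join(bytes([g]) + b"".join(a) for g, a in groups)
    return struct.pack(">BBHI", 1, 1, code, request_id) + body + bytes([END_OF_ATTRS])

def parse(data):
    """Return (operation-id or status-code, {attribute name: [values]})."""
    code = struct.unpack_from(">BBHI", data)[2]
    pos, attrs, last = 8, {}, None
    while pos < len(data) and data[pos] != END_OF_ATTRS:
        tag, pos = data[pos], pos + 1
        if tag < 0x10:               # delimiter tag: a new attribute group starts
            continue
        nlen = struct.unpack_from(">H", data, pos)[0]
        name, pos = data[pos + 2:pos + 2 + nlen].decode(), pos + 2 + nlen
        vlen = struct.unpack_from(">H", data, pos)[0]
        value, pos = data[pos + 2:pos + 2 + vlen], pos + 2 + vlen
        last = name or last          # empty name: extra value of the previous attribute
        attrs.setdefault(last, []).append(value.decode(errors="replace"))
    return code, attrs

def exposed(response):
    """Sensitive attributes returned in a successful (0x0000-0x00FF) response."""
    status, attrs = parse(response)
    return {k: attrs[k][0] for k in SENSITIVE if k in attrs} if status <= 0xFF else {}

# Constructed messages (assumed names and values, not captured from a device)
COMMON = [attr(CHARSET, "attributes-charset", "utf-8"),
          attr(LANGUAGE, "attributes-natural-language", "en")]
REQUEST = message(GET_PRINTER_ATTRIBUTES, [(OPERATION_ATTRS, COMMON + [
    attr(URI, "printer-uri", "ipp://printer.example/ipp/print")])])
OPEN_RESPONSE = message(0x0000, [(OPERATION_ATTRS, COMMON), (PRINTER_ATTRS, [
    attr(TEXT, "printer-make-and-model", "Example Laser 100"),
    attr(TEXT, "printer-location", "HQ, 3rd floor"),
    attr(TEXT, "printer-firmware-string-version", "1.0.0-example"),
    attr(NAME, "printer-wifi-ssid", "EXAMPLE-CORP")])])
DENIED_RESPONSE = message(0x0401, [(OPERATION_ATTRS, COMMON)])  # client-error-forbidden
```

A printer that demands authentication or sits behind a firewall yields an empty result here; any non-empty result is information an anonymous client on the network can read.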
Incorrect configuration of the printers
- IPP should actually prevent information from being read without authorization, since the protocol supports functions such as encryption and authentication via TLS and is compatible with the Internet protocol HTTPS.
- IPP allows print jobs to be submitted, cancelled or queried for their status from outside a local network, which can be useful for IT service providers.
- A popular implementation of the protocol is the open source printer service CUPS, developed by Apple.
However, the security features must be configured properly, which according to Shadowserver is often not the case. Affected printers should also be placed behind a firewall to be less vulnerable.
According to the security team, there are a total of about 700,000 IPP printers on the Internet, which can be found via the BinaryEdge search engine, for example. This means that about 11.5 percent of all IPP-compatible devices were set up incorrectly or not securely enough. South Korea is by far the nation with the most vulnerable printers on the Internet: 36,300 scanned devices originated from there. In second place is the USA with 7,900 devices, followed by Taiwan with 6,700 devices. Germany is in tenth place with 1,400 printers.
Shadowserver has also listed affected devices by reported model name. Among these are devices from Samsung, Brother and HP, with Samsung having by far the most scanned models. This would explain why South Korea, Samsung's home country and a strong market, is in first place among nations.