How to protect printers from being hacked

Votes: 40 | Favorites: 8

Recently it came to my attention that someone has hacked around 50,000 printers and used them to print the message they wanted to. (link)



As someone who doesn't have a lot of knowledge about networks or hacking, what would be the steps to take to protect my printer or similar accessories from such attacks in the future?










protection printers

edited Dec 9 at 11:10 by jraspiprojects
asked Dec 6 at 9:58 by aMJay

  • 41
    And yet another occasion to ask why so many people are deeply convinced that every device (including printers, cameras, refrigerators, toasters, home automation) must be connected to, and accessible via internet. That hack is an example of why this awesome idea isn't so awesome at all. You do not want any of the computers, printers, or other devices in your home / office visible, identifiable, or accessible by someone on the outside (other than via VPN). Never, not ever. There's nothing to gain, and everything to lose.
    – Damon
    Dec 6 at 14:23

  • 52
    I'd hardly classify this as a hack - the printers were configured to accept print jobs from the public internet, and someone went and sent them print jobs.
    – Tyzoid
    Dec 6 at 16:22

  • 7
    The best answer to practically any "how to protect X from being hacked" question, where X is anything but a server, PC, or other computer that has to be connected to fulfill its primary functionality, is "don't put it on the Internet in the first place."
    – Mason Wheeler
    Dec 6 at 19:46

  • 2
    @Damon Clearly, having a printer networked to your computer is useful. And having a printer connected to your computer but not to any other computers is harder than having it connected to every computer.
    – Acccumulation
    Dec 7 at 22:59

  • 1
    @Acccumulation I'd consider that social engineering (same reason phishing attacks aren't called hacks). Now - if the trojan was triggered via a non-executable file (word doc, excel sheet, pdf, etc) or did anything, such as install a backdoor or trigger other actions on the network, that could be considered a hack (in my mind). As another example - if I misconfigure my wifi as "open," and my neighbor connects - has she hacked my wifi? Consequently, if they connect their smartphone and it autodiscovers my airplay device/printer/etc, have they hacked my network? Has Apple hacked my network?
    – Tyzoid
    Dec 8 at 0:10

4 Answers
Votes: 50 (accepted)

Don't leave your printer exposing port 9100 to the internet.



This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.



The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to the way RAW printing over port 9100 works, all that is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.



Preventing this attack



All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:



  • Use a VPN to connect to the network, making the printer accessible as if it's in your local network

  • Use a different printing protocol


    • IPP. This is designed to be used over the internet and has built-in support for authentication.

    • Google Cloud Print






edited Dec 6 at 11:14
answered Dec 6 at 10:32 by Joe

  • If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
    – BruceWayne
    Dec 6 at 15:59






  • 11




    No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
    – ThoriumBR
    Dec 6 at 16:39










  • Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
    – Lord Farquaad
    Dec 6 at 22:05







  • 1




    This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
    – Joe
    Dec 6 at 22:13






  • 1




    @Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
    – cybernard
    Dec 6 at 23:15


















Votes: 8

The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router, you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default, direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have publicly routable IP addresses, make sure that a firewall is blocking access from outside.

For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody near the printer (i.e. somebody in the next apartment, on the street...) could send jobs to this printer. See for example "Guy pulls off genius prank on his neighbour using their unprotected WiFi printer". Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.

Apart from that, the firmware in some printers can be replaced by sending a special document to them. The hacked firmware can then, for example, allow an external hacker to attack the internal network. See also "Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers". To protect against these kinds of attacks, make sure that the firmware is up-to-date, that security features are enabled which protect against replacing the firmware this way (if such settings exist), and that the printer can only talk with selected protocols to the rest of the network using a firewall in front of the printer, or at least configure your perimeter firewall so that the printer cannot connect to the internet.






  • 2




    "don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
    – Jon Bentley
    Dec 6 at 13:07










  • @JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
    – Steffen Ullrich
    Dec 6 at 13:15







  • 1




    If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
    – Jon Bentley
    Dec 6 at 13:21










  • @JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this, preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
    – Steffen Ullrich
    Dec 6 at 13:31







  • 1




    @steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
    – Jon Bentley
    Dec 6 at 13:46


















Votes: 5

That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.



One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.
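
Added example (not part of the original answers): one way to check a router's port-mapping list for the exposure discussed in the accepted answer (port 9100 reachable from outside) and in the answer above (devices opening mappings through UPnP). It assumes mapping lines in the style printed by miniupnpc's `upnpc -l`; the sample listing, the addresses and the port table are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Ports on which printers commonly accept jobs (table assumed for this example).
PRINT_PORTS = {
    9100: "RAW printing: accepts whatever is sent, no authentication",
    515: "LPD",
    631: "IPP: acceptable only if authentication is enforced",
}

# One mapping line, e.g.:  " 0 TCP  9100->192.168.1.50:9100  'printer raw' '' 0"
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<inport>\d+)\s+'(?P<desc>[^']*)'"
)

# Constructed sample listing (not captured from a real router).
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  9100->192.168.1.50:9100  'printer raw' '' 0
 1 TCP 19100->192.168.1.51:9100  'office printer' '' 0
 2 UDP 51413->192.168.1.20:51413 'bittorrent' '' 0
 3 TCP  8080->192.168.1.50:80    'printer web ui' '' 3600
 4 TCP   631->192.168.1.50:631   'ipp' '' 0
"""


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int   # port reachable from the internet
    int_ip: str     # internal host the router forwards to
    int_port: int   # port on that internal host
    desc: str


def parse_mappings(listing):
    """Return the port mappings found in a listing; other lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            mappings.append(Mapping(m["proto"], int(m["ext"]), m["ip"],
                                    int(m["inport"]), m["desc"]))
    return mappings


def audit(mappings, printer_ips=()):
    """Flag mappings that expose a printer to the internet.

    The check is made on the internal port, so a forward such as
    19100 -> 9100 is caught even though the external port is not 9100.
    Any mapping to an address listed in printer_ips is flagged as well.
    """
    findings = []
    for m in mappings:
        if m.proto == "TCP" and m.int_port in PRINT_PORTS:
            findings.append((m, PRINT_PORTS[m.int_port]))
        elif m.int_ip in printer_ips:
            findings.append((m, "forwards to a known printer address"))
    return findings


if __name__ == "__main__":
    for m, reason in audit(parse_mappings(SAMPLE_LISTING),
                           printer_ips={"192.168.1.50"}):
        print(f"external {m.proto}/{m.ext_port} -> "
              f"{m.int_ip}:{m.int_port} ({m.desc}): {reason}")
```

Any mapping this flags should be removed on the router, with UPnP disabled so that a device cannot re-create it.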






Votes: 1

I've seen many home printers, for example Epson, not implementing any security features.

The easiest way to protect them is to connect them to a computer via USB or a dedicated network/VLAN. Then share them through that server using cups/samba/printer sharing.

Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from the internal network is also important if your internal network is big, i.e. anything bigger than a home network that only you and your family connect to.






    share|improve this answer




















      Your Answer








      StackExchange.ready(function()
      var channelOptions =
      tags: "".split(" "),
      id: "162"
      ;
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function()
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled)
      StackExchange.using("snippets", function()
      createEditor();
      );

      else
      createEditor();

      );

      function createEditor()
      StackExchange.prepareEditor(
      heartbeatType: 'answer',
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader:
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      ,
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      );



      );













      draft saved

      draft discarded


















      StackExchange.ready(
      function ()
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199226%2fhow-to-protect-printers-from-being-hacked%23new-answer', 'question_page');

      );

      Post as a guest















      Required, but never shown

























      4 Answers
      4






      active

      oldest

      votes








      4 Answers
      4






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes








      up vote
      50
      down vote



      accepted










      Don't leave your printer exposing port 9100 to the internet.



      This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.



      The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.



      Preventing this attack



      All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:



      • Use a VPN to connect to the network, making the printer accessible as if it's in your local network

      • Use a different printing protocol


        • IPP. This is designed to be used over the internet and has built in support for authentication.

        • Google Cloud Print






      share|improve this answer






















      • If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
        – BruceWayne
        Dec 6 at 15:59






      • 11




        No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
        – ThoriumBR
        Dec 6 at 16:39










      • Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
        – Lord Farquaad
        Dec 6 at 22:05







      • 1




        This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
        – Joe
        Dec 6 at 22:13






      • 1




        @Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
        – cybernard
        Dec 6 at 23:15















      up vote
      50
      down vote



      accepted










      Don't leave your printer exposing port 9100 to the internet.



      This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.



      The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.



      Preventing this attack



      All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:



      • Use a VPN to connect to the network, making the printer accessible as if it's in your local network

      • Use a different printing protocol


        • IPP. This is designed to be used over the internet and has built in support for authentication.

        • Google Cloud Print






      share|improve this answer






















      • If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look in to the port and other vulnerabilities?
        – BruceWayne
        Dec 6 at 15:59






      • 11




        No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
        – ThoriumBR
        Dec 6 at 16:39










      • Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
        – Lord Farquaad
        Dec 6 at 22:05







      • 1




        This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
        – Joe
        Dec 6 at 22:13






      • 1




        @Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
        – cybernard
        Dec 6 at 23:15













      up vote
      50
      down vote



      accepted







      up vote
      50
      down vote



      accepted






      Don't leave your printer exposing port 9100 to the internet.



      This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.



      The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.



      Preventing this attack



      All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:



      • Use a VPN to connect to the network, making the printer accessible as if it's in your local network

      • Use a different printing protocol


        • IPP. This is designed to be used over the internet and has built in support for authentication.

        • Google Cloud Print






      share|improve this answer














      Don't leave your printer exposing port 9100 to the internet.



      This large-scale printer attack is nothing new. It's happened previously and is very simple to execute.



      The attacker likely used Shodan to scan the entire internet for printers with port 9100 open to the internet. Due to way RAW printing over port 9100 works, all is required after this is to connect to the printer on port 9100 TCP and send the text you want to send to the printer.



      Preventing this attack



      All you need to do is close port 9100 externally. If there is a requirement to print remotely, this is possible in a number of ways:



      • Use a VPN to connect to the network, making the printer accessible as if it's in your local network

      • Use a different printing protocol


        • IPP. This is designed to be used over the internet and has built in support for authentication.

        • Google Cloud Print







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Dec 6 at 11:14

























      answered Dec 6 at 10:32









      Joe

      2,4152819




      2,4152819











      • If we did not receive the printed page via the hack, is it safe to say that Port 9100 is closed and/or our printer is safely disconnected from such hacks? Or could there be a hundred other reasons I didn't get the printed page, and should still look into the port and other vulnerabilities?
        – BruceWayne
        Dec 6 at 15:59

      • 11
        No, the guy just searched for printers in Shodan, found close to one million, and sent the file to the first 50 hundred printers he got.
        – ThoriumBR
        Dec 6 at 16:39

      • Just to make sure I'm understanding correctly, this attack vector only works on port 9100? Or is this just the only port people usually bother to check?
        – Lord Farquaad
        Dec 6 at 22:05

      • 1
        This particular attack abuses RAW printing which by default uses port 9100, however it could potentially use any specified port
        – Joe
        Dec 6 at 22:13

      • 1
        @Joe The printer listens on only 3-4 ports out of 65536, so just any port won't work on the printer. Also, the attack only focuses on the default ports. Maybe it will change later, or be taken to the next level by someone else.
        – cybernard
        Dec 6 at 23:15

















      up vote
      8
      down vote













      The attack you link to was against printers which were directly accessible from the internet. If you have a typical home network which is connected to the internet by some DSL or cable router, you don't have to worry about this specific attack unless you've explicitly enabled access to the printer from the internet - by default direct access from the internet is not possible due to NAT in the router (i.e. multiple internal IP addresses mapped to a single public IP). If you are in a company and the printers have publicly routable IP addresses, make sure that a firewall is blocking access from outside.

      For home users it is more likely that they install a printer capable of WiFi and keep the WiFi settings in the often insecure default state where the printer creates its own access point without encryption and access control. In this case anybody near the printer (i.e. somebody in the next apartment, on the street...) could send jobs to this printer. See for example "Guy pulls off genius prank on his neighbour using their unprotected WiFi printer". Thus, make sure to disable WiFi if you don't need it and configure it securely if you need it.

      Apart from that, the firmware in some printers can be replaced by sending a special document to them. The hacked firmware can then, for example, allow an external hacker to attack the internal network. See also "Researchers at FoxGlove Security have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers". To protect against these kinds of attacks, make sure that the firmware is up-to-date, that security features which protect against replacing the firmware this way are enabled (if such settings exist), and that the printer can only talk to the rest of the network with selected protocols, using a firewall in front of the printer; or at least configure your perimeter firewall so that the printer cannot connect to the internet.

      edited Dec 6 at 10:24

      answered Dec 6 at 10:19

      Steffen Ullrich

      113k13197259

      • 2
        "don't have to worry" and "not possible" might be a bit strongly worded in the first paragraph. E.g. the router could be compromised. A defense in depth approach would mean that if you deem printer security a high priority, then you should adopt the other techniques anyway.
        – Jon Bentley
        Dec 6 at 13:07

      • @JonBentley: I disagree. "not possible" explicitly relates to the default behavior of a router and a compromised router should not be considered the default. Also, if the router is compromised then attacks against the printer are probably a minor problem because more critical attacks are possible. Insofar "don't have to worry about this specific attack" is still true - one should instead worry about more critical attacks. Defense in depth is important but it is also important to care first about the important attacks and if there is money and time left about the remaining risks.
        – Steffen Ullrich
        Dec 6 at 13:15

      • 1
        If that were the case, then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world, content that the default state means that it is "not possible". Furthermore, the default state of many home routers is compromised due to poor security design of the routers themselves (e.g. poor wifi implementations, default passwords, outdated firmware, etc.). I agree with your last sentence, but I covered that with "if you deem printer security a high priority".
        – Jon Bentley
        Dec 6 at 13:21

      • @JonBentley: "...then we could satisfy all of our security concerns by simply placing a home router between our systems and the outside world,..." - most of today's security concerns are not sufficiently handled by a NAT router since they concern malicious payloads the user explicitly retrieves from outside (mail, web). Contrary to this, preventing direct access to the printer from outside would actually be handled well with a simple NAT router since NAT by design prevents access initiated from the external network to the internal one by default.
        – Steffen Ullrich
        Dec 6 at 13:31

      • 1
        @steffan By the same logic, mail and web by design should simply display emails and webpages respectively and not execute malicious payloads. We could argue that malicious payloads are not possible given the default behaviour of those protocols / applications. The point is, that they can contain security flaws, and that applies to home NAT routers just as much as it does to anything else. We can't simply blindly rely on components in the security chain to behave as we hope they will. On the contrary, home routers are notorious for having poor security.
        – Jon Bentley
        Dec 6 at 13:46
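
A detection sketch for the two firewall points made in the answers above (closing port 9100 to the outside, and keeping the printer from connecting to the internet), added here as an example and not taken from either answer. It scans iptables-style LOG lines for outside sources reaching print-service ports and for the printer reaching outside addresses. The log lines, the printer address 192.168.1.50 and the extra ports 515 and 631 are assumptions; only 9100 comes from the page.

```python
"""Flag firewall log lines that show a printer exposed to, or reaching, the internet."""
import ipaddress
import re

# 9100 (RAW) is the port named on this page; 515 (LPD) and 631 (IPP) are
# added here as the other standard printing ports.
PRINT_PORTS = {9100: "RAW", 515: "LPD", 631: "IPP"}

# Ranges treated as "inside", listed explicitly so the result does not depend
# on how a library classifies documentation or other special-purpose ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Assumed printer inventory for the local network.
PRINTERS = {ipaddress.ip_address("192.168.1.50")}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample in the key=value shape of iptables LOG output, assumed to
# be logged in the FORWARD chain, i.e. after any port forward was applied, so
# DPT is the printer's own port even when the router forwards a different
# external port.
SAMPLE_LOG = """\
Dec  6 10:31:02 gw kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.45 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51544 DPT=9100 SYN
Dec  6 10:31:40 gw kernel: FWD IN=br0 OUT=br0 SRC=192.168.1.23 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=40112 DPT=9100 SYN
Dec  6 10:32:05 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49200 DPT=443 SYN
Dec  6 10:32:30 gw kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.45 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51600 DPT=443 SYN
Dec  6 10:33:00 gw kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.9 DST=192.168.1.50 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Dec  6 10:33:12 gw kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.45 DST=192.168.1.50 LEN=60 PROTO=TCP SPT=51702 DPT=631 SYN
Dec  6 10:33:20 gw kernel: FWD IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.1 LEN=70 PROTO=UDP SPT=5353 DPT=53
"""


def is_internal(addr):
    """True if the address lies in one of the ranges treated as inside."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return the fields needed for classification, or None if the line lacks them."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return {
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields["PROTO"],
            "dport": int(fields["DPT"]),
        }
    except (KeyError, ValueError):
        return None  # e.g. ICMP entries carry no DPT; truncated lines lack fields


def classify(entry):
    """Name the problem an entry shows, or return None for expected traffic."""
    src_in = is_internal(entry["src"])
    dst_in = is_internal(entry["dst"])
    if (not src_in and dst_in and entry["proto"] == "TCP"
            and entry["dport"] in PRINT_PORTS):
        return "inbound-print-port"   # outside host reached a print service
    if entry["src"] in PRINTERS and not dst_in:
        return "printer-outbound"     # printer opened a connection to the internet
    return None


def scan(log_text):
    """Return (line number, finding, source, destination, port) for each hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify(entry)
        if kind:
            findings.append((lineno, kind, str(entry["src"]),
                             str(entry["dst"]), entry["dport"]))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

An empty result only means the log shows no such traffic; the firewall has to be logging forwarded connections for the check to say anything.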













      up vote
      5
      down vote













      That’s a good start, but know these problems aren’t limited to just printers. All kinds of smart-home devices, including security cameras, lamp controllers, thermostats, etc., can unintentionally expose your whole home’s network to risk of attack.



      One step you could take is to log in to your home router (or cable modem), find the settings for UPnP (Universal Plug and Play) and disable it. UPnP is used by many of these devices to open holes in your firewall and expose themselves to the internet for convenient remote access; the issue is that many of these devices are even less secure than your typical printer. By turning off UPnP, you are not allowing them to place your home network at risk.






          answered Dec 6 at 13:19









          John Deters

          26.1k24087




















              up vote
              1
              down vote













              I've seen many home printers, for example Epson, not implementing any security features.



              The easiest way to protect them is to connect them to a computer via USB or a dedicated network/VLAN. Then share them through that server using CUPS/Samba/printer sharing.



              Other answers about NAT and not exposing ports to the internet are reasonable. But protecting from the internal network is also important if your internal network is big, i.e. anything bigger than a home network that only you and your family connect to.






                  answered Dec 7 at 7:41









                  akostadinov
