Latest news

Exposed IPP-enabled printers on the Internet

One of the new scans enabled as part of the VARIoT project is the IPP (Internet Printing Protocol) scan. This blog entry aims at updating the original blog entry announcing the scans which are being conducted by project consortium member The Shadowserver Foundation, by providing the latest scan results plus an EU breakdown of hosts.

What is the goal of the scan?
The IPP scan is aimed at uncovering printing devices which use IPP (a HTTP POST based protocol) that have been connected to the Internet without adequate access controls or authorization mechanisms in place. This could allow for a potential range of different types of attacks, from information disclosure and service disruption/tampering, to, in some cases, remote command execution. Network connected printers have been with us since the Internet was born (and long before the IoT term was coined!), but their security aspects are often still misunderstood or completely ignored by many end users. 

How do we scan?
We scan by sending an IPP Get-Printer-Attributes request to TCP port 631. We started regular scanning of all 4 billion routable IPv4 addresses on the 5th of June 2020 and added Open IPP reporting as part of our daily public benefit remediation network reports on the 8th of June 2020. Our IPP scans originally uncovered around 80 000 open devices (printers) per day. About half a year later, as of the 28th December, we now uncover around 71 000 open printers per day. Obviously these counts only represent devices that are not firewalled and allow direct querying over the IPv4 Internet.

What do the country level results show?
As of the 28th December 2020, the IP-geolocated country breakdown of the above reachable IPP responses is as follows:

Top countries with exposed IPP services – out of 71,432 services on that day (28th of December 2020) 

As with our first scans, South Korea, the United States and Taiwan have the most exposed printers, with France being the top EU country.

Exposed IPv4 IPP services by country (28th December 2020)

How has the printer exposure changed over time?
We observe a systematic world-wide drop in exposed printers, something hopefully our reporting has also contributed to.

Exposed IPP services around the world by continent

We observe a larger drop percentage-wise in the EU (+UK).

Exposed IPP services in the EU + UK over time (see table with colour codes assigned to countries below)

In the EU (+UK) we note a drop from 16,025 devices from the 8th June 2020 to 11,516 devices on the 28th December 2020, with the top countries being France, Italy and the United Kingdom. This means that the drop in the EU+UK accounted for around 50% of the worldwide drop in exposed printers. 

Breakdown of exposed IPP devices in EU(+UK) (28th December 2020)

What  printer models are most exposed worldwide?
Out of the roughly 71,000 exposed services, a large percentage returned additional printer information attributes, such as printer names, locations, models, firmware versions, organizational units and even printer wifi SSIDs.

For example, the Top 20 printer make-and-model attribute values returned for the 28th of December 2020 was as follows (20,994 entries in total returned):

3006 Local Raw Printer
659 Samsung C48x Series
 550  Samsung M267x 287x Series
314  Brother DCP-1200 – CUPS + Gutenprint v5.2.10
294  Samsung M2070 Series
230  Samsung M332x 382x 402x Series
226  HP Business Inkjet 2200 – CUPS+Gutenprint v5.2.10
219  CNMF230 Series
208  CNMF633C/635C
182  HP LaserJet MFP M129-M134
169 HP LaserJet M402dn
 166 Samsung C43x Series
 156Samsung M337x 387x 407x Series
 154  SINDOH D410
142  Epson Artisan 50 – CUPS+Gutenprint v5.2.10
141  HP ColorLaserJet MFP M278-M281
140  C56x Series
139 Samsung X3220 Series
 137  SINDOH D420
137HP LaserJet Pro MFP M127fn

Top 20 Exposed Printer Make-and-Models 

What are the risks and what can be done to mitigate them?
Exposing printer devices with anonymous, publicly queryable vendor names, models and firmware versions obviously makes it much easier for attackers to locate and target populations of devices vulnerable to specific vulnerabilities and potentially allow them to establish a foothold in your organization’s network.

We hope that the data being shared in our new open IPP device report will lead to a reduction in the number of exposed IPP-enabled printers on the Internet, as well as raise awareness to the dangers of exposing such devices to unauthenticated scanners/attackers. It is unlikely that many people need to make such a printer accessible to everyone – these devices should be firewalled and/or have an authentication mechanism enabled. Please consult your printer manual to verify how to enable authentication mechanisms and limit exposure!

How can I gain awareness of exposed IPP devices on my network?
As mentioned, we provide network owners and National CSIRTs with daily reports on exposed (and infected) devices on their networks. This includes information about exposed IPP devices. Details about the format of the IPP report being shared can be found in the Open IPP Report page. All existing Shadowserver report subscribers are automatically receiving the Open IPP Report if any open IPP services are identified within their networks and countries (for national CSIRTs).

If you are not already a subscriber to Shadowserver’s public benefit daily network reports and would like to receive this new open IPP report and our other existing report types, then please sign up to our free daily public benefit network remediation feed service

Where can I get the latest statistics on your IPP scans?
If you wish to check the latest updated statistics for the IPP scan, please visit our dedicated IPP scan page.

Leave a Reply

Your email address will not be published. Required fields are marked *