Internet-Connected Printer Vulnerabilities Exploited by Criminal Actors

In late May 2017, more than 130 businesses, universities, and law enforcement agencies nationwide received fake bomb threats from an individual threat actor by facsimile, or as a forced print job on misconfigured Internet-connected printers. In all instances, the actor did not appear to target a specific printer model. The actor exploited Internet-connected printers that allowed external connections over port 9100 and did not require authentication. In one instance, the actor sent a bomb threat to a networked printer by compromising avulnerable server running an outdated version of a PHP-based web application used to control security cameras. Following the intrusion, the actor wiped all logs associated with the incident.

According to FBI and open source reporting, in February 2017 a hacker using the alias Stackoverflowin compromised over 160,000 printers with open connections to the Internet by scanning for printers open on ports 515, 631, and 9100. Stackoverflowin sent print jobs to the affected printers and claimed the devices were part of a “flaming botnet.” Stackoverflowin claimed the goal of the attack was to demonstrate vulnerabilities exist in Internet-connected printers and were subject to exploitation.
Also in February 2017, computer security researchers from University Alliance Ruhr identified and published flaws in 20 printer models based on common printing languages (Postscript and PJL), which would allow malicious actors to steal information, manipulate print jobs, shut down devices, or cause physical damage to the printer.

Between March 2016 and August 2016, an identified hacker compromised unsecured network printers at universities nationwide to print anti-Semitic flyers.
The FBI judges it is highly likely criminal actors will exploit Internet-connected device vulnerabilities and use them as pivot points for network intrusions. Vulnerable printers and other Internet-connected devices can easily be identified through open source scanning tools and search engines, such as Shodan.

Recommendations
The FBI has identified the following recommendations to prevent these types of cyber attacks:

  • Ensure ports 515, 631, and 9100 are not publicly accessible over the Internet. If keeping these ports open is necessary, consider whitelisting specific IP addresses or subnets to ensure only legitimate traffic can connect to the printer.
  • Consider the use of alternative ports for Internet-connected printers and other devices.
  • Ensure all Internet-connected printers and devices on the network have strong usernames and passwords. Default usernames and passwords should be changed.
  • Conduct daily reviews of printer logins to identify and flag unauthorized IP addresses.
  • Configure firewalls to block traffic from unauthorized IP addresses to printers and other network devices.
  • Restrict Internet-connected printer and device connectivity to non-sensitive business networks.