Printers now the least-secure things on the internet

The Internet of Things is exactly as bad a security nightmare as pessimists think it is, according to Bitdefender's Bogdan Botezatu. The senior threat analyst at the Romanian security software company called by to chat to Vulture South while in Australia (we were, I suspect, meant to discuss the company's 2017 launches, but …

  1. Christian Berger

    If he had a clue about the situation...

    ...we would know that that "hacking a printer to cause a fire" thing was mostly PR. The fixation unit of printers has a hardware overheat protection once it gets too hot. Essentially there's a little heat activated fuse. So even if you manage to put new firmware on (which is unfortunately possible without interaction on the printer itself), you can only break it, but not cause any problem. And fixing printers would be simple, just put an "upgrade firmware" mode into the menu, perhaps allow for a PIN to be required, and have it not print anything while that mode is on. If you have a USB interface, you can even upgrade your firmware from that, instead of "printing" it to the printer.

    Signing firmware will only make it harder for legitimate changes to the firmware, for example to get out security holes by removing services you don't need.

    For actual attacks changing the firmware probably isn't a sensible way to go. It's far easier to use the features provided in the default firmware. I wouldn't be surprised if there are postscript engines that allow for network access.

    1. Anonymous Coward

      Re: If he had a clue about the situation...

      The point isn't that the printer itself could burn the house down, it's that if it's readily compromised then it can be used as a point of access to all the other devices on the network, including those IoT things that potentially could be used to cause harm.

  2. edge_e
    Facepalm

    Do printers really need to be connected to the internet?

    How often do you send something to a printer that you don't have physical access to?

    1. Drone Pilot

      Re: Do printers really need to be connected to the internet?

      I've always wondered this. Why do I want to print from my phone to my home printer when I am in another country? It'll give me a paper-jam anyway!

    2. John Sager

      Re: Do printers really need to be connected to the internet?

      They probably aren't, directly, but it seems that all manufacturers of kit these days want their box to phone home. Perhaps only on installation but often to keep in contact either all the time or periodically. So they talk upnp to the router and set up a little hole. I've had to put a firewall rule in to my (home-brew router) to stop my printer phoning back to HP.

      I've recently bought a z-wave controller and that set up a ssh session to a cloud server to provide remote access from android/iPhone apps. No thanks. I'll do the remote access myself, so that ssh session now doesn't get started.

      Supposedly to manage a Netgear WiFi extender I should log into it via some name that resolves to a cloud server somewhere and it will automagically log me on to the device. Sod that for a game of soldiers, I've set up to log on directly.

      Now, I can sort this stuff, but most consumers can't. I do wonder what the motivation is here. Do the manufacturers want to make it easier for Joe Public, or is this a golden opportunity to collect usage data which can then be sold on? Either way, it's a mess.

    3. Lotaresco

      Re: Do printers really need to be connected to the internet?

      "How often do you send something to a printer that you don't have physical access to?"

      In a work context? Every day.

      "Do printers really need to be connected to the internet?"

      Probably not, but many are for convenience and remote management. This is hardly new, the Tektronix printers that I was using sixteen years ago were all provided with web interfaces and SNMP. The printers could be interrogated remotely to check supplies and status and could be remotely updated as required. This may sound like pointless nerdery, but when you are trying to maintain printers over a corporate WAN spanning many branch offices then it becomes vital to have remote management features. even quite low end printers like the Brother

      Those of us who know what we are doing plan LAN connectivity to support out of band management of all devices so that we don't connect the management features of our network devices directly to the internet. However many work environments seem to have completely unplanned ad hoc networks with the management and user interfaces connected to the same LAN via unmanaged switches.

      These days even relatively low-end printers such as the Brother SOHO range support what were "advanced" group printer features such as secure print, remote management and remote printing. Usually all of the interfaces are active by default and it takes a conscious effort to lock down access to the printer management and reporting features to the support staff.

      1. A Non e-mouse Silver badge

        @Lotaresco - Re: Do printers really need to be connected to the internet?

        I think you've missed the point: All this IoT hubris is aimed at the consumer who has few IT skills (and even fewer security skills!)

        Business environments have been doing remote management & access on all sorts of devices for decades. (And still can't always get it right!)

    4. John Lilburne

      Re: Do printers really need to be connected to the internet?

      Obviously you've not had someone around your house wanting to print some document that they've got stored, or can only access from some Android device. No I'm not going to allow them to connect their snoopage device to my system.

      If they can connect to the printer via bluetooth OK, but most of them don't know how to do that. Nor do they seem to know how to email the damn thing or how to login to their webmail account either.

    5. Anonymous Coward

      Re: Do printers really need to be connected to the internet?

      Yes, so your fridge can print you a reminder to get more milk!

    6. VinceH

      Re: Do printers really need to be connected to the internet?

      "How often do you send something to a printer that you don't have physical access to?"

      Well, I have a couple of times when out and about spotted open WiFi hotspots provided by printers - so sent a simple text file to them saying "You really should secure this, you know." (IIRC, one time it didn't work - I had an error, the wording of which I can't remember, and the other time I had no feedback at all to the attempt, positive or negative, so I've no idea if that printed.)

    7. Eddy Ito

      Re: Do printers really need to be connected to the internet?

      The internet, probably not unless you have to use Google Print or some such nonsense but the intranet, yes, definitely, even if that is via VPN. As far as printers that want to access the internet that's what firewalls are for.

    8. Fatman

      Re: Do printers really need to be connected to the internet?

      You must not work for a large enterprise organization, not to comprehend WHY this would be desired.

  3. sitta_europea Silver badge

    Not that it's even remotely likely, but if somebody sold me a 'fridge that had a capability to connect to the Internet, I wouldn't connect it to the Internet. Nor to any network.

    How hard can it be?

    1. Ole Juul

      "I wouldn't connect it to the Internet."

      Ya but there's nothing worse than your fridge giving you a 404 instead of a beer.

      1. Anonymous Coward

        Re: "I wouldn't connect it to the Internet."

        I'd prefer a 420...

    2. Steve Davies 3 Silver badge

      But people are stupid (in general)

      The salesman says

      'connect it to the internet when you get home' and 99.99% of buyers will do just that believing that it is required in order to make it work.

      all clearly written down in 'how to train your salesforce 101'.

    3. Oengus
      Thumb Down

      The reason the fridge connects to the internet is to give the fridge manufacturers new income streams.

      Stream 1- It will phone home to tell the manufacturer what products you use so they can profile you for targeted advertising on the inbuilt screen.

      Stream 2- It will arrange for delivery of items that are running low or nearing "end of life" from the retailer who provides a percentage of all sales to the fridge manufacturer (of course it won't connect with your "preferred provider") and of course the provider will change their systems every 5 years or so such that you need to update your fridge software but

      Stream 3- because the manufacturer doesn't provide software upgrades anymore... you will need to buy a new fridge. (see story on Sony Bravias and YouTube).

      If you disconnect the fridge from the internet it won't be able to "phone home" so won't know what to do when the temperature changes. You can't have these smart devices operate autonomously.

      IOT and Smart devices are not about making things better for the end user. They are about giving control back to the manufacturers and giving them additional ways to "milk" their customers.

      1. Charles 9

        "It will phone home to tell the manufacturer what products you use so they can profile you for targeted advertising on the inbuilt screen."

        Honest question. How will the refrigerator know what I put in and take out of it? It's not like it has a laser scanning net inside the door, which probably won't work anyway if the barcode's stripped off or turned face-down or whatever...

    4. Anonymous Coward

      I wouldn't connect it to the Internet

      What if it comes sufficiently enabled so as to connect by itself, using an open wifi network, or a mobile data network?

      Are you going to put it in a Faraday cage?

      1. Doctor Syntax Silver badge

        Re: I wouldn't connect it to the Internet

        "What if it comes sufficiently enabled so as to connect by itself, using an open wifi network, or a mobile data network?"

        I wouldn't buy it. Next question please.

        1. Charles 9

          Re: I wouldn't connect it to the Internet

          How are you going to not buy it when ALL refrigerators on the market have the feature standard and secondhand ones aren't available anymore because all trade-in/part exchange fridges get scrapped? It's a question of WHEN, not IF. It's already happening with TVs. Fridges, stoves, and other appliances are next.

          1. VinceH

            Re: I wouldn't connect it to the Internet

            This is where legislation is needed. It should be enshrined in law that any consumer device that does not require internet connectivity to perform its core function should be able to work without internet connectivity.

            A fridge's core function is to maintain a cool temperature for the storage of its contents. That does not require internet connectivity.

            A TV's core function is to present sound and vision from an external source, most often an aerial. That does not require internet connectivity.

            And so on.

            1. Charles 9

              Re: I wouldn't connect it to the Internet

              "This is where legislation is needed. It should be enshrined in law that any consumer device that does not require internet connectivity to perform its core function should be able to work without internet connectivity."

              Then it's game over because the manufacturers have the legislators' ears. The law will go the other way and mandate internet connections for public safety issues (say an appliance catches fire while you're away, just to list an excuse), with all non-connected devices not legal for resale.

              1. VinceH
                Unhappy

                Re: I wouldn't connect it to the Internet

                "The law will go the other way and mandate internet connections for public safety"

                While I'd like to see legislation that is more protective of consumers' rights to buy things that just work as they should, sadly I do expect it's more likely to go that way.

    5. Doctor Syntax Silver badge

      "Not that it's even remotely likely, but if somebody sold me a 'fridge that had a capability to connect to the Internet, I wouldn't connect it to the Internet. Nor to any network."

      The problem starts when the fridge won't work unless it's connected to the net.

    6. This post has been deleted by its author

    7. Captain DaFt

      " but if somebody sold me a 'fridge that had a capability to connect to the Internet, I wouldn't connect it to the Internet. Nor to any network."

      But what do you do if it "helpfully" auto logs on to any available WiFi connection it can detect?

      You might have yours locked down, but Fred across the street will be wondering who keeps sending him those "Need more cheese and beer" messages.

  4. Rich 11

    Product upgrade time

    Either they'll be force-marched into buying a new refrigerator/washer/dryer /microwave because the software is end-of-life; or they'll be stuck with a product that's vulnerable to attackers.

    Just another step on the planned obsolescence pathway...

    1. Known Hero

      Re: Product upgrade time

      or just unplug it.

      I tell my boys they have full control of the internet, if people are mean etc unplug ... YOU HAVE THAT CONTROL, NOBODY ELSE.

      1. Charles 9

        Re: Product upgrade time

        Oh? How do you unplug a whispernet? And trying to break the radio could cause a suicide circuit and break the whole thing...

        1. Known Hero
          FAIL

          Re: Product upgrade time

          the world is full of whatif's ... but how to unplug Just connect it to a wifi that goes nowhere.

          What if it requires a connection to operate ... Don't buy it.

          There are also the options of .....

          hand wash your clothes, Build your own, Laundromats, refurbish older machines.... and on and on and on (pun intended).

          1. Anonymous Coward

            Hand wash your clothes or build your own washing machine

            Yay for progress!

          2. Charles 9

            Re: Product upgrade time

            "hand wash your clothes, Build your own, Laundromats, refurbish older machines.... and on and on and on (pun intended)."

            Handwashing means giving up a precious day (of work or leisure) every week, laundromats will be Big Brother posts, and few have the skills to roll their own, especially since water and electricity are tricky things when in close proximity. As for old machines, they can make a law that mandates connected devices AND render old devices not legal for resale.

  5. David Roberts

    Insidious

    My latest HP printer wanted to phone home to report on the toner cartridges.

    Presumably to confirm that you are using 3rd party toner and invalidating the warranty; avoiding the usual trick of removing the original toner cartridges and then putting them back if a fault appears.

    I told it "No" but who knows if it obeyed me?

    The defaults on installation are massively biased towards data collection.

    I don't have a current use case for Internet printing; perhaps there might be for households where there is nobody at home you can trust to print a file locally?

    1. Charles 9

      Re: Insidious

      "Presumably to confirm that you are using 3rd party toner and invalidating the warranty; avoiding the usual trick of removing the original toner cartridges and then putting them back if a fault appears."

      And there are those that simply don't care because the printer is secondhand and without warranty anyway. Next thing you'll know they'll add some new requirement that'll let them prevent resale of all existing printers...

    2. Sandtitz Silver badge

      Re: Insidious

      "My latest HP printer wanted to phone home to report on the toner cartridges. Presumably to confirm that you are using 3rd party toner and invalidating the warranty "

      Using 3rd party toners does not void warranty in countries with reasonable consumer protection.

      If however the 3rd party toner borks the printer then the warranty may be void and the 3rd party supplier would be responsible to unbork the printer in addition to replacing the faulty toner with a new one / giving money back.

  6. peasant

    Iot or Bitdefender lack of products 2017

    Would this be home or office. Whilst you might need an internet facing printer in your office I doubt you would need a raft load of electric ovens.

    Hmmm the conversation quickly digressed, I wonder why.

    However I give you a shit load of fear so you can buy some Bitdefender products next year which will alleviate nearly all of the problems discussed. However as of yet there are no products, but our free version might help with your internet printer.. or not

  7. Spoobistle

    Internet of punter-milking

    I'm starting to wonder if anyone thinks about quality any more. It seems we are lumbered with either cheap as chips tat which can be exploited by any hacker, or locked down "milking machines" which only function while they can phone home to check the subscription is being paid. (Case in point: I have three old BT Vision boxes at home, which I picked up in the detritus at car boot sales. These would be perfectly capable of functioning as Freeview receivers or PVRs, but the software makes this impossible to do legally. So all they can do is bulk up the electrical appliance waste stream.)

    I'd like to see appliances marketed in such a way that "Internet extras" are clearly differentiated from on-going expectations of function, and are assessed for safety and security. I don't know who is going to push this though. "Which" perhaps?

    1. Charles 9

      Re: Internet of punter-milking

      Nope. The manufacturers have gone over their heads and straight to the regulators. Watch what happens when this stuff becomes mandatory.

  8. Tom 7

    Printing? Is that still a thing?

    OK the kids do it for homework - ironically mostly for IT - but apart from returning shit that wouldn't need to be returned if the people who sent it could use a computer we are 99.99999% in the 21stC.

  9. ma1010

    Great product idea?

    I don't need my printer, fridge, TV, oven, washer, dryer or any bloody thing except my computer and phone getting on the Internet. And then only to do what I want them to do. Something that could help people fight back against all this might find a large market. Perhaps someone could design a not-so-hopeless router that blocks Internet access by default and allows only the computer, phone and specific, designated appliances to get out?

    1. Martin an gof Silver badge

      Re: Great product idea?

      Perhaps someone could design a not-so-hopeless router that blocks Internet access by default and allows only the computer, phone and specific, designated appliances to get out?

      But this is already possible with most half-decent routers. The trick is making it the default, and making it easy to use for non-technical types. This is very difficult.

      My router has Bonjour and uPnP turned off, so devices can't tunnel, and although I haven't set it up, it has rules which allow me to block specific MAC addresses from, or only allow specific MAC addresses access to the "outside".

      But this presupposes you have a reliable router, not one that has firmware that constantly re-enables features you thought you'd disabled. They are expensive, but I've been quite impressed with the few Draytek routers I've used. My previous router was a £12 TP-Link device that wasn't terribly stable, but didn't seem to be snooping or opening backdoors without my knowledge...

      M.

      1. Charles 9

        Re: Great product idea?

        "But this presupposes you have a reliable router, not one that has firmware that constantly re-enables features you thought you'd disabled. They are expensive..."

        ...which means your idea is dead in the water. You have to make something that's not only turnkey-simple enough for Joe Stupid to not mess up, but they have to be able to actually afford it.

        1. Martin an gof Silver badge

          Re: Great product idea?

          It's not "my idea". I was trying to say that many of the routers that people already have are capable of blocking this sort of thing. Not every router is a surveillance station for the Chinese secret service. I gave the example of Draytek as selling routers that have good reputations, but I admit they are more expensive than some. I also mentioned a much cheaper router that I have used that also has many of the same facilities.

          What neither of these options has is the ability, automatically (i.e. with no or with minimal user intervention), to identify what should and what shouldn't be allowed access. How could you do it? Look up who owns the range of MAC addresses and allow Asus or Gigabyte through, but not Beko or Bosch? How do you deal with a company such as LG that makes both devices you probably would like to access the internet - mobile phones and smart TVs - and devices you wouldn't - washing machines?

          And the other key thing that is missing is some kind of accreditation for routers where an independent company audits the devices for the ability to do what they should do, and nothing more. Best of luck getting that off the ground :-)

          M.
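Added example, not part of any comment in this thread: a sketch of the default-deny, allow-only-designated-devices policy discussed above, next to the "look up who owns the MAC range" idea, showing where the vendor lookup stops being useful. It goes slightly beyond the comment by also handling locally administered (often randomised) MAC addresses. The OUI prefixes, vendor names and device addresses are constructed placeholders, not real registry assignments.

```python
import re
from dataclasses import dataclass

# Constructed OUI -> vendor table (placeholder prefixes and names).
OUI_VENDOR = {
    "a0:00:01": "ExamplePC",         # only makes computers
    "a0:00:02": "ExampleAppliance",  # only makes white goods
    "a0:00:03": "ExampleMixed",      # makes phones, TVs and washing machines
}

# What a vendor-level rule could say about each vendor.
VENDOR_HINT = {
    "ExamplePC": "allow",
    "ExampleAppliance": "deny",
    "ExampleMixed": "ambiguous",     # vendor alone cannot tell phone from washer
}


@dataclass(frozen=True)
class Decision:
    mac: str
    allowed: bool   # what the router actually enforces
    hint: str       # what the OUI lookup would have guessed
    reason: str


def normalise(mac: str) -> str:
    """Accept aa:bb.., aa-bb.. or aabb.ccdd.. and return lower-case aa:bb:.."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def vendor_hint(mac: str) -> tuple[str, str]:
    """Guess from the OUI alone; returns (hint, explanation)."""
    mac = normalise(mac)
    # Bit 0x02 of the first octet marks a locally administered address,
    # so the first three octets are not a vendor prefix at all.
    if int(mac[:2], 16) & 0x02:
        return "unknown", "locally administered address, no vendor prefix"
    vendor = OUI_VENDOR.get(mac[:8])
    if vendor is None:
        return "unknown", "OUI not in table"
    return VENDOR_HINT[vendor], f"vendor {vendor}"


def build_allowlist(macs) -> frozenset:
    return frozenset(normalise(m) for m in macs)


def decide(mac: str, allowlist: frozenset) -> Decision:
    """Default deny: only devices the owner designated get out."""
    mac = normalise(mac)
    hint, why = vendor_hint(mac)
    if mac in allowlist:
        return Decision(mac, True, hint, "designated by owner")
    return Decision(mac, False, hint, f"default deny ({why})")


if __name__ == "__main__":
    # Constructed home network: one designated laptop, three other devices.
    allow = build_allowlist(["A0-00-01-11-22-33"])
    for device in ("a0:00:01:11:22:33", "a0:00:02:aa:bb:cc",
                   "a0:00:03:44:55:66", "da:a1:19:00:00:01"):
        print(decide(device, allow))
```

A device can change its own MAC address, so a list like this is an inventory control on well-behaved devices rather than authentication.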

          1. Charles 9

            Re: Great product idea?

            "And the other key thing that is missing is some kind of accreditation for routers where an independent company audits the devices for the ability to do what they should do, and nothing more. Best of luck getting that off the ground :-)"

            Correct, because there's no such thing as a truly-independent auditor that couldn't be influenced in some way by a big company with deep pockets or simply the whims of their sovereign ruler.

  10. joed

    nothing new

    Some 2 years ago I had to google some printer firmware issue. To my amazement one of the results was the admin interface of an HP printer in some local government office in Canada. I used the opportunity to just print out a polite message to take the thing off the Internet. I bet I could retrieve some of the recent print jobs (if I cared for that).

    1. Alan Brown Silver badge

      Re: nothing new

      "I used the opportunity to just print out a polite message to take the thing off the Internet."

      15+ years ago we discovered that one of our printers was being used as a zero-day warez repository.

      Thanks, Hewlett Packard.

      (And no, newer printers aren't any more secure than the old ones)

  11. kbannan

    I can definitely see this. Just read a blog that details some of the things you can do to mitigate the risk of printers on your network. Here are two items from the blog:

    -- Make sure that computing devices use only encrypted communication protocols, and disable unused ports and protocols on the printer.

    -- Support at least one form of user authentication (preferably two or three), and consider the implementation of pull printing for print environments with a high volume of confidential information or compliance requirements.

    The rest of the article talks about why hackers love printers. There are lots of reasons. :) You can find the article here. It's a bitly so just add this to bitly: /2ctpAK9

    Karen Bannan, commenting for IDG and HP
