Exposed IPP-enabled printers on the Internet
One of the new scans enabled as part of the VARIoT project is the IPP (Internet Printing Protocol) scan. This blog entry updates the original entry announcing the scans, which are conducted by project consortium member The Shadowserver Foundation, with the latest scan results and an EU breakdown of hosts.
What is the goal of the scan?
The IPP scan is aimed at uncovering printing devices which use IPP (an HTTP POST-based protocol) and have been connected to the Internet without adequate access controls or authorization mechanisms in place. This could allow a range of different types of attacks, from information disclosure and service disruption/tampering to, in some cases, remote command execution. Network-connected printers have been with us since the Internet was born (and long before the IoT term was coined!), but their security aspects are often still misunderstood or completely ignored by many end users.
How do we scan?
We scan by sending an IPP Get-Printer-Attributes request to TCP port 631. We started regular scanning of all 4 billion routable IPv4 addresses on the 5th of June 2020 and added Open IPP reporting as part of our daily public benefit remediation network reports on the 8th of June 2020. Our IPP scans originally uncovered around 80 000 open devices (printers) per day. About half a year later, as of the 28th December, we now uncover around 71 000 open printers per day. Obviously these counts only represent devices that are not firewalled and allow direct querying over the IPv4 Internet.
What do the country level results show?
As of the 28th December 2020, the IP-geolocated country breakdown of the above reachable IPP responses is as follows:
As with our first scans, South Korea, the United States and Taiwan have the most exposed printers, with France being the top EU country.
How has the printer exposure changed over time?
We observe a systematic worldwide drop in exposed printers, something our reporting has hopefully also contributed to.
We observe a larger drop percentage-wise in the EU (+UK).
In the EU (+UK) we note a drop from 16,025 devices on the 8th June 2020 to 11,516 devices on the 28th December 2020, with the top countries being France, Italy and the United Kingdom. This means that the drop in the EU+UK accounted for around 50% of the worldwide drop in exposed printers.
What printer models are most exposed worldwide?
Out of the roughly 71,000 exposed services, a large percentage returned additional printer information attributes, such as printer names, locations, models, firmware versions, organizational units and even printer wifi SSIDs.
For example, the Top 20 printer make-and-model attribute values returned for the 28th of December 2020 were as follows (20,994 entries in total returned):
3006 | Local Raw Printer |
659 | Samsung C48x Series |
550 | Samsung M267x 287x Series |
314 | Brother DCP-1200 – CUPS + Gutenprint v5.2.10 |
294 | Samsung M2070 Series |
230 | Samsung M332x 382x 402x Series |
226 | HP Business Inkjet 2200 – CUPS+Gutenprint v5.2.10 |
219 | CNMF230 Series |
208 | CNMF633C/635C |
182 | HP LaserJet MFP M129-M134 |
169 | HP LaserJet M402dn |
166 | Samsung C43x Series |
156 | Samsung M337x 387x 407x Series |
154 | SINDOH D410 |
142 | Epson Artisan 50 – CUPS+Gutenprint v5.2.10 |
141 | HP ColorLaserJet MFP M278-M281 |
140 | C56x Series |
139 | Samsung X3220 Series |
137 | SINDOH D420 |
137 | HP LaserJet Pro MFP M127fn |
Top 20 Exposed Printer Make-and-Models
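The request described under "How do we scan?" and the attribute disclosure described above can be checked against a printer you administer with the following added example (not Shadowserver's scanner code): it encodes an IPP/1.1 Get-Printer-Attributes body per RFC 8010 and parses a response into the identifying attributes it reveals. The function names, the `IDENTIFYING` selection and the sample response are constructed for illustration, and the block does no network I/O.

```python
import struct

OP_GET_PRINTER_ATTRIBUTES = 0x000B  # operation-id, RFC 8011
TAG_OPERATION, TAG_END, TAG_PRINTER = 0x01, 0x03, 0x04  # delimiter tags
TAG_TEXT, TAG_URI, TAG_CHARSET, TAG_LANG = 0x41, 0x45, 0x47, 0x48  # value tags
IDENTIFYING = ("printer-name", "printer-location", "printer-make-and-model",
               "printer-firmware-string-version", "printer-wifi-ssid")  # example's pick

def attr(tag, name, value):  # value-tag, name-length, name, value-length, value
    n, v = name.encode(), value.encode()
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v

def build_request(printer_uri, request_id=1):
    """IPP/1.1 Get-Printer-Attributes body for an HTTP POST (application/ipp)."""
    return (struct.pack(">BBHI", 1, 1, OP_GET_PRINTER_ATTRIBUTES, request_id)
            + bytes([TAG_OPERATION])
            + attr(TAG_CHARSET, "attributes-charset", "utf-8")
            + attr(TAG_LANG, "attributes-natural-language", "en")
            + attr(TAG_URI, "printer-uri", printer_uri) + bytes([TAG_END]))

def parse_response(body):
    """Return (status-code, {name: [raw values]}); ValueError if malformed."""
    try:
        status = struct.unpack_from(">H", body, 2)[0]
        attrs, pos, name = {}, 8, None
        while (tag := body[pos]) != TAG_END:
            pos += 1
            if tag <= 0x0F:              # delimiter tag opens a new group
                name = None
                continue
            nlen = struct.unpack_from(">H", body, pos)[0]
            if nlen:                     # 0 means another value of `name`
                name = body[pos + 2:pos + 2 + nlen].decode("ascii")
            vlen = struct.unpack_from(">H", body, pos + 2 + nlen)[0]
            start, pos = pos + 4 + nlen, pos + 4 + nlen + vlen
            if pos > len(body) or name is None:
                raise ValueError("truncated or malformed attribute")
            attrs.setdefault(name, []).append(body[start:pos])
        return status, attrs
    except (struct.error, IndexError, UnicodeDecodeError) as exc:
        raise ValueError("malformed IPP response") from exc

def disclosed(attrs):  # identifying attributes present, decoded as text
    return {k: [v.decode("utf-8", "replace") for v in attrs[k]]
            for k in IDENTIFYING if k in attrs}

# Constructed minimal response (status 0x0000 successful-ok); not scan data.
SAMPLE = (struct.pack(">BBHI", 1, 1, 0, 1) + bytes([TAG_OPERATION, TAG_PRINTER])
          + attr(TAG_TEXT, "printer-make-and-model", "Example Printer 1000")
          + attr(TAG_TEXT, "printer-location", "Example office") + bytes([TAG_END]))
```

An empty `disclosed()` result for a reply obtained from outside your network boundary means none of the flagged attributes was returned to an unauthenticated client.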
What are the risks and what can be done to mitigate them?
Exposing printer devices with anonymous, publicly queryable vendor names, models and firmware versions obviously makes it much easier for attackers to locate and target populations of devices affected by specific vulnerabilities, and potentially allows them to establish a foothold in your organization’s network.
We hope that the data being shared in our new open IPP device report will lead to a reduction in the number of exposed IPP-enabled printers on the Internet, as well as raise awareness of the dangers of exposing such devices to unauthenticated scanners/attackers. It is unlikely that many people need to make such a printer accessible to everyone – these devices should be firewalled and/or have an authentication mechanism enabled. Please consult your printer manual to verify how to enable authentication mechanisms and limit exposure!
How can I gain awareness of exposed IPP devices on my network?
As mentioned, we provide network owners and National CSIRTs with daily reports on exposed (and infected) devices on their networks. This includes information about exposed IPP devices. Details about the format of the IPP report being shared can be found on the Open IPP Report page. All existing Shadowserver report subscribers automatically receive the Open IPP Report if any open IPP services are identified within their networks and countries (for national CSIRTs).
If you are not already a subscriber to Shadowserver’s public benefit daily network reports and would like to receive this new open IPP report and our other existing report types, then please sign up to our free daily public benefit network remediation feed service.
Where can I get the latest statistics on your IPP scans?
If you wish to check the latest updated statistics for the IPP scan, please visit our dedicated IPP scan page.