June 29, 2020
Since July 2019, The Shadowserver Foundation has been participating in an EU CEF (Connecting Europe Facility) funded project called VARIoT. The main goal of the VARIoT (Vulnerability and Attack Repository for IoT) project is to create new services that provide actionable security-related information about the Internet of Things (IoT)
One of The Shadowserver Foundation’s roles in the project involves expanding its internet wide daily port scanning capability to enable the mapping of exposed IoT devices on the Internet. The aim is to alert National CSIRTs and network owners of exposed and potentially vulnerable IoT devices, as well as to build higher level statistics about IoT device types observed on a per-country level, which can be shared via the European Data Portal with the general public.
The Shadowserver Foundation’s new Internet Printing Protocol (IPP) scan is the second (after the Open MQTT scan) IPv4 Internet-wide scan that the foundation has enabled as part of its VARIoT efforts.
It is aimed at uncovering printing devices which use IPP (a HTTP POST based protocol) that have been connected to the Internet without adequate access controls or authorisation mechanisms in place. This could allow for a potential range of different types of attacks, from information disclosure and service disruption/tampering, to, in some cases, remote command execution.
Network connected printers have been with us for a long time, but their security aspects are often still misunderstood or completely ignored by many end users.
The Shadowserver Foundation explained: “We scan by sending an IPP Get-Printer-Attributes request to TCP port 631. We started regular scanning of all 4 billion routable IPv4 addresses on the 5 June 2020 and added Open IPP reporting as part of our daily public benefit remediation network reports on the 8 June 2020. Our IPP scans uncover around 80,000 open devices (printers) per day. Obviously these counts only represent devices that are not firewalled and allow direct querying over the IPv4 Internet.”
A full country and printer type breakdown can be found here.
Out of the roughly 80,000 exposed services, a large percentage returned additional printer information attributes, such as printer names, locations, models, firmware versions, organisational units and even printer wifi ssids.
The Shadowserver Foundation said: “We hope that the data being shared in our new open IPP device report will lead to a reduction in the number of exposed IPP-enabled printers on the Internet, as well as raise awareness of the dangers of exposing such devices to unauthenticated scanners/attackers. It is unlikely that many people need to make such a printer accessible to everyone – these devices should be firewalled and/or have an authentication mechanism enabled.”
Details about the format of the new report being shared can be found in the new Open IPP Report page.
Categories : World Focus