Protecting my printer against external attack...

ChrisR

All this news about Internet of Things devices becoming zombies in massive internet attacks is a bit worrying, when you're at my level of a bit of technical knowledge of limited currency. I was briefly a UNIX admin... but it was some time in the 1980s, so not too relevant to today's issues. At home we have a consumer Canon MG5250 printer (installed 2011), a MacBook Pro running Yosemite, a PC running Win10, and a Plusnet Technicolor router (installed 2013). (Oh, and an Android mobile, not sure if that's an issue.) Both the Mac and PC have Kaspersky AV software running, which gives me some level of reassurance.

Presumably the router and the printer are most at risk here. I don't remember the setups for either of them, but I'm trying to work it out. As far as I can remember, the router comes with non-default passwords, i.e. specific passwords provided with the packaging and/or on the router label. I have not changed any of those passwords.

I've managed to print out the network settings of the printer. It says authentication is AES, WEP Key Length is Inactive, and Authentication is WPA2-PSK. There are two entries for IPsec and Security Protocol that are blank. The printer is directly connected to the PC, but used wirelessly from the Mac (in another part of the house).

I'm guessing the right approach here is first to ensure the router is sufficiently secure, second to ensure the printer can't be accessed from outside the local network, third to ensure the printer settings are the best balance between security and usability.

Any advice on what steps to take would be welcome. I have not yet raised any query with Plusnet, as I'm not sure what questions to ask!
 
One of the key things I would do is to check whether UPnP is switched off on your router. Too many devices "punch a hole" in firewalls to phone home or be reached externally whilst really not required.

If you block that and block incoming traffic you should be ok. Printer, CCTV cameras are some of the worst culprits to do that.
 
Turning your printer off should do it. Preferably at the plug.
 
Turn off your computer as well. They'll never get you then.
 
One of the key things I would do is to check whether UPnP is switched off on your router. Too many devices "punch a hole" in firewalls to phone home or be reached externally whilst really not required.

If you block that and block incoming traffic you should be ok. Printer, CCTV cameras are some of the worst culprits to do that.

Thanks, Sir!

I did discover this afternoon that there appear to be two firewalls, one at Plusnet, one in the router. The first one was off, the second at a default setting that seemed pretty strong. I've set the first one to High, and we'll see what trouble it causes if any (dunno if incoming FaceTime on the iPad I forgot to mention might be affected).

I remember noticing UPnP at some point, and since I don't do gaming I assume it's off, but I'll check that tomorrow.
 
Turning your printer off should do it. Preferably at the plug.
Turn off your computer as well. They'll never get you then.
Don't forget the smartphones

Thanks... the printer stays off most of the time, but can sometimes stay on for a few days if I know I'll be doing more printing, to save on ink from head cleaning. Just using the on-machine button though... I guess it's probably still on in there somewhere. :(
 
One of the key things I would do is to check whether UPnP is switched off on your router. Too many devices "punch a hole" in firewalls to phone home or be reached externally whilst really not required.

If you block that and block incoming traffic you should be ok. Printer, CCTV cameras are some of the worst culprits to do that.
Any router made in the last decade should default block incoming traffic (although, curiously, the Technicolor doesn't unless running in a single public IPv4 address configuration, which while what most home users have is not what I have). If you have a subnet and so have NAT disabled, it lets it all in. When I was using one I ran a separate dedicated hardware firewall appliance between it and the switch.

UPnP had a vulnerability which could expose devices behind a NAT router to the internet, which since UPnP is intended for domestic rather than corporate settings means home networks which will typically have limited internal security, often with unpatched operating systems and so on. If people rely on NAT for intrusion prevention then they shouldn't be allowed an internet connection. NAT is evil (should be my catchphrase).

The Technicolor has a very powerful command line configuration if you telnet into it rather than using the rather rubbish interface it presents over HTTP; you can set up all sorts of routing and firewall rules.
 
OK, the router settings say UPnP is enabled; the next line says "Ext Security: Yes", whatever that means. There are no listed Assigned Games and Apps. Guess I should turn UPnP off...

I looked up the port requirements for FaceTime and Skype. Skype wants access either to all ports above 1024, or to 80 and 443. FaceTime wants a lot: 80, 443, 3478-3497, 5223, 16384-16387, 16393-16402. Hmm.
 
IMO always worth running "shields up" over at GRC.com; it will show the level of exposure you have based on ports.

They also have other tools to check other types of exposure!
 
Had an online chat with Plusnet support today. Helpful, as far as it goes, but you can't really explore things to get to understand the answers better.

It appears my router firmware is up to date and shouldn't need an update. I pressed them a bit, and he said "Our products team are up to date on the latest issues, we at Plusnet take security very seriously and where required we will look to release software and firmware that protects our customers and our network from any security exploits or vulnerabilities." I asked how, he said they had some remote administration software, that the router serial number was registered on the account, which allowed them to push firmware updates to the router.

I wasn't entirely sure how convincing that was. AFAIK my router has never been updated, and I'd be surprised if there were no known vulnerabilities in 3 years. OTOH I suppose it could have got upgraded without our knowing...
 
IMO always worth running "shields up" over at GRC.com; it will show the level of exposure you have based on ports.

They also have other tools to check other types of exposure!

I'd never heard of them, thanks for that. This forum really works! (y)

Tried it. With the Firewall set to High (which looks like it will block incoming FaceTime, test this evening), they said:

"THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!"

Good news, I guess!
 
Well that was interesting. I asked the Plusnet guy whether it would be a problem for incoming FaceTime calls that I had set their firewall level to High. He replied "Yes it will block all incoming connections. High will isolate your connection to a very limited range of functions... so if you want to communicate with other machines [High] will cause a lot of problems. Low is adequate enough to protect your local network from any illegitimate access."

As I mentioned above, I was expecting an incoming FaceTime call this evening, from my son, whom I had forewarned. I was expecting a text to say it had not worked, but was quite surprised when we did receive the incoming call, and chatted for a while with no apparent problems. :) Not quite sure how that happened... anyway I guess I'll leave that High setting in place for now. The problem is, it'll likely cause trouble in a couple of months' time, when I have forgotten all about it! :(
 
FaceTime will work because both devices are registered to a central service for push notifications. Provided the correct network ports are open on the firewall for outbound connections, then FaceTime will usually work just fine.

When your son started the call, your phone was notified via a push notification and started the call in the other direction. The FaceTime servers handle the connections and you get to talk to your son :)
 
FaceTime will work because both devices are registered to a central service for push notifications. Provided the correct network ports are open on the firewall for outbound connections, then FaceTime will usually work just fine.

When your son started the call, your phone was notified via a push notification and started the call in the other direction. The FaceTime servers handle the connections and you get to talk to your son :)

That sounds reasonable... except I can't see how the push notification gets to the iPad (wifi only) without any inbound ports open? Unless it's sitting there polling all the time...
 
That sounds reasonable... except I can't see how the push notification gets to the iPad (wifi only) without any inbound ports open? Unless it's sitting there polling all the time...

That's more or less what is happening, your iPad registers itself with the Apple push notifications service and that connection remains active in the background even if your device is sleeping. The only way to stop it is to disable notifications or switch off the device.
 
That sounds reasonable... except I can't see how the push notification gets to the iPad (wifi only) without any inbound ports open? Unless it's sitting there polling all the time...

That's more or less what is happening, your iPad registers itself with the Apple push notifications service and that connection remains active in the background even if your device is sleeping. The only way to stop it is to disable notifications or switch off the device.
https://developer.apple.com/library...tml#//apple_ref/doc/uid/TP40008194-CH100-SW9/

In case you are troubled by sleepless nights :)
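
Added example (not part of any post in this thread): a small model of the stateful filtering discussed above, showing why a push notification reaches the iPad while all unsolicited inbound traffic is dropped. The addresses, the printer port and the 300-second idle timeout are assumptions made for the illustration, NAT is left out, and port 5223 is taken from the FaceTime port list quoted earlier. The idle-timeout step goes slightly beyond the posts to show why the device has to keep its connection alive.

```python
IDLE_TIMEOUT = 300  # seconds; assumed value, real routers differ

class StatefulFirewall:
    """Allow outbound traffic, allow replies on tracked flows, drop everything else."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.flows = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> last seen time

    def outbound(self, now, lan, remote):
        """A LAN device sends a packet: allowed, and the flow is remembered."""
        self.flows[lan + remote] = now
        return "ACCEPT"

    def inbound(self, now, remote, lan):
        """A packet from the internet: allowed only on a live, tracked flow."""
        key = lan + remote
        last = self.flows.get(key)
        if last is None:
            return "DROP"              # nobody inside asked for this traffic
        if now - last > self.idle_timeout:
            del self.flows[key]        # flow went idle and was forgotten
            return "DROP"
        self.flows[key] = now
        return "ACCEPT"

def run_scenario():
    """Replay a constructed sequence of packets and return the verdicts in order."""
    fw = StatefulFirewall()
    ipad = ("192.168.1.20", 50123)      # constructed LAN addresses
    printer = ("192.168.1.30", 631)
    push = ("203.0.113.10", 5223)       # stand-in for the push service
    stranger = ("198.51.100.7", 40000)  # unsolicited internet host
    return [
        fw.outbound(0, ipad, push),         # iPad opens its push connection
        fw.inbound(60, push, ipad),         # notification arrives on that flow
        fw.inbound(61, stranger, printer),  # probe aimed at the printer
        fw.inbound(62, push, printer),      # known server, but no flow from the printer
        fw.inbound(1000, push, ipad),       # flow idle for longer than the timeout
        fw.outbound(1001, ipad, push),      # iPad reconnects
        fw.inbound(1002, push, ipad),       # notifications work again
    ]

if __name__ == "__main__":
    print(run_scenario())
```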
 