Check your firewall logs for outbound traffic from your printers

Topic

New Reply

The other day my copy/printer Ricoh vendor called me and said “we can’t get the printer counts from one of your copiers automatically, can you log it in via a web site” and up to this point in time we had faxed the counts in. One of the copiers has no internet access so like duh. I asked them how do they get the counts on the other three and they said “Oh we get it remotely“.

“you remote into my office?”

“yes”

“Since when?”

“Since one of our techs set it up”

I was like …. uh when did you switch over to where you have access to my copiers remotely and thank you because I now have to answer my cyber insurance questions differently.

Long story short they don’t ACTUALLY have remote access to my printers, but the printers DO beacon out to two Japanese IP addresses that they didn’t do before.

The  MP c4504 copiers reach out to the IP address of 210.173.216.59

The MP c4503 reaches out to the IP address of 210.173.216.40

And dear vendors:

1. Understand what is going on and don’t phrase it that “we have remote access”, this is not two way traffic, it’s one way
2. Know exactly what IP addresses are being used and inform the customer.  In a perfect world (I’m not there yet) I would have full egress outbound filtering and would only allow outbound what I approve.  So your IP to an unknown location would have been blocked.

Susan Bradley Patch Lady/Prudent patcher

3 users thanked author for this post.

Alex5723, Mr. Austin, windbg

Reply | Quote

Replies

Find a new vendor.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

Reply | Quote

No kidding.  That’s not nice.

This info in the printers setup and I don’t remember it there before, so clearly they’ve updated the firmware along the way.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

Charlie, Mr. Austin

Reply | Quote

Wow. Just recently I added an additional firewall appliance to our network, and it puts all networked devices behind a ‘non-routable’ IP range. I disabled wifi on our HP printer, but it’s still on Ethernet. I’ve generally trusted HP, but maybe it’s time to re-consider that.

And I’ve also made the network wired-only for many reasons. Not the least of which are that EMF pollution (including 5G) often makes living things sick without them knowing it. But a happy side effect of making things wired-only is that is I’m plugging some otherwise surprising holes in our network traffic.

Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

Reply | Quote

Search in your firewall logs for traffic that matches the IP address of the printers.  See if it’s ‘talking’ to anything.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Mr. Austin

Reply | Quote

I don’t update my printer’s firmware as it will block installing compatible toners.

Reply | Quote

Put your printers on a specific IP range and have your firewall block egress from that range?
Put PCs on a specific IP range / subnet and only allow internet access from that range?
Don’t allow any internal device to access the internet and put a proxy in. Set the proxy on allowed devices via GPO?

cheers, Paul

1 user thanked author for this post.

Mr. Austin

Reply | Quote

? says:

nice catch, Susan. in the olden days my HP895 CSE died so i went over to Walmart and picked up a HP 1000 for 20 bucks and hooked it up. much to my surprise it was phoning  home ostensibly to help me keep the ink cartridges full. removed a piece of software and problem solved. these days i just do’          “sudo systemctl disable –now cups cups-browsed.  printer spying problem solved…”

Reply | Quote

When one can’t easily discern why something is inexpensive (or free), it often turns out that our private data and/or private metadata are the true product. Whether or not we have assented to the terms of the clickwrap. Our HP printer was purchased on sale from Staples. It works well. But HP was also unnecessarily keen on tracking our ink and paper use via automated printer processes which would ‘phone home’ to HP. Nope. We decline to be HP’s product via our private metadata.

Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

Reply | Quote

Paul T wrote:

Put your printers on a specific IP range and have your firewall block egress from that range?
Put PCs on a specific IP range / subnet and only allow internet access from that range?
Don’t allow any internal device to access the internet and put a proxy in. Set the proxy on allowed devices via GPO?

cheers, Paul

Those are all smart strategies. Merci. Although in our instance the firewall is meant to be an additional ‘proxy’. And since our new, additional firewall is using DHCP just fine, I didn’t want to fiddle with the thing by assigning address leases in it. I’ll be interested in noodling this through, for the sport of being happy with the actions and outcomes of my abilities.

Human, who sports only naturally-occurring DNA ~ oneironaut ~ broadcaster

Reply | Quote

Do you pay by the copy?

🍻

Just because you don't know where you are going doesn't mean any road will get you there.

Reply | Quote

Yes.  Ergo why they want the copy count.  https://www.ricoh.com/products/printers-and-copiers/ They are leased printers/copiers.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

wavy

Reply | Quote

Oh how nice it is to have the luxury of having a old Brother laser printer with an 8ft. USB cord that I just plug in when I want to print something occasionally.

Being 20 something in the 70's was far more fun than being 70 something in the insane 20's

Reply | Quote