Wi-Fi Printer Security: How to Block Access from Hackers and Neighbors

Network printers with support Wi-Fi — a convenient solution for the office or home, but they become an easy target for attackers. An unprotected device can not only print hundreds of sheets of junk, but also access the local network, intercept documents, or use the printer as a platform for attacks on other devices. According to KasperskyIn 2023, 42% of IoT device incidents involved printers—their owners rarely change factory security settings.

The problem is compounded by the fact that many users are unaware of the risks. A printer with an open port 9100 or enabled protocol LPD can be found online in minutes using scanners like Shodan. And if the device supports cloud printing (Google Cloud Print, HP ePrint), the chances of being hacked increase dramatically. In this article - Specific steps to secure your Wi-Fi printer that will take no more than 20 minutes but will make it virtually invulnerable.

1. Why a Wi-Fi printer is vulnerable: main risks

Most attacks on printers exploit three key vulnerabilities:

  • 🔓 Factory credentials. Many models (Canon PIXMA, Epson EcoTank, Brother HL-L2300D) by default they use an empty password or a combination like admin/adminThis information can be easily found in the instructions or in the database. DefaultPasswords.
  • 📡 Open portsProtocols IPP (port 631), LPD (port 515) and JetDirect (port 9100) often remain accessible from the Internet even if the printer is only connected to the local network.
  • 🖨️ Outdated softwareManufacturers rarely release updates for printers older than 3-5 years, and critical vulnerabilities remain in the firmware (for example, CVE-2021-3438 For HP LaserJet).

Real-life example: In 2022, hackers exploited a vulnerability in printers Xerox WorkCentre to distribute racist leaflets at US universities. The attack was made possible by open access to the devices' web interfaces. Similar incidents were recorded in Russia in 2023, where attackers printed ransom demands on small business printers.

⚠️ Attention: If your printer supports AirPrint (For Apple) or Mopria (For Android), it automatically opens ports for the local network. This isn't dangerous in itself, but when combined with a weak password, it creates risks.

2. Step 1: Change the factory password and username

The first thing you need to do after connecting your printer to Wi-Fi is change default credentialsMost models allow you to do this via a web interface or control panel.

How to find the web interface:

  1. Find out the local IP address of the printer (you can print a network report or look it up in the router section DHCP clients).
  2. Enter this IP into the address bar of your browser (for example, http://192.168.1.105).
  3. Log in with factory data (usually admin/empty password or admin/admin).

Next, go to the section Settings → Security → Administrator Settings (The name may vary.) Create a complex password of at least 12 characters that includes:

  • 🔤 Capital and small letters (AaBbCc)
  • 🔢 Numbers (123)
  • 🔑 Special characters (!@#$)
⚠️ Attention: Do not use passwords that are specific to the printer model (e.g. EpsonL3250!). Hackers check such combinations first.

☑️ Secure printer password

Completed: 0 / 4

For models HP (For example, HP OfficeJet Pro 9015e) changing the password may require software installation HP SmartIn this case:

  1. Connect the printer to your PC via USB.
  2. Launch HP Smart and go to Printer Settings → Security → Change Password.

3. Step 2: Set up Wi-Fi network encryption

If the printer is connected to Wi-Fi, its security directly depends on the router settings. Minimum level of protection - this is encryption WPA2-PSK (AES). However, it is better to use WPA3, if the router and printer support it.

How to check and change settings:

  1. Go to the router's web interface (usually 192.168.0.1 or 192.168.1.1).
  2. Go to the section Wi-Fi → Security (or Wireless Network → Security).
  3. Select WPA3-Personal (or WPA2/WPA3 Mixed Mode, if the printer does not support WPA3).
  4. Set a strong password for your Wi-Fi (different from your printer's password!).
Encryption type Security level Printer support
WEP 🚨 Low (hackable in minutes) Obsolete models (before 2010)
WPA-PSK (TKIP) ⚠️ Average (vulnerable to attacks) Most printers from 2010-2015.
WPA2-PSK (AES) ✅ High All models after 2015
WPA3-Personal ✅✅ Maximum New models (2020+)

If your printer does not support WPA3, check the possibility of updating the firmware. For example, for Brother MFC-L2710DW update to version 1.20 adds support WPA3.

📊 What type of encryption does your Wi-Fi router use?
WEP
WPA
WPA2
WPA3
Don't know

4. Step 3: Disabling unnecessary protocols and ports

By default, printers open several ports for network printing:

  • 9100/TCPJetDirect (obsolete, but still in use)
  • 515/TCPLPD (Line Printer Daemon, unsafe)
  • 631/TCPIPP (Internet Printing Protocol, more secure)

For home use it is enough to leave only IPP (port 631). The rest can be disabled through the printer's web interface:

  1. Go to Network → Ports (or Settings → Network Services).
  2. Turn it off LPD And JetDirect.
  3. For IPP enable authentication (option Require Authentication).

For models Canon (For example, PIXMA TR8620) the path will be like this: Settings → Network Settings → LAN Settings → Port Settings.

⚠️ Attention: If you are using a printer in an office with legacy systems (e.g. Windows XP), shutdown LPD may disrupt compatibility. In this case, restrict access by MAC addresses (see the next step).

5. Step 4: Filtering by MAC addresses

Filter by MAC addresses — an additional layer of security that limits printer access to authorized devices. This isn't a panacea (MAC addresses can be spoofed), but it will make it more difficult for attackers.

How to set up:

  1. Find out the MAC addresses of all devices that need access to the printer (PCs, laptops, smartphones). Windows This can be done through the command:
    ipconfig /all

    Look for the line Physical Address.

  2. Go to the printer's web interface and find the section Network → MAC Filter (or Security → Access Control).
  3. Add MAC addresses to the whitelist and enable filtering.

Example for a printer Epson EcoTank ET-2800:

  • Go to Settings → Network Settings → Wireless LAN → MAC Address Filter.
  • Select Permit (allow only specified addresses).
  • Enter MAC addresses separated by commas (e.g. 00:1A:2B:3C:4D:5E, 00:1F:2G:3H:4I:5J).
What should I do if my device's MAC address has changed?

If you reset your PC's network settings or changed the network card, the MAC address may change. In this case, add the new address to the printer's whitelist. You can find the current MAC address using the command getmac (Windows) or ifconfig (macOS/Linux).

6. Step 5: Update the printer firmware

Manufacturers regularly release firmware updates that patch vulnerabilities. For example, in 2023 HP released a patch for a critical vulnerability CVE-2023-1707, which allowed remote code execution on printers of the series LaserJet.

How to update firmware:

  1. Download the latest version from the manufacturer's official website (section Support or Downloads).
  2. For most models (Brother, Canon) the update is installed via the web interface: Settings → Device Settings → Firmware Update.
  3. For HP use the utility HP Firmware Update Tool.

Important: do not interrupt the update processFor printers Epson This may brick the device. If the update takes longer than 20 minutes, do not turn off the printer—wait until it completes or an error occurs.

Brand Update method Average time
HP Through HP Smart or utility Firmware Update Tool 5–15 minutes
Canon Web interface or utility IJ Network Tool 10–20 minutes
Brother Web interface or BRAdmin Professional 3–10 minutes
Epson Web interface or Epson Software Updater 15–30 minutes
⚠️ Attention: After updating the firmware, some security settings (such as the administrator password) may be reset to factory defaults. Please check them again!

7. Step 6: Disabling cloud services and remote access

Functions like Google Cloud Print, HP ePrint or Epson Connect They're convenient, but they create additional risks. They expose the printer to the internet, which can be used for attacks.

How to disable:

  • 🌐 Google Cloud Print: go to Google account, remove the printer from the list of devices.
  • 🖨️ HP ePrint: In the printer's web interface, go to Settings → Web Services → Turn Off.
  • 📧 Epson Connect: Settings → Epson Connect Services → Disable.

If cloud printing is critical (e.g. for remote work), at least:

  • Use a strong password for your cloud service account.
  • Enable two-factor authentication (if supported).
  • Restrict access by IP (for example, only for your office).

For models Brother Disabling remote access occurs in the section Network → WAN → Remote Setup → Disable.

8. Step 7: Additional security measures

For maximum protection, here are a few more steps:

  • 🔌 Disable WPSThis feature simplifies connecting to Wi-Fi, but is vulnerable to brute-force attacks. Disable it in the router's settings section. Wi-Fi → WPS → Disable.
  • 📡 Create a guest network for the printerSet up a separate network on your router for IoT devices with limited access to the local network.
  • 🔄 Enable event logging. In the printer's web interface, enable logging (Settings → System → Event Log). This will help track suspicious activity.
  • 🔒 Use a VPN for remote accessIf you need access to the printer from outside, set it up WireGuard or OpenVPN on the router instead of port forwarding.

For office printers (Xerox AltaLink, Ricoh MP C3004) also recommended:

  • Tune IPSec to encrypt traffic between the PC and the printer.
  • Use certificates instead of passwords for authentication.
📊 Do you use a printer at home or in the office?
Home
Office (up to 10 people)
Office (10+ people)
Public place (cafe, coworking)

FAQ: Frequently asked questions about Wi-Fi printer security

My printer doesn't support WPA3. What should I do?

Use WPA2-PSK (AES) and additionally enable MAC address filtering. Also, check if there's a firmware update that adds support. WPA3.

How do I check if my printer is hacked?

Signs of hacking:

  • Unknown print jobs.
  • Changed settings in the web interface.
  • The printer connects to unknown networks.

Check the event log (Event Log) and a list of devices connected to the router.

Do I need to change my network SSID for printer security?

Changing the network name (SSID) does not directly improve security, but it will help prevent targeted attacks. Do not use personal information in the name (e.g. Ivanov_Printer).

Is it possible to completely block access to a printer from the Internet?

Yes. Disable port forwarding (Port Forwarding) on the router and deactivate cloud services in the printer settings. Also, check that the printer does not have a public IP address (it should be in the range 192.168.x.x or 10.x.x.x).

Which printers are the most secure?

Models with certificate Common Criteria EAL4+ or support IPSec:

  • HP LaserJet Enterprise M608 (built-in firewall)
  • Xerox AltaLink C8130 (disk encryption and certificate authentication)
  • Brother MFC-L6900DW (support WPA3 And IPv6)