Hi Mike and Benjamin,
> On Feb 16, 2024, at 1:03 PM, Benjamin Gordon via ipp <ipp at pwg.org> wrote:
> On Fri, Feb 16, 2024 at 1:49 PM Michael Sweet <msweet at msweet.org> wrote:
>>> 2. This specifically talks about IPP-USB. A lot of printers
>>> broadcast some kind of initial setup SSID when they're first plugged
>>> in. Does it make sense to allow this mechanism when connected to that
>>> SSID as well? This would be an improvement in convenience for the
>>> user, especially in cases where they might not be planning to put the
>>> printer within USB range of a computer.
>>>
>>> Obviously it's not as secure as being physically plugged into the
>>> printer, but in most home networks, the window where an attacker is
>>> going to come connect a new printer to a rogue network is going to be
>>> small. Since that SSID is specifically used for setting up the
>>> printer, an attacker could potentially just connect to it and set up
>>> the printer anyway.
>>>
>>> Does this deserve some discussion in the document, either as a
>>> possible implementation or as a reason why it's a bad idea?
>>
>> Probably worth discussing. FWIW, such usage would be trivial to exploit, from a distance, through walls, etc. With proper authentication it would be fine, just not without some access control.
>
> Agreed that it's trivial to exploit, but a printer broadcasting an
> open setup SSID is already trivial to exploit. If I'm within WiFi
> range and could push these IPP attributes to the printer, I could also
> just use the manufacturer's official app to set up the printer, change
> the password to something the owner doesn't know, etc. The printers
> I've played with have mitigations like turning off the setup SSID
> after a few minutes; those precautions would seem to apply here as
> well.
Regardless of whether there is Wi-Fi access control used by the printer's soft AP BSS, most devices are now supposed to have unique "default passwords", to comply with various cybersecurity requirements that have emerged in the last 5+ years. If we are to provide guidance, I would suggest we say that printers supporting these attributes over network interfaces such as Soft AP require authorization using the printer's unique default administrator password, which will provide that proof of physical access.