
Just use a Unix-based OS like OSX or Linux. No spyware / adware drivers needed.

Solved




Using an open source OS helps with malware hidden in drivers or the related installed junk, but unfortunately most network printers phone home, officially to download updates, as soon as they detect a network connection, and there's no way to know or control what they'll do with that connection, short of putting them behind a dedicated firewall. We have approached the era in which all networked devices should be considered as potentially harmful and dealt with appropriately. From TVs to household appliances, home automation systems etc., everything could be used to grab personal information. Hiding a mic or a micro camera in a printer, or any other device, is cheap and trivial today. We should consider an untrusted, separated network path for all these devices in the home network, so that they can't access our files and their connection attempts are actively monitored and controlled.


We have approached the era in which all networked devices should be considered as potentially harmful and dealt with appropriately.

We're well into that era, but neither the technological protections nor the legal ones have kept up.

Tech laws are still barely on the level of requiring manufacturers of network devices not to use the same default password every time and manufacturers of kitchen appliances to accept some basic "right to repair" provisions. These are steps in the right direction of course but they are small steps at the start of a marathon.

I think a lot of political leaders fail to appreciate the danger here. This has somehow remained true even as tech crime is rocketing. We are seeing more and more headlines about how some aspect of critical infrastructure has been brought down due to some form of technological attack, businesses have lost money due to data losses, people have had their identities stolen after data breaches, etc.

Meanwhile, the tech firms best placed to defend ordinary people and businesses against these kinds of attack are often the ones carrying out the attacks. The fox is guarding the hen house.

Just yesterday, there was a news story in the UK[1] about some home car charging stations being vulnerable to simple attacks. These devices get connected to both home networks and electricity grids. The specific models in question were government-approved too.

I think typical open-by-default networking is fundamentally broken today. It's like software for non-experts that doesn't have the option to install security updates automatically, or a browser or mobile OS that doesn't sandbox web pages or apps individually. Professionals use many tools to lock down organisational networks, audit and manage connected devices, and deal with modern challenges like bring-your-own-device, and they still get hit from time to time. Meanwhile home users are basically expected to install a new Trojan every time they buy a new device. This is not going to end well.

[1] https://www.bbc.co.uk/news/technology-58011014


Static IP your printers, don't supply a gateway. Problem solved.


Consider using VLANs for your home network. You can put devices into a separate VLAN without Internet access. This is easy to set up and does not require expensive equipment.


Should use one VLAN per device. I think manufacturers will start using their own mesh networks. If your neighbors have a Vizio TV, your Vizio TV will use their connection, same for Samsung, etc. If you have an open guest network, these devices will use it automatically.

The Brother printer I have attempts to hit some static IP in Japan for firmware updates, over unencrypted HTTP. So while on some OSes you can use it without installing a driver, on macOS your desktop will automatically download the vendor's software indirectly from Apple. That is why installing printers is a separate permission, as it updates system-level components.

The only immediate solution I see to this is to have a protocol-level firewall, say running on an RPi, that firewalls the printer off and intermediates all communication between the devices on the local network and the printer.
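The isolation the two comments above describe (an untrusted segment whose connection attempts are monitored, and a small box in front of the printer that only lets print traffic through) comes down to an egress policy. The following is an added example, not code from the thread or from any vendor: a minimal policy engine that classifies each connection involving the printer as legitimate LAN print traffic or as a phone-home to drop and log. The home subnet 192.168.1.0/24, the printer address 192.168.1.50, and the flow records are all constructed; the 203.0.113.x destinations are RFC 5737 documentation addresses standing in for a vendor update server, not the real address the poster observed.

```python
"""Egress policy check for a network printer on an untrusted segment.

Added example for illustration only. Every address, port set and flow
record below is constructed; adapt HOME_LAN and PRINTER to your network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_LAN = ip_network("192.168.1.0/24")     # assumed home subnet
PRINTER = ip_address("192.168.1.50")        # assumed printer address
PRINT_PORTS = {631, 9100}                   # IPP and raw "JetDirect" printing
MDNS = (ip_address("224.0.0.251"), 5353)    # Bonjour/AirPrint discovery


@dataclass(frozen=True)
class Flow:
    """One new connection attempt (IPv4 only in this example)."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def classify(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow' or 'drop'."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)

    # LAN clients submitting jobs to the printer: the only inbound traffic allowed.
    if src in HOME_LAN and src != PRINTER and dst == PRINTER and flow.dport in PRINT_PORTS:
        return "allow", "lan client -> printer print port"
    if src != PRINTER:
        return "drop", "not printer traffic, outside this policy"

    # Everything below is a connection the printer itself tries to open.
    if (dst, flow.dport) == MDNS and flow.proto == "udp":
        return "allow", "mDNS service announcement"
    if dst in HOME_LAN:
        # Replies to print jobs ride on existing connections; a printer opening
        # a fresh connection into the LAN (SMB, SSH, ...) is scanning or worse.
        return "drop", "printer opening new connection into LAN"
    # No gateway means nothing outside the LAN should ever be reachable.
    # Plain HTTP is called out separately: a firmware fetch over port 80 can be
    # tampered with by anyone on the path, not just the vendor.
    if flow.dport == 80:
        return "drop", "phone-home over unencrypted HTTP"
    return "drop", "phone-home to external address"


def audit(flows):
    """Apply the policy to a list of flows; return (allowed, dropped) with reasons."""
    allowed, dropped = [], []
    for f in flows:
        verdict, reason = classify(f)
        (allowed if verdict == "allow" else dropped).append((f, reason))
    return allowed, dropped


# Constructed sample: a print job, an mDNS announcement, a lateral SMB attempt,
# and two update checks (plain HTTP and HTTPS) to documentation addresses.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "192.168.1.50", 9100),
    Flow("192.168.1.50", "224.0.0.251", 5353, "udp"),
    Flow("192.168.1.50", "192.168.1.20", 445),
    Flow("192.168.1.50", "203.0.113.10", 80),
    Flow("192.168.1.50", "203.0.113.11", 443),
]

if __name__ == "__main__":
    allowed, dropped = audit(SAMPLE_FLOWS)
    for f, why in dropped:
        print(f"DROP {f.src} -> {f.dst}:{f.dport}/{f.proto}  ({why})")
```

The same decisions map directly onto a stateful firewall on the RPi or VLAN gateway: one accept rule for established connections, one for LAN-to-printer on the print ports, one for the printer's mDNS announcements, and a logged drop for everything else the printer originates. Keeping the printer on a static address with no default route (as suggested elsewhere in this thread) makes the external phone-homes fail even if a rule is missing, but the log from the drop rule is what tells you the device is trying.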


I need an affordable, current WLAN AP with VLAN support. Most consumer WLAN APs don't support it, so we need to buy enterprise or enthusiast gear.

It seems that on some Xiaomi models VLANs can't be configured, but the firmware is based on OpenWRT, so they can be enabled through a hidden API. So maybe the SoC itself supports it but the manufacturer disables it or doesn't enable it.


Yeah that was 10 years ago. I'm on Linux now.



