Ask HN: Brother printers sending ink data to Amazon?
157 points by Ajay-p on Oct 9, 2023 | 76 comments
A most unusual thing. Every once in a while I get an email from Amazon that it's time to re-order Brother ink. I always delete these because I rarely print, but also figure it's just Amazon reminding me to buy something.

Today I decided to opt out/unsubscribe once and for all. Instead I see this at the bottom of the email:

"Click here to view or manage settings, including the option to opt out if you are already using another replenishment service."

This took me to https://drs-web.amazon.com/settings

"The data shown is based on estimated consumption reported by smart devices and orders you place through Amazon."

Here it had a link to "Consumption history" which upon clicking showed me the ink levels of my Brother printer for the past two weeks. Date and time.

WTF?! It is not apparent that I can disable this function. Can anyone else duplicate?

Update: This is part of Alexa it seems, and folded into the Dash replenishment protocol; note I have never had a Dash button.

Amazon's instructions for this were not very helpful.

https://www.amazon.com/gp/help/customer/display.html?nodeId=201357520

Some digging revealed a Brother help document:

https://help.brother-usa.com/app/answers/detail/a_id/172810/~/cancel-enrollment-%28amazon-smart-reorders%29

This bothers me quite a lot. I never authorized, opted in, or gave either device permission to connect, let alone Amazon to monitor and nag me about it!

Model: Brother MFC-J485DW

Purchased from: Best Buy, an American retailer, after July of 2019.

Firmware: N1901041316




If you have the printer on your network, and any Amazon device on your network, the Amazon device could easily query the printer for ink levels. My Home Assistant does this and I never connected HA to the printer. It’s just part of the status information the printer seems to make available on the network.

It’s not surprising to me that Amazon would do this using one of their devices, as everyone seems to be grabbing as much data as they can. It’s probably described in the T&Cs somewhere (that they can scan your network and use data from it).


This is why IoT devices on my network get their own subnet and they are blocked from communicating with anything but what I allow them to communicate with, including the Internet.

Also I want to make it clear, it shouldn't have to be this way. Devices should be transparent about how they function, but sadly they are not.


Is your printer an IoT device? Is your Echo an IoT device?

I'd say yes to both, and so the problem would persist.

One way to solve this would be to put every single device on a separate vlan (like some public networks do). Just like NAT, that approach certainly has its advantages for the average user from a security perspective, but forces centralization and usage of third-party servers where it shouldn't be required.

Maybe what we need is a "network administration protocol" that would give you pop-ups on your phone when devices tried to discover what's on your network.


> Is your printer an IoT device? Is your Echo an IoT device?

> I'd say yes to both, and so the problem would persist.

My IoT LAN is configured to keep each device within the subnet isolated from one another. So while they might share a subnet, they aren't able to snoop on each other. They also do not share the same switch.


Out of curiosity, how do you achieve that? One VLAN per IoT device?


Not OP.

This is done via "L2 Isolation". WiFi access points typically have this setting, as do some wired switches (ex: Cisco's PVLAN)


Managed switch with VLAN, WLAN AP with VLAN. My Ubiquiti networking stuff does this but if you want decent priced 10 gbit managed switch you're SOL. You'll end up with China stuff.


I do have Ubiquiti, actually, including two 8x10G SFP+ USW-Aggregation, but AFAIK all devices within a VLAN can still communicate with one another. In an ideal world I'd want them to be completely isolated from one another unless I explicitly set up an ACL allowing access.


Within a VLAN, sure, but that is why you should use separate VLANs. Because when you use the same one, you explicitly say: I want those devices to be able to connect to each other.

I just use two.

One for IoT, guest WiFi, etc.

And one for our server, laptops/PC, and mobile devices.

But ideally I'd fine grain it further.


Right, so one VLAN per group of IoT devices you want to segregate together, e.g. a bunch of security cameras and their NVR would go in one VLAN, a sprinkler controller on a separate VLAN, and so on.

I'm on a single VLAN and associated WLAN for all my IoT devices but I would also like to segregate them further. The 4-WLAN limit on Unifi does limit what can be done, however.


You can do client isolation on the WAP. If you do this, the clients cannot contact each other. Then, on the switch you can assign like 4k VLANs. But I'm not sure how to do that. Because all the data arrives on the same port. But in theory, you have a DHCP server for say a /24 and you could give each of those IPs their own VLAN.

FWIW, I try to use wired as much as possible. Although for security cameras people like to use PoE, and I think if you can get physical access to the PoE port, you can also try a MITM or a physical sniffer; for examples, see the stuff Hak5 sells.


Old Brocade switches are quite feature rich, but still affordable.


You can enable WiFi isolation in most access points. I've thought about a second AP and LAN in my router for this reason. My current AP puts guests on a separate subnet, not sure how well isolated though.


Peer-to-peer isolation is what you're missing.


What would make more sense, but is harder to do, is to use bridge filtering instead of assigning unique VLANs per device.


I keep seeing this suggestion (put devices on a subnet, lock them out of everything else)...

Do you have a link or guide to help me understand how to set this up? It seems like a great idea!


The cheapest way would be to go to your WiFi router and look for "Guest WiFi" settings, hope it's not too cheap that this functionality isn't included, activate said network, and put the devices on the guest WiFi.

More complicated settings involve the keyword "VLAN", afaik most home routers don't have this.


How would you send data to a printer that is in a separate subnet?


Unfortunately I do not have a guide, perhaps this would be a good idea for a blog post? I'll write something up when I have a free weekend.

Keep in mind that a lot of this will be heavily dependent on what kind of router and LAN configuration you have.


Also you can use a DNS filter like NextDNS.io to block specific domains.

How do you set up your LAN printer from a subnet to get data from your main subnet?


This is a good idea that’s inaccessible to >99% of customers. That’s the part that frustrates me. We save ourselves but these companies just couldn’t care less about our teeny tiny slice of the pie.


This is a smart idea now you mention it. Those internet of sh!t devices are back doors onto your network.


Whilst it might be in the T&Cs somewhere, it’s the not-good variety of surprise that a company should really try to avoid.

I don’t have Alexa devices on my network, and I’m glad. I do have other vendor smart things, and I’d absolutely expect a notification if they were going to be poking around at my other devices to send information off to a company for their benefit.

Poor play, Amazon


> It’s probably described in the T&Cs somewhere

Which.. I never read but I concur with your theory.


I doubt the legality of T&Cs that demand permission to use and gather information on the local network and any device connected to it. It seems about as legal as T&Cs that demand the user's first-born child.


It seems like you haven’t been paying attention to what big tech has been doing the past decade. Every piece of available data is considered as a free-for-all to collect and use however they want. Everything on the web is scraped. Every time you move your phone its location is collected. Everything you say in earshot of a smart speaker is recorded. Every time you turn on a light, the bulb phones home.

There are no legal rights or enforcement against any of this.


You’re making an is-ought mistake. User belorn only claimed that such collection and recordings would be illegal, not that the law would be enforced.


Time to learn everything they scan for, and set up a honeypot that makes people's Amazon devices fill with dummy devices.


This reddit post from 3 years ago suggests that Amazon is using SNMP to monitor your local network printers.

Put your Amazon devices in an isolated "IOT" network if possible.

https://www.reddit.com/r/amazonecho/comments/ip5i1c/alexa_no...


Or disconnect the printer completely, attach a rpi to the printer's USB port, and install CUPS.

Network level security is already difficult enough even for professionals, it's nearly impossible to really "secure" consumer grade home networks with tons of random consumer grade devices by trusting one brand and distrusting another.

Personally, I don't see my printer's ink level as some sensitive information. But if I do, I would put it behind auth/encryption.


I connect my printer via USB for this exact reason. Connecting it to WiFi is convenient but just poses too many potential attack vectors. I agree that ink levels are not sensitive information, but a lot of things that you print (or scan if your printer has a scanner too) are sensitive. Given that so many printers are inadvertently accessible on the Internet [1], I'd rather just connect my printer via USB and avoid that issue entirely.

[1] https://darknetdiaries.com/episode/31/


Our home is quite small and so we had to put the printer in another room, hence wifi. I will rethink placement because cable is indeed much better.


That is an excellent idea, thank you! I have some micro routers that I can use.


You could also try changing the "SNMP Community String" on your Brother printer and see if your "consumption history" stops.

https://help.brother-usa.com/app/answers/detail/a_id/164663/...


That is a great solution. I found that I can go to http://IPAddress/net/net/sntp.html and disable SNTP. I also scrambled the Primary SNTP Server Address, and put the synchronization interval to as high as it would go; 100 hours.


SNMP is completely different than SNTP. SNTP is basically just a minimal NTP client that just queries the time and doesn't attempt to do anything like compensate for network latency or use multiple NTP servers.


This is the real solution. Pretty much all printers accept read/write from public by default and share a lot of info about themselves. Any program on your computer could do this if it wants, the only surprise here is that it took this long for anyone to bother.
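
Added example, not part of the thread: a minimal SNMPv1 check you can run against your own printer to confirm whether it still answers the `public` community after you change the community string discussed above. It assumes SNMPv1 over UDP port 161 and that the ink level is exposed as the Printer-MIB object prtMarkerSuppliesLevel at index 1.1; the function names, the sample reply and the 192.0.2.10 address are constructed for illustration.

```python
import socket

# Printer-MIB (RFC 3805) prtMarkerSuppliesLevel, device 1 / supply 1 (assumed index).
LEVEL_OID = (1, 3, 6, 1, 2, 1, 43, 11, 1, 1, 9, 1, 1)

def tlv(tag, body):
    """BER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def ber_int(v):
    # Minimal two's-complement INTEGER encoding.
    size = (v if v >= 0 else ~v).bit_length() // 8 + 1
    return tlv(0x02, v.to_bytes(size, "big", signed=True))

def ber_oid(oid):
    out = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:          # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get(community, oid=LEVEL_OID, request_id=1):
    """SNMPv1 GetRequest (PDU tag 0xA0) for one OID."""
    binds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + binds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_response(packet):
    """Return (error_status, value) from an SNMPv1 GetResponse (tag 0xA2)."""
    _, msg, _ = read_tlv(packet, 0)
    _, _, p = read_tlv(msg, 0)            # version
    _, _, p = read_tlv(msg, p)            # community
    tag, pdu, _ = read_tlv(msg, p)
    if tag != 0xA2:
        raise ValueError("not a GetResponse")
    _, _, p = read_tlv(pdu, 0)            # request-id
    _, err, p = read_tlv(pdu, p)          # error-status
    _, _, p = read_tlv(pdu, p)            # error-index
    _, binds, _ = read_tlv(pdu, p)
    _, bind, _ = read_tlv(binds, 0)
    _, _, p = read_tlv(bind, 0)           # OID
    vtag, val, _ = read_tlv(bind, p)
    value = int.from_bytes(val, "big", signed=True) if vtag == 0x02 else None
    return int.from_bytes(err, "big"), value

def probe(host, community, timeout=2.0):
    """Ask your own printer for its ink level; None means no usable reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_get(community), (host, 161))
            return parse_response(s.recvfrom(1500)[0])
        except (OSError, ValueError, IndexError):
            return None

# Constructed reply (not captured from a real device): level 62, no error.
SAMPLE_REPLY = tlv(0x30, ber_int(0) + tlv(0x04, b"public") + tlv(
    0xA2, ber_int(1) + ber_int(0) + ber_int(0)
    + tlv(0x30, tlv(0x30, ber_oid(LEVEL_OID) + ber_int(62)))))

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))   # offline check of the parser
    # probe("192.0.2.10", "public")       # placeholder address; use your printer's IP
```

A `None` from `probe(host, "public")` after changing the community string means the printer no longer answers that community. Negative values in a reply are Printer-MIB status codes (such as unknown), not ink levels.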


That should be the solution for everything but unfortunately I'm dealing with containers that advertise their IP via Bonjour (or whatever the new thing is). But since they run in a container they get their 172.19.0.0/24 IP, so they broadcast the wrong one.

Then there is the issue of certain devices only accepting things like HomeKit via a barcode and/or discovery, and not via IP addresses.

If I could just do IP addresses it would be so much more easy to cordon off things. IPs can talk across networks with ease, no hacks required, but at least I control it.

Inside of a network it's very hard to selectively allow / deny traffic.


What model(s) of Alexa devices do you have, if you don't mind sharing?


I have a 3rd gen Echo Dot


I've recently changed my home network to ensure all IoT devices are on their own VLAN where they can't talk to each other and only have access to the internet.

I see my paranoia was not unwarranted.

That being said, if I had a network printer, I would've connected it to yet another VLAN I have set up which does not even have access to the internet.

Setting all this up required quite a bit of time, effort and networking/firewall knowledge. I wonder if there's a market for providing such capabilities out of the box for the less tech-inclined privacy-conscious consumers.


> less tech-inclined privacy-conscious consumers

That group is much smaller than most tech-conscious people imagine (at least outside of Germany).

My experience with people outside of the tech bubble is that people care a lot more about privacy from their bosses / exes / partners / parents (and very occasionally law enforcement), but almost never about privacy from big companies.

The only thing that actually makes people scared is seeing ads for products that they were recently discussing in person, and that's actually due to coincidence and search history, not, as they think, devices listening on them. I keep pointing this out every time the same thing happens on (linear) TV.


What makes you so sure that devices aren't listening? Apparently there used to be (maybe still is) a loophole where apps can listen for specific keywords the same way the phone listens for "hey siri" or "ok google" ... apps can stuff a whole bunch of keywords into the list and listen for them that way without explicitly processing all of the audio from your device.


Sorry I can't remember where I read it, I think it was actually in a comment thread here on hacker news.


Nothing like this on iOS at least.


> but almost never about privacy from big companies

Mostly because privacy prevents a lot of desirable features from working.


I for one would pay for such a thing. I hate spending hours tinkering with network/firewall rules. It's dull as hell and a huge time sink to get everything right. And I have three decades of Linux knowledge. How is man-on-the-street supposed to do any of this stuff? :(


It'd be nice if more routers were covered by OpenWRT, and if it had a really convenient "wizard" for setting this kind of thing up. Of course, both of these are hard problems.


I have an HP multi-function laser printer and got a similar message yesterday about my black toner running low. Got the same email with the same useless instructions to opt out. I have never and would never opt into this feature.

I have a feeling this is Alexa searching your network and helping itself to your devices.


If you cared about privacy you wouldn’t have an Alexa device in your house.


Exactly


The feature seems perfectly fine for those who want it, but the idea that you never opted in is troubling.

So the question is, how did your printer get linked to your Amazon account?

Possibilities:

1) You registered your printer with Brother (possibly when setting up wireless or cloud services) and put in your email address which is also the one associated with Amazon. Did you opt in without realizing (via a dark pattern? hidden in TOS?)? Or did they opt you in without any consent at all?

2) You bought the printer from Amazon and they already knew the printer serial number (common with certain electronics brands) and that's how it got associated. Perhaps there's a notice on the add-to-cart or checkout page that you'll be enrolled, or an opt-in checkbox? Or maybe it is without consent?


See my other comment on this. I did not register it with Brother, and have no account with Brother. Given this is Amazon, I cannot help but feel pessimistic that this was done without consent.


Ah ha, it turns out there's a third option -- Alexa automatically finds printers on your network and checks their ink levels:

https://www.amazon.com/b?ie=UTF8&node=19820259011

So it doesn't seem to have anything to do specifically with Brother at all.

Mystery solved. It's an Alexa feature ("feature").

So feel free to be angry at Amazon, but it's not Brother doing anything wrong. It's just reporting ink levels to anybody on your local network who asks, just like every other printer.

You might want to change your headline since it accuses Brother rather than Amazon.


You can turn this off in the Alexa app. I went looking for it after reading that page.

It's under Settings > Device Discovery (near the bottom of the settings). It's on by default of course.


Next time you add a new device, it will 'find' the printer despite this setting.


Indeed I suspected so, but thought you'd be presented the option not to add it.

But no - these fuckers, when you do device discovery, it re-adds everything it finds automatically instead of confirming what you want to add. Then you have to disable the device once discovered. What do you want to bet that disabled devices occasionally, mysteriously, get re-enabled?


Amazon does the same thing if you link a Samsung Smartthings hub and those little sensors have a low battery.

This is basically the 'promise' of all this smart home junk: your fridge automatically adds milk to your Amazon cart when it scans the contents and sees the level is low. A dubious convenience for users, but an excellent way for companies to ensure you keep buying things from them.


You backdoored your own network by putting an Alexa on it. I wouldn't be surprised if Ring cameras pulled the same shit.

If you really must have this trash on your lan, you have to isolate it at the network level.


Related is that Alexa seems to like to add any HP printers nearby with WiFi direct still on, and relentlessly remind you when the neighbor's printer ink is low. I have ~20 random printers in my Alexa account that I don't own and keep reappearing whenever Alexa scans for new devices.


Does anyone know if setting the printer admin password will disallow querying of the ink level by other network devices?

>Protect your Brother machine against unauthorised access over the network

https://support.brother.com/g/b/faqend.aspx?c=us_ot&lang=en&...


I get an error on https://drs-web.amazon.com/settings – has it been taken down? I also have a Brother printer, which I bought from Amazon.


removes glasses... MOG... That is INTERESTING.

Here is an image of the email I received

https://imgur.com/a/fhvZlsd

and the current status of the web page:

https://imgur.com/jkTD4Xp

I am speechless. This link brought up a narrow page of blue. Is there any way to recover that? Firefox browser. I would love to capture that .. oh I kick myself now for not grabbing a SS.


"You are receiving this message because you connected your Brother MFC-J485DW to Alexa on 5/4/21"

What happened on 5/4/21? You say you bought the printer after July 2019, so it probably wasn't the printer purchase date. Does that line up with the date you bought or installed an ink cartridge from Amazon, or set up Alexa?


When you found that page originally you must have either got there from a POST from another page, or a prior page set a cookie which this page gobbled.


This kind of thing is precisely why I won't touch IoT things with a ten foot pole. You don't know what they're doing. Scanning my network and interacting with other machines on my network without my overt permission is way over the line.

It's also not worth it to me to isolate them on my network. It's easier to only allow devices that I have control over.

These devices cannot be trusted.


How has it linked with your Amazon account then? Just because you bought the printer from Amazon? (As they do with their own devices, e.g. Fire TV Sticks, of course.)


The printer was purchased at a store called Best Buy.

The only interaction that it has ever had with my Amazon account was that I ordered a single purchase of replacement ink cartridges. The idea of it monitoring their status is abhorrent to me and I don't think I would have ever opted in for such thing. Perhaps there was something requiring me to opt out, but ...it was not apparent.

When my Alexa searched for devices connected to my network, it must have noted this printer, then compared it to the fact I ordered ink for it, and just to be extra helpful decided to monitor its levels for me. I can think of no other way...


I would not rule out some connection via the credit/debit card, like how every shop now emails you even though you never gave them your email.


Maybe Amazon tags the serial number of the cartridge and correlates it to your printer with the data Brother gives them. Fucking crazy.


What model printer?


Sorry, just added it. Brother MFC-J485DW


What year was it manufactured? Manuals seem to be from 2016. That's a bit earlier than I'd expect this kind of behavior (not conclusive of anything. Just an observation).

Do you have a firmware date?


Current firmware is N1901041316

I do not have a manufacturer date but it would have been purchased in 2019 or later.


This is deeply disturbing.


People realizing shit in their homes has an API because smart devices started poking it will never not be funny.



