A security researcher has found nearly 700 Brother printers left exposed online, allowing anyone who knows what to look for to access the printers' password reset function.
Anubhav has provided Bleeping Computer with a list of exposed printers. Accessing a few random URLs, Bleeping has discovered a wide range of Brother printer models, such as DCP-9020CDW, MFC-9340CDW, MFC-L2700DW, or MFC-J2510, just to name a few.
One cause of some of these exposures is Brother's choice to ship the printers with no admin password set. Most organizations likely connected the printers to their networks without realizing the admin panel was present and wide open to connections. These printers are now easily discoverable via IoT search engines like Shodan or Censys.
"I'm surprised about so many known universities included in the list," Anubhav told Bleeping in a private conversation.
Besides universities, there were also some printers on corporate networks and what appeared to be government networks.
"I am planning to reach and notify the orgs with my colleague," Anubhav said.
Bleeping Computer also forwarded the list to fellow researcher Victor Gevers. Gevers is the chairman of the GDI Foundation, a non-profit that specializes in notifying organizations affected by vulnerabilities, malware, and other cyber threats.
"We will process the list ASAP," Gevers told Bleeping earlier today.
Yesterday, at the Virus Bulletin 2017 security conference, Martijn Grooten, editor of the Virus Bulletin magazine, said that security practitioners have a responsibility to clearly communicate risks.
While there are legitimate use cases for having a printer connected to the Internet, we believe that even Mr. Grooten would advise against leaving the printer's administration panel exposed without a password.
For example, an attacker could change the printers' passwords and cause downtime to affected organizations.
The list that Anubhav provided Bleeping included only devices that exposed their "password.html" file specific to the password reset section of Brother printers. The panels for some of these printers also included options to verify and trigger a firmware update.
On normal smart devices, even if the firmware update process contains a vulnerability that allows an attacker to hijack it and deliver tainted firmware, the attack is often mitigated by blocking unauthenticated access to the update page.
Having the printer's admin panel widely exposed online removes this protection. An attacker could include spyware-like behavior in tainted firmware updates and have printers send copies of printed documents to an attacker's server.
In the case of private businesses and government organizations, this could expose very sensitive information.
The race is now on for NewSky and GDI researchers to notify as many affected organizations as possible.
Organizations running Brother printers should verify whether the printer exposes its administration panel to the Internet by default, and/or set a custom admin password to prevent unauthorized access to the device.
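One way for an organization to run that verification against its own printer inventory is the small audit script below. It is an added example written for this article, not code from Bleeping Computer, the researchers, or Brother: it takes a list of admin-panel URLs the organization already knows about, requests each one without credentials and without following redirects, and reports whether the password page comes back freely, demands authentication, bounces to a login page, or is unreachable. The `/admin/password.html` path, the example hostnames, and the response heuristics are assumptions for illustration; the sample responses are constructed so the script runs offline, while `fetch()` does a real request when pointed at a live device on your own network.

```python
"""Audit an internal inventory of printer admin-panel URLs for unauthenticated
access. Added example, not the article's or Brother's code; the URL path and the
response heuristics are assumptions, not documented Brother behaviour."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


@dataclass
class Probe:
    status: Optional[int]  # HTTP status code, or None if the device was unreachable
    location: str          # Location header, relevant for redirects
    body: str              # first few KB of the response body


def classify(p: Probe) -> str:
    """Turn one credential-less probe of the admin page into a finding."""
    if p.status is None:
        return "unreachable"        # good from outside; still re-check from inside
    if p.status in (401, 407):
        return "auth-required"      # device asked for credentials first
    if p.status in (301, 302, 303, 307, 308) and "login" in p.location.lower():
        return "login-redirect"     # device sent us to a login form
    if p.status == 200 and "password" in p.body.lower():
        return "EXPOSED"            # password page served with no credentials at all
    return f"review (HTTP {p.status})"


def fetch(url: str, timeout: float = 5.0) -> Probe:
    """Request the page once, sending no credentials and not following redirects."""

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # returning None makes urllib raise HTTPError on 3xx

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as r:
            return Probe(r.status, r.headers.get("Location", ""),
                         r.read(4096).decode("latin-1"))
    except urllib.error.HTTPError as e:
        loc = e.headers.get("Location", "") if e.headers else ""
        return Probe(e.code, loc, "")
    except (urllib.error.URLError, OSError):
        return Probe(None, "", "")


def audit(urls: Iterable[str],
          fetcher: Callable[[str], Probe] = fetch) -> Dict[str, str]:
    """Probe every inventory URL and map it to a finding."""
    return {u: classify(fetcher(u)) for u in urls}


# Constructed sample responses standing in for live devices, so the demo runs offline.
SAMPLE: Dict[str, Probe] = {
    "http://printer-a.example/admin/password.html": Probe(200, "", "<title>Password</title>"),
    "http://printer-b.example/admin/password.html": Probe(401, "", ""),
    "http://printer-c.example/admin/password.html": Probe(302, "/login.html", ""),
    "http://printer-d.example/admin/password.html": Probe(None, "", ""),
}


def demo() -> Dict[str, str]:
    """Run the audit over the constructed sample instead of the network."""
    return audit(SAMPLE, fetcher=SAMPLE.__getitem__)


if __name__ == "__main__":
    for url, finding in demo().items():
        print(f"{finding:16} {url}")
```

Replace `SAMPLE` with the inventory URLs and drop the `fetcher` argument to probe real devices; run it from both the internal network and an external vantage point, since a panel that is closed from inside can still be reachable through a misconfigured NAT or firewall rule. Any `EXPOSED` result means the password reset page is being served with no authentication, which is exactly the condition the article describes.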