A security researcher has found nearly 700 Brother printers exposed online, with the password reset page of their administration panel reachable by anyone who knows where to look.
Discovered by Ankit Anubhav, Principal Researcher at NewSky Security, the printers offer full access to their administration panel over the Internet.
Anubhav has provided Bleeping Computer with a list of the exposed printers. Visiting a few random URLs from the list, Bleeping Computer found a wide range of Brother printer models, such as the DCP-9020CDW, MFC-9340CDW, MFC-L2700DW, or MFC-J2510, to name a few.
One cause of some of these exposures is Brother's choice of shipping the printers with no admin password. Most organizations likely connected the printers to their networks without realizing the admin panel was present and wide open to connections. These printers are now easily discoverable via IoT search engines like Shodan or Censys.
Researchers plan to notify affected orgs
"I'm surprised about so many known universities included in the list," Anubhav told Bleeping in a private conversation.
Besides universities, there were also some printers on corporate networks and what appeared to be government networks.
"I am planning to reach and notify the orgs with my colleague," Anubhav said.
Bleeping Computer also forwarded the list to fellow researcher Victor Gevers. Gevers is the chairman of the GDI Foundation, a non-profit that specializes in notifying organizations affected by vulnerabilities, malware, and other cyber threats.
"We will process the list ASAP," Gevers told Bleeping earlier today.
Inherent threat of leaving admin panels wide open
Yesterday, at the Virus Bulletin 2017 security conference, Martijn Grooten, editor of the Virus Bulletin magazine, said that security practitioners have a responsibility to clearly communicate risks.
While there are legitimate use cases for having a printer connected to the Internet, we believe that even Mr. Grooten would advise against leaving the printer's administration panel exposed without a password.
For example, an attacker could set their own password on the printers, locking administrators out and causing downtime for the affected organizations.
Firmware attacks made easy
The list that Anubhav provided to Bleeping Computer included only devices that exposed their "password.html" file, the page specific to the password reset section of Brother printers' admin interface. The panels of some of these printers also included options to verify and trigger a firmware update.
On most smart devices, even if the firmware update process contains a flaw that lets an attacker hijack it and deliver tainted firmware, the attack is usually mitigated by requiring authentication before the update page can be reached, which keeps unauthenticated attackers away from it.
Having the printer's admin panel wide open on the Internet removes this protection. An attacker could build spyware-like behavior into a tainted firmware image and have the printers send copies of printed documents to an attacker-controlled server.
In the case of private businesses and government organizations, this could expose very sensitive information.
The race is now on for NewSky and GDI researchers to notify as many affected organizations as possible.
Organizations running Brother printers should verify whether a printer's administration panel is reachable from the Internet, and set a custom admin password to prevent unauthorized access to the device.
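One way to perform that check against your own address ranges, as an added example that is not code from the article, from NewSky or from Brother: fetch the printer's password page and classify the response. The page path, the hostnames and the sample responses below are assumptions constructed for illustration; the real path differs between models, so confirm it in your printer's web interface first.

```python
"""Check whether a Brother printer's password-reset page answers without
authentication.  Added example; not the article's or Brother's code.
The page path is an assumption (it varies by model), as is the sample data."""
import re
import urllib.error
import urllib.request

# ASSUMPTION: path of the password page.  Confirm it in your own model's web UI.
PASSWORD_PAGE = "/general/password.html"

# Constructed sample responses (status, headers, body) for offline testing.
SAMPLE_RESPONSES = {
    "open-panel": (200, {"content-type": "text/html"},
                   '<html><form><input type="password" name="pw"></form></html>'),
    "http-auth": (401, {"www-authenticate": 'Basic realm="Brother"'}, ""),
    "login-redirect": (302, {"location": "/general/login.html"}, ""),
    "no-such-page": (404, {}, "Not Found"),
}


def classify(status, headers, body):
    """Classify one HTTP response to the password page.

    Returns 'exposed'   - a password form served with no auth challenge; confirm
                          by hand, since a login form also contains a password field,
            'protected' - an auth challenge or a redirect to a login page,
            'absent'    - 404, probably not a Brother panel or a different path,
            'unknown'   - anything else; inspect by hand.
    """
    if status in (401, 403) or "www-authenticate" in headers:
        return "protected"
    if 300 <= status < 400:
        return "protected" if "login" in headers.get("location", "").lower() else "unknown"
    if status == 404:
        return "absent"
    if status == 200 and re.search(r"<input[^>]*type\s*=\s*['\"]?password", body, re.I):
        return "exposed"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 3xx responses instead of following them, so classify() sees them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_printer(host, timeout=5):
    """Fetch the page from a live host (network needed) and classify it."""
    url = "http://%s%s" % (host, PASSWORD_PAGE)
    req = urllib.request.Request(url, headers={"User-Agent": "brother-panel-check"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return classify(resp.status, hdrs, resp.read(8192).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # Non-2xx answers (401, 302, 404, ...) arrive here with headers and body intact.
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return classify(err.code, hdrs, err.read(8192).decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


def classify_samples():
    """Run classify() over the constructed samples; used for the offline demo."""
    return {name: classify(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:            # python check.py 192.0.2.10 [more hosts]
        for host in sys.argv[1:]:
            print(host, check_printer(host))
    else:
        for name, verdict in classify_samples().items():
            print("%-15s %s" % (name, verdict))
```

Run it once from outside the network (to see what Shodan sees) and once from inside; an "exposed" verdict from outside is the situation the article describes, and the fix is the same in both cases: set an admin password and stop routing the printer's web interface to the Internet. Only point it at addresses you own or are authorized to test.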
Comments
forum11 - 6 months ago
"While there are legitimate use cases for having a printer connected to the Internet, we believe that even Mr. Grooten would advise against leaving the printer's administration panel exposed without a password."
I'd argue that there are very few if any legitimate reasons for having a printer publicly accessible on the internet. And that goes for many other kinds of devices too. If for some reason you must print to a remote site you should be connected to that site via VPN.
talkradioaddict - 6 months ago
Who gives their printer a public IP address?
Occasional - 6 months ago
I think there's a service that will let you email a document to your local public library, to print (for a small fee), and pick up there - likely each printer has a unique IP address. Businesses offering similar services would do the same.
forum11 - 6 months ago
That may be the case, but it still seems unnecessary to expose the printer itself to the open internet.
gordonframsay - 6 months ago
My neighborhood is full of open wifi networks to printers and such. A lot of devices when plugged in start in an open wifi mode to let the first one to connect to it configure it, set a password, etc. and attach it to a wifi network. I imagine they just connected the USB cord to it to print and haven't known that the wifi on it is still in set-up mode (for years, in some cases!) for anybody in the area to attach to.
Occasional - 6 months ago
Maybe it would be best to ship devices with ALL functionality turned off by default.
Then, have the user enable each function, individually (no "enable all"), according to procedures set out in the manual (so the user would have to read the manual, and so at least have a clue as to what they are enabling, the risks and responsibilities).
Can't imagine that would ever fly with consumer products - but would probably lead to far fewer Bleeping Computer articles, if business and government entities required it (or a group policy configuration substitute).