Printers without Passwords Offer Easy Picking to Hackers

Any connected device on the network is a potential entry point for a hacker, including printers, an item often overlooked when setting up perimeter defenses. A researcher has discovered hundreds of printers unprotected on the Internet, offering direct access to the administration panel.

The machines, from Brother Industries, ship without a password for the web-based management interface, although the page asks the owner to set one up. Since the printers are exposed online, getting to the configuration page is a matter of loading the device’s IP address in a web browser.

The list, which contains about 700 IP addresses for defenseless printers, was built by security researcher Ankit Anubhav, who provided it to Bleeping Computer. The publication was able to use them to access the configuration panel of multiple Brother models, and reported that some included an option for installing firmware updates; this could let a hacker breach the defenses by applying a malicious firmware variant containing spyware or malware that spreads deeper into the network.

Anubhav said he planned to contact the parties running the printers with a vulnerable setup and warn them of the risk. The publication also informed Victor Gevers of the GDI Foundation – an organization that reports vulnerabilities to system owners, who said they would make processing the list a priority. Despite these efforts, at the moment of writing many printers from Brother are still exposed online across the world, including in Belgium, Korea, the UK, Spain, Sweden, Finland and the US.

These printers appear to run with the manufacturer’s setup, which likely has enabled protocols considered insecure. Telnet is one of them, but Brother printers include support for others, like CIFS, SNMP, IPP. As long as they are supported, an intruder could funnel malicious PostScript and PJL (Printer Job Language) code through them to gain access to the file system and memory, or to manipulate or capture print jobs. Even if protocols are disabled, as some models, attackers can make the adjustment to their advantage from the online interface.

A less experienced attacker could also cause a great deal of inconvenience. Since all options are in the open, anyone could start changing settings for printing and copying or disconnecting the device from the network. Most models offer users the possibility to prevent modifications of the configuration. Once the attackers are done, they can use this function to lock the owner of the printer out, forcing them to reset the device to its factory configuration. The silver lining in this would be that the owner may have learned a lesson and protect the administration panel with a password.

The potential dangers of hacking into a printer have been illustrated in a video series from HP. While the attacks are fictitious, the threat is real. Living in a world filled with connected devices it makes sense to try to secure them as best as possible.