Slashdot Mirror


Hundreds of Printers Expose Backend Panels and Password Reset Functions Online (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A security researcher has found nearly 700 Brother printers left exposed online, allowing access to the password reset function to anyone who knows what to look for. Discovered by Ankit Anubhav, Principal Researcher at NewSky Security, the printers offer full access to their administration panel over the Internet. Anubhav has provided Bleeping Computer with a list of exposed printers. Accessing a few random URLs, Bleeping has discovered a wide range of Brother printer models, such as DCP-9020CDW, MFC-9340CDW, MFC-L2700DW, or MFC-J2510, just to name a few. The cause of all these exposures is Brother's choice of shipping the printers with no admin password. Most organizations most likely connected the printers to their networks without realizing the admin panel was present and wide open to connections. These printers are now easily discoverable via IoT search engines like Shodan or Censys.

61 comments

  1. Connected Directly to the Internet? by nsuccorso · · Score: 3, Interesting

    Do the printers have to be connected to routable IPs and have the admin ports wide open? Who connects their printer to the public internet? Or is there something more sinister involved?

    1. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 3, Informative

      My former employer is a great example of publicly accessible printers. Multiple arguments (not disagreements... straight up arguments) with my manager about how absurd this was, all so "a few people might need to print something from home and have it on their desk at work". No VPN. No locking down the printers to be only accessible from our subnet even. Plain ole HP 4250s exposed to the world with original firmware.

      The best part was when 6 months after I gave up on arguing, we started getting printer spammed and all eyes were on me as though my mentioning it could happen automatically made me at fault.

      "Hey what about ice bergs?"

      This of course was the local university where everyone bends over backwards to anyone with a PHD because they always know better.

      Best career move I could make was leaving the Titanic.edu!

    2. Re:Connected Directly to the Internet? by FictionPimp · · Score: 2

      Exactly what I was thinking. Who the hell lets inbound unsolicited connections into their network?

    3. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 0

      Who connects their printer to the public internet?

      Every school in America. How else are teachers supposed to print from home?

    4. Re:Connected Directly to the Internet? by Tarlus · · Score: 3, Informative

      I've come into numerous environments throughout my career that had a multitude of printers set up on public IPs, no firewall, and in numerous cases, with the default admin password. No valid reason for doing so. Just a lack of proper management.

      --
      /* No Comment */

    5. Re:Connected Directly to the Internet? by Tablizer · · Score: 1

      Vintage IOT, enjoy!

    6. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 0

      I've seen the very same thing at no fewer than law firms. No idea what the rationale for any of it was.

    7. Re:Connected Directly to the Internet? by lhowaf · · Score: 2

      Equifax?

    8. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 0

      Most people leave UPnP enabled on their home routers, which allows devices to open ports all by themselves. I don't know how or why UPnP ever became a thing, but it needs to be done away with.

    9. Re:Connected Directly to the Internet? by toejam13 · · Score: 1

      Not necessarily. If these printers are factory-configured to use UPnP and their edge firewalls allow it, these printers could punch their way out even if they were on a network with private IP space.

      I'd bet that many of these printers are on small business DSL or cable connections that come with a pool of public addresses and these folks just connected directly to the Internet. No firewall, no security.

    10. Re:Connected Directly to the Internet? by EvilSS · · Score: 2

      Exactly what I was thinking. Who the hell lets inbound unsolicited connections into their network?

      Way more people than anyone who knows better would believe. Just look at all of the security camera hacks from the past few years. Almost all of those involve people exposing their devices (like security cameras) to the internet via port forwarding so they can remotely access them. The same people who don't know to set a damn password (or reset the default) on those devices. All it usually takes is some port scanning or even just a little google-fu to find them.

      --
      I browse on +1 so AC's need not respond, I won't see it.

    11. Re:Connected Directly to the Internet? by trg83 · · Score: 1

      The good news is mostly only early adopters of the Internet like gigantic corporations and government entities have that sort of access to public IPv4 addresses. Oh, wait. That makes it much, much worse!

    12. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 0

      Don't you think that in 2017 it's time to admit both parties are at fault here, though? Sure, the IT policies are really bad, but the device maker bears some of the blame for making it so easy to get so wrong too, no? (I'm a security professional saying this, but I'm not someone who attributes everything to bad users. Bad interfaces and places where making really bad mistakes is the easiest path should be called out.)

    13. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 0

      [...] This of course was the local university where everyone bends over backwards to anyone with a PHD because they always know better.

      Being that I'm nearing a century old, I say never bend over backwards for anyone with a PhD. PhD = Pathetically Helpless Dumbass.

    14. Re:Connected Directly to the Internet? by dissy · · Score: 1

      I've come into numerous environments throughout my career that had a multitude of printers set up on public IPs, no firewall, and in numerous cases, with the default admin password. No valid reason for doing so. Just a lack of proper management.

      I dunno, that doesn't really answer the question.

      How does any organization even obtain public internet routable IPs without proper management to set that up?

      With so many devices defaulting to NAT and requiring work to turn that off, assuming you can turn it off, how do those devices even get a public IP instead of an internal IP without proper management?

      Every time I set up a business internet connection I had to beg and plead to get a /29 over the single IP set up by default, and it took more than zero effort to add a router to the mix that either wasn't a piece of crap $20 Linksys that forces NAT on you, or to get the ISP to bridge that single IP through their CPE and onto my own router directly.
      Not to mention I don't remember any ISP after the dialup era automatically assigning you an IP, let alone providing DHCP services for any routable subnets.

      One would expect that without any proper network management things wouldn't be able to be in any situation where $randomDevice plugged in is handed a public IP from any DHCP server anywhere.

      If anything I'd expect lack of proper network management to result in nothing working in the first place at worst, or a standard home NAT setup at best.

    15. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 0

      You mean apart from anyone with an internet server, or anyone using a peer-to-peer service like BitTorrent? Idiots with printers I guess.

    16. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 0

      Including a VPN. You can't have authentication without having an inbound unsolicited connection first.

    17. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 0

      That's what UPnP does. Opens up holes in the firewall so that external devices can connect.

    18. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 1

      I think there's two factors:

      1) UPnP - a surprising number of business networks have this enabled by default. Especially true in younger ones who "don't need an IT department, because everything Just Works". They've got two "DevOps gurus" (read: IT guys who also have to do all the dev work, maintain the phones (they're IP phones, right?) and be on call 24/7 in case the CEO's toddler deletes the corporate website again*) running round after hundreds of "rockstars" who want to be "self-managed" and don't think things like security policies should apply to them, because their workflow is too important to interrupt with silly things like security patches.

      2) Oldskool orgs that once had real servers on those IPs, but have gradually replaced them with single-function black boxes. So whilst that IP used to point at a department fileserver with proper authentication which just happened to have a printer attached, they moved everything to a central server or The Cloud(TM) and replaced the crappy old printer that'd worked flawlessly for 20 years with a fancy networked one that has a touch screen display, built-in wifi, and keeps breaking down and needing to be hard-reset for some reason. The old system let users send stuff to the office printer from the conference room over the street, so the new one's set up on that IP and it seems to work. The one remaining IT guy who hasn't been offered "relocation" to head office (the other side of the country, with 3x living costs and no increase in pay) or just straight offshored is just spending 8 hours a day hiding in a maintenance cupboard somewhere hoping nobody notices that he's still drawing a paycheck.

      * because OF COURSE the CEO needs admin credentials to every system - they're the CEO! And OF COURSE it's fine to leave themselves logged in - who needs to remember all those passwords, amirite? And OF COURSE let their kid play with their tablet - little Johnny is such a precocious scamp, he's so much more developmentally advanced than all the other young leaders at the private nursery that costs more a month than those poor DevOps guys make a year; he clearly needs the stimulation that can only be provided by brightly coloured shiny expensive objects.

      Why yes, I am a bit bitter; but a lot less bitter than I was when I was in IT. Pulled on a suit, put up my rates by a factor of 20, and now I get to tell C-level execs that they're morons, and they thank me for my insight. Weird world.

    19. Re:Connected Directly to the Internet? by WorBlux · · Score: 1

      Some IPv6 connections will sometimes give you a /56 or higher.

    20. Re:Connected Directly to the Internet? by jabuzz · · Score: 1

      Does it say who the public IP addresses belong to? My guess is that they are likely located at universities where they have loads of public IP addresses and historically everything got a public IP address.

      Certainly in the UK all the universities have a full class B network allocation. So that's 65K IP addresses and you might have say 20K students, 5K staff and say 4-5K postgraduate students. That's a couple of IP addresses each and still some spare.

      Certainly my phone gets a fully routable public IP address when it hooks up to Eduroam at work! We don't have any IPv6 (well apparently we have it at the edge but it's not routed internally) because we don't actually need it. IPv4 address starvation, what's that eh.

      Then you have organizations with class A networks. Why would a firm like IBM or HP ever dream of allocating private IP addresses?

      Of course these should be firewalled up the wazoo, but again historically there was no such thing as a firewall.

    21. Re:Connected Directly to the Internet? by plover · · Score: 1

      Way more people than anyone who knows better would believe. Just look at all of the security camera hacks from the past few years. Almost all of those involve people exposing their devices (like security cameras) to the internet via port forwarding so they can remotely access them. The same people who don't know to set a damn password (or reset the default) on those devices. All it usually takes is some port scanning or even just a little google-fu to find them.

      Except that's not what happened. These cameras were bought by ordinary people who have no idea what "port forwarding" is; they did not follow any instructions to open a hole on their router. They simply went to the store and bought a camera, and then installed a camera app on their phone. That's it. Internally, the camera sent a UPnP message to their router that opened a hole back to the camera, where the camera's weak telnet server and default passwords allowed the bot attacks to succeed.

      These people did nothing more than purchase a device that did exactly what it promised on the label. It's not their fault the device accomplished the task by silently screwing their security over.

      --
      John

  2. PC LOAD LETTER by Anonymous Coward · · Score: 2, Funny

    PRESS ANY KEY

    1. Re:PC LOAD LETTER by Anonymous Coward · · Score: 1

      Why does it say paper jam when there is no paper jam?

  3. If it's what they want.. by Anonymous Coward · · Score: 0

    If someone goes out of their way to set up port forwarding or assign a printer a public IP address without changing the password on the printer, Fuck them. They brought it on themselves, this isn't news, this is just idiots and is no fault of the printer manufacturer or design.

  4. Port 9100 by Anonymous Coward · · Score: 0

    #AllTheDickButts

  5. Combined scanners, faxes and printers are gems by Anonymous Coward · · Score: 0

    My company used hundreds of combined scanner, fax and printer systems but never changed the default passwords or shut down the web admin pages. Anyone on the network could pull off images or emails of almost anything that went through the device. I made multiple warnings but no-one paid any attention. I don't work there any more but I bet they're still the same.

  6. Security "research"? by Anonymous Coward · · Score: 0

    So this announcement-worthy "security research" is that they did a port scan of public IPs and found printers with default passwords? So an unoriginal idea with an obvious outcome and minimal effort put in. Was this some college freshman's homework or something?

  7. I've found copiers online like this by Fencepost · · Score: 1

    I don't recall the precise model, but I was searching for documentation using strings pulled from the login page of a copier - what I got was a bunch of such copiers exposed to the real world using the default credentials.

    It was some years back, but I believe I signed into the first one, looked in the address book on it, and emailed a few of the folks who were listed to say "Hey, I got your address from a copier in your office that's exposed to the Internet. Please pass along to your IT folks to fix that."

    --
    fencepost
    just a little off

    1. Re:I've found copiers online like this by Anonymous Coward · · Score: 0

      Did the feds show up at your door with latex gloves and a bottle of Vaseline?

  8. Ban uPnP by Anonymous Coward · · Score: 0

    Seriously, not every device on the planet needs a port forward, and we definitely shouldn't be enabling technology that opens them automatically.

  9. don't need no password to just print to them! by Joe_Dragon · · Score: 1

    don't need no password to just print to them! and yes there one with a public IP

    1. Re:don't need no password to just print to them! by tlhIngan · · Score: 1

      don't need no password to just print to them! and yes there one with a public IP

      Nice to know we can still throw away IPv4 addresses so frivolously

  10. I still have a working 4000 with JetDirect card by Joe_Dragon · · Score: 1

    I still have a working 4000 with JetDirect card. No, it's not online, and it is only turned on when I need to print.

    1. Re:I still have a working 4000 with JetDirect card by jabuzz · · Score: 1

      Built like a tank and with appropriate maintenance kits good for at least 1 million pages. I did have in a former job a LaserJet 5M with 1.5 million pages on the counter.

  11. Another fake creimer story. by Anonymous Coward · · Score: 0

    Somehow I don't actually believe this as while I've heard of various tricks and exploits to make people unwillingly print something... I can just see no reason to make malware that goes to the trouble of printing an actual test page when an ASCII penisbird is easier and funnier. I also don't know how that's going to get expensive when you can just turn off the printer. An HP deskjet prints a little under 20 pages a minute and the fastest printers are 100 pages per minute.. aren't they going to run PC LOAD LETTER well before the toner runs out?

    Explain yourself or else.

    1. Re:Another fake creimer story. by Anonymous Coward · · Score: 0

      I'm thinking of a "football player".

      By the way, you illiterate Creimy-Dumpty, you may think "of something" or "that something is" etc. You surely can't think something, like a printer. It just doesn't make any sense.

      C.D. Reimer is a renowned Slashdot collaborator, as he puts it himself; "Because of the quality of my posts and my article submissions, I'm a highly rated commentator and moderator."

      But has anybody ever wondered what "C.D." stands for? Well, it stands for Creimy Dumpty of course!

      Creimy Dumpty sat on the wall,
      Creimy Dumpty had a great fall.
      All the king's horses
      And all the king's men
      Couldn't put Creimy Dumpty
      Together again.

      Creimy's siblings video and theme song, very realistic, especially the pants, just like Creimy's:
      https://www.youtube.com/watch?...

      Creimy's real pictures:
      Before the sex change:
      https://ibb.co/cc7Ddw
      After the sex change:
      https://ibb.co/gVad65

      Creimy's "enterprise-level" chair, he talks about it all the time on slashdot:
      http://www.keynamics.com/image...

      Creimy's head, while his supervisor was talking to him, not with him, since it is impossible to do with Creimy:
      https://school.discoveryeducat...

      Creimy acting in educational resource document, he actually confirmed himself on Slashdot that he was handled by Special Education for the Santa Clara County Office of Education! He is really a king Dumpty!:
      http://www.sccoe.org/depts/stu...

    2. Re:Another fake creimer story. by Anonymous Coward · · Score: 0

      I said deskjet but I meant a laserjet. In any case 100ppm is a lot for an "enterprise grade" office printer.
      Don't try and razzle dazzle me. I had pwned half the 5ESS switches in my NPA back when you apparently hadn't been exposed to anything bigger than a C64.

    3. Re:Another fake creimer story. by Anonymous Coward · · Score: 0

      Given that most "fast" commercial printers print around 50 ppm, and may hold a couple reams of paper... how, exactly, are these costs mounting up?

      A ream of paper has 500 sheets. Most commercial printers hold at most 2000 sheets of paper. At full speed, with a full load of paper, these printers would print for 40 minutes before running out of paper. And that's assuming the tray where the printer dumps printed sheets doesn't fill up long before page 2000 and jam the printer up.

      Or are you saying that somebody IS around, and simply keeps blindly reloading the printers when they run out of paper, not bothering to wonder why somebody is printing thousands of copies of the same test page?

      Or are you just making more shit up to try and impress people on Slashdot? Yeah, that's more likely.

    4. Re:Another fake creimer story. by Anonymous Coward · · Score: 0

      Anyway, you can't ever go wrong with an "enterprise-level" goof as creimer and his "enterprise-level" chair:

      Creimy's head, while his supervisor was talking to him, not with him, since it is impossible to do with Creimy:
      https://school.discoveryeducat...

      Creimy's "enterprise-level" chair, he talks about it all the time on slashdot:
      http://www.keynamics.com/image...

    5. Re:Another fake creimer story. by Anonymous Coward · · Score: 0

      Yeah I meant enterprise-level laserjet and not an enterprise grade deskjet.

  12. Brother by nuckfuts · · Score: 0

    Consistently the worst brand of printers I have to deal with. When clients ask me for a printer recommendation, the short answer is "anything other than Brother".

    1. Re:Brother by Anonymous Coward · · Score: 0

      I like my Brother laser printer at home. It just works, never had an issue with network connectivity or drivers. With HP printers I feel like I always have to install hundreds of MB of bloatware to get it to work properly.

    2. Re:Brother by Anonymous Coward · · Score: 0

      Consistently the worst brand of printers I have to deal with. When clients ask me for a printer recommendation, the short answer is "anything other than Brother".

      As opposed to, say, Lexmark who want to use the DMCA to prevent you buying someone else's toner cartridge?

      I've got two Brother laser printers in the house, one has a scanner/photocopier, the other is just a printer. They have the same kind of cartridge, and have lasted me for years.

      Not sure what kind of printers you've been dealing with (I know I've had several PoS Canons over the years, and seen more than a handful of people who bought shitty Kodak printers) ... but my laser printers have actually proven to have been a good investment.

      Other than they can dim the lights when they warm up, they're pretty reliable. But a laser printer will pretty much always do that.

    3. Re:Brother by 50000BTU_barbecue · · Score: 1

      Weird. I bought an HP color laser printer that right out of the box couldn't print a straight line, it looked like a drunk person tried to draw the lines.

      I returned it and bought a Brother instead. It seems to like curling the paper because I understand that Brother uses a higher melting point for their toner.

      You can't win these days, printers are a dead end technology.

      --
      Mostly random stuff.

  13. Re:Printer Malware... by Anonymous Coward · · Score: 0

    Christopher, my love,

    I am deeply sorry. I didn't feel well lately but I am better now.
    I am sorry that I called you all sorts of names on /. and I feel
    truly ashamed of myself.

    The python click script you wrote for me my sweet love for my
    pheromone revenue stream web site suddenly stopped to work.

    Could you come visit me in my studio so we could look at it?

    Signed:
    Your sweetee who will love you for ever.

  14. Re: Printer Malware... by Monster_user · · Score: 1

    Funny.

    Happens whenever somebody forgets to update the drivers on a machine connected to the printer, and then it suddenly decides to print a single page.

  15. don't do this by spongman · · Score: 1

    absolutely _don't_ do this:
    - write a script to connect to the printers
    - change the admin password to something random
    - print out a page explaining what's going on along with the new admin password.

  16. Damn by buss_error · · Score: 1

    Another tool I use to break into things discovered. Sigh. Only 999,999,999 left.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.

    1. Re:Damn by buss_error · · Score: 1

      Just in case it isn't obvious, I'm kidding. I never break into anything I don't own or have written permission to do so.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.

    2. Re:Damn by dysmal · · Score: 1

      Another tool I use to break into things discovered. Sigh. Only 999,999,999 left.

      "I got 999,999,999 problems but a printer ain't one of them!"

  17. Re:Printer Malware... by Anonymous Coward · · Score: 0

    or someone rebooted printer.

    " or someone rebooted printer. "... For fuck's sake Chris, for a published author, you write quite stupidly.

  18. ack! by Anonymous Coward · · Score: 0

    This is the same company that makes the printer preferences dialog pop off the screen because it gets confused in multi-monitor (i.e., everyone today) setup?

  19. Blame the network admin by aglider · · Score: 1

    You need a whole lot of stupidity to have a printer (not a SERVER) visible on the internet.
    In the end, you assign to the printer either an unprotected public IP or a reverse-NAT private address.
    Both cases deserve the noose!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
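
The two ways a printer ends up reachable from outside that the thread keeps coming back to (a routable public address, as in the comment above, or a private address with an inbound NAT/UPnP mapping punched through the edge, as toejam13 and plover describe) can both be caught from an asset inventory before a scanner finds them. The following script is an added example, not code from the Slashdot thread or from the BleepingComputer article: it takes a constructed inventory (device names, addresses and port mappings are made up, with documentation-range addresses standing in for public ones) and reports printers on routable IPs, printers with admin or raw-print ports mapped from the edge, and printers still on the factory admin password. A real run would pull the same fields from the asset database, the router's NAT table and its UPnP lease list.

```python
"""Flag printers that are reachable from outside the network.

Added example, not code from the Slashdot thread or the BleepingComputer
article.  The inventory below is constructed for the demo (documentation
range addresses stand in for public ones); a real run would pull it from
the asset database, the edge router's NAT table and its UPnP lease list.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Ranges we treat as "inside": RFC 1918, CGNAT, link-local, loopback, ULA.
# Anything else is treated as Internet-routable.  We deliberately do not
# use ipaddress.is_global, because it also excludes documentation ranges
# such as 203.0.113.0/24, which the constructed sample uses as public IPs.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # RFC 6598 CGNAT
    "169.254.0.0/16", "127.0.0.0/8",                    # IPv4 link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]

# Ports a printer typically listens on: telnet (23), web admin (80/443),
# raw print (9100).  Any of these mapped from the edge is an exposure.
SENSITIVE_PORTS = {23, 80, 443, 9100}


@dataclass
class Device:
    name: str
    ip: str
    role: str                       # "printer", "server", ...
    admin_password_set: bool        # False = still blank / factory default
    edge_mappings: List[int] = field(default_factory=list)  # inbound ports mapped to it via NAT/UPnP


def is_routable(ip: str) -> bool:
    """True if the address lies outside every internal range (publicly routable)."""
    addr = ipaddress.ip_address(ip)
    # `addr in net` is False when the IP versions differ, so mixing v4/v6 is safe.
    return not any(addr in net for net in INTERNAL_RANGES)


def audit(devices: List[Device]) -> List[Tuple[str, str, str]]:
    """Return (device, finding, detail) triples for every exposed printer."""
    findings = []
    for dev in devices:
        if dev.role != "printer":
            continue
        exposed_ports = sorted(SENSITIVE_PORTS & set(dev.edge_mappings))
        on_public_ip = is_routable(dev.ip)
        if on_public_ip:
            findings.append((dev.name, "public-ip",
                             f"{dev.ip} is Internet-routable; every open service is reachable"))
        if exposed_ports:
            findings.append((dev.name, "edge-mapping",
                             f"ports {exposed_ports} mapped from the edge (NAT/UPnP)"))
        if not dev.admin_password_set:
            where = "from the Internet" if (on_public_ip or exposed_ports) else "from the LAN"
            findings.append((dev.name, "no-admin-password",
                             f"admin panel accepts the factory default {where}"))
    return findings


# Constructed sample inventory (hypothetical names and addresses).
SAMPLE_INVENTORY = [
    Device("copyroom-mfc",      "203.0.113.7",   "printer", admin_password_set=False),
    Device("finance-printer",   "192.168.10.20", "printer", admin_password_set=True,  edge_mappings=[9100]),
    Device("reception-printer", "10.0.5.3",      "printer", admin_password_set=False),
    Device("lab-printer",       "2001:db8::42",  "printer", admin_password_set=True),
    Device("web-server",        "203.0.113.9",   "server",  admin_password_set=True,  edge_mappings=[443]),
]

if __name__ == "__main__":
    for name, issue, detail in audit(SAMPLE_INVENTORY):
        print(f"{name:18} {issue:18} {detail}")
```

Against the sample inventory the audit reports five findings: the copy-room MFC on a public address with no admin password, the finance printer whose raw-print port is mapped through the edge even though it sits on RFC 1918 space, the reception printer that is only a LAN-side default-password risk, and the lab printer on a routable IPv6 address; the web server is out of scope for this check. The "from the LAN" finding is kept on purpose: the thread's own examples of combined scanner/fax units with default web admin passwords show that an internal-only device still leaks everything that passes through it.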
  20. Yawn by Anonymous Coward · · Score: 0

    How is this even news? I've found over 10,000 routers with full SSH access and default passwords out there in under 3 weeks of scanning.

  21. Stupid, incompetence, both, or ? by Miser · · Score: 1

    Whenever I see articles like this, I have to ask myself - WHY would you expose a printer to the public Internet?

    I've been doing tech for 20 years and NOT ONCE have I done this, or even been asked to do this by some moron MBA CEO (which says a lot).

    You want access to that printer's IP from outside? SSH tunnel or VPN for you - or nothing. Full stop.

    -Miser