Slashdot Mirror


Hundreds of Printers Expose Backend Panels and Password Reset Functions Online (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: A security researcher has found nearly 700 Brother printers left exposed online, allowing access to the password reset function to anyone who knows what to look for. Discovered by Ankit Anubhav, Principal Researcher at NewSky Security, the printers offer full access to their administration panel over the Internet. Anubhav has provided Bleeping Computer with a list of exposed printers. Accessing a few random URLs, Bleeping has discovered a wide range of Brother printer models, such as DCP-9020CDW, MFC-9340CDW, MFC-L2700DW, or MFC-J2510, just to name a few. The cause of all these exposures is Brother's choice of shipping the printers with no admin password. Most organizations most likely connected the printers to their networks without realizing the admin panel was present and wide open to connections. These printers are now easily discoverable via IoT search engines like Shodan or Censys.
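The exposure the summary describes is three conditions stacking up: a routable address, an admin panel reachable from outside, and no admin password set. The following inventory audit flags those conditions on a device list; it is an added example, not code from BleepingComputer or the researcher, and the Printer record layout, field names and sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 plus loopback and link-local: the only ranges an office printer should sit in.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Printer:
    name: str
    ip: str
    admin_password_set: bool   # assumed to come from the device's config export
    wan_reachable: bool        # assumed result of an external reachability check


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit(printers):
    """Return (name, severity, issues) for every printer with at least one issue."""
    findings = []
    for p in printers:
        issues = []
        if not is_internal(p.ip):
            issues.append("routable address")
        if p.wan_reachable:
            issues.append("admin panel reachable from WAN")
        if not p.admin_password_set:
            issues.append("no admin password")
        if not issues:
            continue
        exposed = not is_internal(p.ip) or p.wan_reachable
        if exposed and not p.admin_password_set:
            severity = "critical"   # the Brother case: open panel, blank password
        elif exposed:
            severity = "high"
        else:
            severity = "medium"
        findings.append((p.name, severity, issues))
    return findings


# Constructed sample inventory; 203.0.113.0/24 is a documentation range, not a real device.
SAMPLE = [
    Printer("mfc-9340-lobby", "203.0.113.17", False, True),
    Printer("dcp-9020-hr", "192.168.10.40", True, False),
    Printer("mfc-l2700-ops", "192.168.10.41", False, False),
    Printer("mfc-j2510-ext", "10.5.0.9", True, True),
]

if __name__ == "__main__":
    for name, sev, issues in audit(SAMPLE):
        print(f"{sev:8} {name}: {', '.join(issues)}")
```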

29 of 61 comments

  1. Connected Directly to the Internet? by nsuccorso · · Score: 3, Interesting

    Do the printers have to be connected to routable IPs and have the admin ports wide open? Who connects their printer to the public internet? Or is there something more sinister involved?

    1. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 3, Informative

      My former employer is a great example of publicly accessible printers. Multiple arguments (not disagreements... straight up arguments) with my manager about how absurd this was, all so "a few people might need to print something from home and have it on their desk at work". No VPN. No locking down the printers to be only accessible from our subnet even. Plain ole HP 4250s exposed to the world with original firmware.

      The best part was when, 6 months after I gave up on arguing, we started getting printer spammed and all eyes were on me as though my mentioning it could happen automatically made me at fault.

      "Hey, what about icebergs?"

      This of course was the local university, where everyone bends over backwards to anyone with a PhD because they always know better.

      Best career move I could make was leaving the Titanic.edu!

    2. Re:Connected Directly to the Internet? by FictionPimp · · Score: 2

      Exactly what I was thinking. Who the hell lets inbound unsolicited connections into their network?

    3. Re:Connected Directly to the Internet? by Tarlus · · Score: 3, Informative

      I've come into numerous environments throughout my career that had a multitude of printers set up on public IPs, no firewall, and in numerous cases, with the default admin password. No valid reason for doing so. Just a lack of proper management.

      --
      /* No Comment */
    4. Re:Connected Directly to the Internet? by Tablizer · · Score: 1

      Vintage IOT, enjoy!

    5. Re:Connected Directly to the Internet? by lhowaf · · Score: 2

      Equifax?

    6. Re:Connected Directly to the Internet? by toejam13 · · Score: 1

      Not necessarily. If these printers are factory configured to use UPnP and their edge firewalls allow it, these printers could punch their way out even if they were on a network with private IP space.

      I'd bet that many of these printers are on small business DSL or cable connections that come with a pool of public addresses and these folks just connected directly to the Internet. No firewall, no security.

    7. Re:Connected Directly to the Internet? by EvilSS · · Score: 2

      Exactly what I was thinking. Who the hell lets inbound unsolicited connections into their network?

      Way more people than anyone who knows better would believe. Just look at all of the security camera hacks from the past few years. Almost all of those involve people exposing their devices (like security cameras) to the internet via port forwarding so they can remotely access them. The same people who don't know to set a damn password (or reset the default) on those devices. All it usually takes is some port scanning or even just a little google-fu to find them.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    8. Re:Connected Directly to the Internet? by trg83 · · Score: 1

      The good news is mostly only early adopters of the Internet like gigantic corporations and government entities have that sort of access to public IPv4 addresses. Oh, wait. That makes it much, much worse!

    9. Re:Connected Directly to the Internet? by dissy · · Score: 1

      I've come into numerous environments throughout my career that had a multitude of printers set up on public IPs, no firewall, and in numerous cases, with the default admin password. No valid reason for doing so. Just a lack of proper management.

      I dunno, that doesn't really answer the question.

      How does any organization even obtain public internet routable IPs without proper management to set that up?

      With so many devices defaulting to NAT and requiring work to turn that off, assuming you can turn it off, how do those devices even get a public IP instead of an internal IP without proper management?

      Every time I set up a business internet connection I had to beg and plead to get a /29 over the single IP set up by default, and it took more than zero effort to add a router to the mix that either wasn't a piece of crap $20 Linksys that forces NAT on you, or to get the ISP to bridge that single IP through their CPE and onto my own router directly.
      Not to mention I don't remember any ISP after the dialup era automatically assigning you an IP, let alone providing DHCP services for any routable subnets.

      One would expect that without any proper network management things wouldn't be able to be in any situation where $randomDevice plugged in is handed a public IP from any DHCP server anywhere.

      If anything, I'd expect lack of proper network management to result in nothing working in the first place at worst, or a standard home NAT setup at best.

    10. Re:Connected Directly to the Internet? by Anonymous Coward · · Score: 1

      I think there's two factors:

      1) UPnP - a surprising number of business networks have this enabled by default. Especially true in younger ones who "don't need an IT department, because everything Just Works". They've got two "DevOps gurus" (read: IT guys who also have to do all the dev work, maintain the phones (they're IP phones, right?) and be on call 24/7 in case the CEO's toddler deletes the corporate website again*) running round after hundreds of "rockstars" who want to be "self-managed" and don't think things like security policies should apply to them, because their workflow is too important to interrupt with silly things like security patches.

      2) Oldskool orgs that once had real servers on those IPs, but have gradually replaced them with single-function black boxes. So whilst that IP used to point at a department fileserver with proper authentication which just happened to have a printer attached, they moved everything to a central server or The Cloud(TM) and replaced the crappy old printer that'd worked flawlessly for 20 years with a fancy networked one that has a touch screen display, built-in wifi, and keeps breaking down and needing to be hard-reset for some reason. The old system let users send stuff to the office printer from the conference room over the street, so the new one's set up on that IP and it seems to work. The one remaining IT guy who hasn't been offered "relocation" to head office (the other side of the country, with 3x living costs and no increase in pay) or just straight offshored is spending 8 hours a day hiding in a maintenance cupboard somewhere hoping nobody notices that he's still drawing a paycheck.

      * because OF COURSE the CEO needs admin credentials to every system - they're the CEO! And OF COURSE it's fine to leave themselves logged in - who needs to remember all those passwords, amirite? And OF COURSE let their kid play with their tablet - little Johnny is such a precocious scamp, he's so much more developmentally advanced than all the other young leaders at the private nursery that costs more a month than those poor DevOps guys make a year; he clearly needs the stimulation that can only be provided by brightly coloured shiny expensive objects.

      Why yes, I am a bit bitter; but a lot less bitter than I was when I was in IT. Pulled on a suit, put up my rates by a factor of 20, and now I get to tell C-level execs that they're morons, and they thank me for my insight. Weird world.

    11. Re:Connected Directly to the Internet? by WorBlux · · Score: 1

      Some IPv6 connections will sometimes give you a /56 or higher.

    12. Re:Connected Directly to the Internet? by jabuzz · · Score: 1

      Does it say who the public IP addresses belong to? My guess is that they are likely located at universities, where they have loads of public IP addresses and historically everything got a public IP address.

      Certainly in the UK all the universities have a full class B network allocation. So that's 65K IP addresses, and you might have say 20K students, 5K staff and say 4-5K postgraduate students. That's a couple of IP addresses each and still some spare.

      Certainly my phone gets a fully routable public IP address when it hooks up to Eduroam at work! We don't have any IPv6 (well apparently we have it at the edge but it's not routed internally) because we don't actually need it. IPv4 address starvation, what's that eh.

      Then you have organizations with class A networks. Why would a firm like IBM or HP ever dream of allocating private IP addresses?

      Of course these should be firewalled up the wazoo, but again historically there was no such thing as a firewall.

    13. Re:Connected Directly to the Internet? by plover · · Score: 1

      Way more people than anyone who knows better would believe. Just look at all of the security camera hacks from the past few years. Almost all of those involve people exposing their devices (like security cameras) to the internet via port forwarding so they can remotely access them. The same people who don't know to set a damn password (or reset the default) on those devices. All it usually takes is some port scanning or even just a little google-fu to find them.

      Except that's not what happened. These cameras were bought by ordinary people who have no idea what "port forwarding" is; they did not follow any instructions to open a hole on their router. They simply went to the store and bought a camera, and then installed a camera app on their phone. That's it. Internally, the camera sent a UPnP message to their router that opened a hole back to the camera, where the camera's weak telnet server and default passwords allowed the bot attacks to succeed.

      These people did nothing more than purchase a device that did exactly what it promised on the label. It's not their fault the device accomplished the task by silently screwing their security over.

      --
      John
  2. PC LOAD LETTER by Anonymous Coward · · Score: 2, Funny

    PRESS ANY KEY

    1. Re:PC LOAD LETTER by Anonymous Coward · · Score: 1

      Why does it say paper jam when there is no paper jam?

  3. I've found copiers online like this by Fencepost · · Score: 1

    I don't recall the precise model, but I was searching for documentation using strings pulled from the login page of a copier - what I got was a bunch of such copiers exposed to the real world using the default credentials.

    It was some years back, but I believe I signed into the first one, looked in the address book on it, and emailed a few of the folks who were listed to say "Hey, I got your address from a copier in your office that's exposed to the Internet. Please pass along to your IT folks to fix that."

    --
    fencepost
    just a little off
  4. don't need no password to just print to them! by Joe_Dragon · · Score: 1

    don't need no password to just print to them! And yes, there's one with a public IP.

    1. Re:don't need no password to just print to them! by tlhIngan · · Score: 1

      don't need no password to just print to them! And yes, there's one with a public IP.

      Nice to know we can still throw away IPv4 addresses so frivolously.

  5. I still have a working 4000 with JetDirect card by Joe_Dragon · · Score: 1

    I still have a working 4000 with JetDirect card. No, it's not online, and it is only turned on when I need to print.

    1. Re:I still have a working 4000 with JetDirect card by jabuzz · · Score: 1

      Built like a tank and with appropriate maintenance kits good for at least 1 million pages. I did have in a former job a LaserJet 5M with 1.5 million pages on the counter.

  6. Re: Printer Malware... by Monster_user · · Score: 1

    Funny.

    Happens whenever somebody forgets to update the drivers on a machine connected to the printer, and then it suddenly decides to print a single page.

  7. don't do this by spongman · · Score: 1

    absolutely _don't_ do this:
    - write a script to connect to the printers
    - change the admin password to something random
    - print out a page explaining what's going on along with the new admin password.

  8. Damn by buss_error · · Score: 1

    Another tool I use to break in to things discovered. sigh Only 999,999,999 left.

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    1. Re:Damn by buss_error · · Score: 1

      Just in case it isn't obvious, I'm kidding. I never break into anything I don't own or have written permission to do so.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    2. Re:Damn by dysmal · · Score: 1

      Another tool I use to break in to things discovered. sigh Only 999,999,999 left.

      "I got 999,999,999 problems but a printer ain't one of them!"

  9. Re:Brother by 50000BTU_barbecue · · Score: 1

    Weird. I bought an HP color laser printer that right out of the box couldn't print a straight line; it looked like a drunk person tried to draw the lines.

    I returned it and bought a Brother instead. It seems to like curling the paper, because I understand that Brother uses a higher melting point for their toner.

    You can't win these days, printers are a dead end technology.

    --
    Mostly random stuff.
  10. Blame the network admin by aglider · · Score: 1

    You need a whole lot of stupidity to have a printer (not a SERVER) visible on the internet.
    In the end, you assign to the printer either an unprotected public IP or a reverse-NAT private address.
    Both cases deserve the noose!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  11. Stupid, incompetence, both, or ? by Miser · · Score: 1

    Whenever I see articles like this, I have to ask myself: WHY would you expose a printer to the public Internet?

    I've been doing tech for 20 years and NOT ONCE have I done this, or even been asked to do this by some moron MBA CEO (which says a lot).

    You want access to that printer's IP from outside? SSH tunnel or VPN for you - or nothing. Full stop.

    -Miser