Hundreds of Printers Expose Backend Panels and Password Reset Functions Online

Catalin Cimpanu, writing for BleepingComputer: A security researcher has found nearly 700 Brother printers left exposed online, allowing access to the password reset function to anyone who knows what to look for. Discovered by Ankit Anubhav, Principal Researcher at NewSky Security, the printers offer full access to their administration panel over the Internet. Anubhav has provided Bleeping Computer with a list of exposed printers. Accessing a few random URLs, Bleeping has discovered a wide range of Brother printer models, such as DCP-9020CDW, MFC-9340CDW, MFC-L2700DW, or MFC-J2510, just to name a few. The cause of all these exposures is Brother's choice of shipping the printers with no admin password. Most organizations most likely connected the printers to their networks without realizing the admin panel was present and wide open to connections. These printers are now easy discoverable via IoT search engines like Shodan or Censys.

Connected Directly to the Internet?

[nsuccorso]

Do the printers have to be connected to routable IPs and have the admin ports wide open? Who connects their printer to the public internet? Or is there something more sinister involved?

Re:

[Anonymous Coward]

My former employer is a great example of publicly accessible printers. Multiple arguments (not disagreements... straight up arguments) with my manager at how absurd this was all so "a few people might need to print something from home and have it on their desk at work". No VPN. No locking down the printers to be only accessible from our subnet even. Plain ole HP 4250's exposed to the world with original firmware.

The best part was when 6 months after i gave up on arguing, we started getting printer spamm

Re:

[FictionPimp]

Exactly what I was thinking. Who the hell lets inbound unsolicited connections into their network?

Re:

[EvilSS]

Exactly what I was thinking. Who the hell lets inbound unsolicited connections into their network?

Way more people than anyone who knows better would believe. Just look at all of the security camera hacks from the past few years. Almost all of those involve people exposing their devices (like security cameras) to the internet via port forwarding so they can remotely access them. The same people who don't know to set a damn password (or reset the default) on those devices. All it usually takes is some port scanning or even just a little google-fu to find them.

Re:

[plover]

Way more people than anyone who knows better would believe. Just look at all of the security camera hacks from the past few years. Almost all of those involve people exposing their devices (like security cameras) to the internet via port forwarding so they can remotely access them. The same people who don't know to set a damn password (or reset the default) on those devices. All it usually takes is some port scanning or even just a little google-fu to find them.

Except that's not what happened. These cameras were bought by ordinary people who have no idea what "port forwarding" is; they did not follow any instructions to open a hole on their router. They simply went to the store and bought a camera, and then installed a camera app on their phone. That's it. Internally, the camera sent a UPnP message to their router that opened a hole back to the camera, where the camera's weak telnet server and default passwords allowed the bot attacks to succeed.

These people

Re:Connected Directly to the Internet?

[Tarlus]

I've come into numerous environments throughout my career that had a multitude of printers set up on public IP's, no firewall, and in numerous cases, with the default admin password. No valid reason for doing so. Just a lack of proper management.

Re:

[dissy]

I've come into numerous environments throughout my career that had a multitude of printers set up on public IP's, no firewall, and in numerous cases, with the default admin password. No valid reason for doing so. Just a lack of proper management.

I dunno, that doesn't really answer the question.

How does any organization even obtain public internet routable IPs without proper management to set that up?

With so many devices defaulting to NAT and requiring work to turn that off, assuming you can turn it off, how do those devices even get a public IP instead of an internal IP without proper management?

Every time I setup a business internet connection I had to beg and plead to get a /29 over the single IP setup by default, and took more than zero effort t

Re:

[Anonymous Coward]

I think there's two factors:

1) UPnP - a surprising number of business networks have this enable by default. Especially true in younger ones who "don't need an IT department, because everything Just Works". They've got two "DevOps gurus" (read: IT guys who also have to do all the dev work, maintain the phones (they're IP phones, right?) and be on call 24/7 in case the CEO's toddler deletes the corporate website again*) running round after hundreds of "rockstars" who want to be "self-managed" and don't think

Re:

[WorBlux]

Some ipv6 connection will sometimes give you a /56 or higher

Re:

[jabuzz]

Does it say who the public IP addresses belong to? My guess is that they are likely located at universities where they are have loads of public IP addresses and historically everything got a public IP address.

Certainly in the UK all the universities have a full class B network allocation. So that's 65K IP address and you might have say 20K students, 5K staff and say 4-5K postgraduate students. Thats a couple of IP addresses each and still some spare.

Certainly my phone gets a fully routable public IP address

Re:

[Tablizer]

Vintage IOT, enjoy!

Re:

[lhowaf]

Equifax?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[trg83]

The good news is mostly only early adopters of the Internet like gigantic corporations and government entities have that sort of access to public IPv4 addresses. Oh, wait. That makes it much, much worse!

PC LOAD LETTER

[Anonymous Coward]

PRESS ANY KEY

Re:

[Anonymous Coward]

Why does it say paper jam when there is no paper jam?

I've found copiers online like this

[Fencepost]

I don't recall the precise model, but I was searching for documentation using strings pulled from the login page of a copier - what I got was a bunch of such copiers exposed to the real world using the default credentials.

It was some years back, but I believe I signed into the first one, looked in the address book on it, and emailed a few of the folks who were listed to say "Hey, I got your address from a copier in your office that's exposed to the Internet. Please pass along to your IT folks to fix that."

don't need no password to just print to them!

[Joe_Dragon]

don't need no password to just print to them! and yes there one with an public ip

Re:

[tlhIngan]

don't need no password to just print to them! and yes there one with an public ip

Nice to know we can still throwaway IPv4 addresses so frivolously

I still have a working 4000 with JetDirect card

[Joe_Dragon]

I still have a working 4000 with JetDirect card no it's not online and is only turned on when I need to print.

Re:

[jabuzz]

Built like a tank and with appropriate maintenance kits good for at least 1 million pages. I did have in a former job a LaserJet 5M with 1.5 million pages on the counter.

Re: Printer Malware...

[Monster_user]

Funny.

Happens whenever somebody forgets to update the drivers on a machine connected to the printer, and then it suddenly decides to print a single page.

Brother

[nuckfuts]

Consistently the worst brand of printers I have to deal with. When clients ask for me for a printer recommendation, the short answer is "anything other than Brother".

Re:

[50000BTU_barbecue]

Weird. I bought a HP color laser printer that right out of the box couldn't print a straight line, it looked like a drunk person tried to draw the lines.

I returned it and bought a Brother instead. It seems to like curling the paper because I understand that Brother uses a higher melting point for their toner.

You can't win these days, printers are a dead end technology.

don't do this

[spongman]

absolutely _don't_ do this:
- write a script to connect to the printers
- change the admin password to something random
- print out a page explaining what's going on along with the new admin password.

Damn

[buss_error]

Another tool I use to break in to things discovered. sigh Only 999,999,999 left.

Re:

[buss_error]

Just in case it isn't obvious, I'm kidding. I never break into anything I don't own or have written permission to do so.

Re:

[dysmal]

Another tool I use to break in to things discovered. sigh Only 999,999,999 left.

"I got 999,999,999 problems but a printer ain't one of them!"

Blame the network admin

[aglider]

You need a whole lot of stupidity to have a printer (not a SERVER) visible on the internet.
In the end, you assign to the printer either an unprotected public IP or a reverse-NAT private address.
Both cases deserve the noose!

Stupid, incompetence, both, or ?

[Miser]

Whenever I see articles like this, I have to ask myself - WHY would you expose a printer to the public Internet?

I've been doing tech for 20 years and NOT ONCE have I done this, or even been asked to do this by some moron MBA CEO (which says a lot).

You want access to that printer's IP from outside? SSH tunnel or VPN for you - or nothing. Full stop.

-Miser