Researchers at NewSky Security have found hundreds of Lexmark printers misconfigured, open to the public internet and easily accessible to anyone interested in taking control of targeted devices.
Researchers identified 1,123 Lexmark printers traced back to businesses, universities and in some cases U.S. government offices. Adversaries with access to those printers can perform a number of different malicious activities ranging from adding a backdoor to capturing print jobs, taking a printer offline or printing junk content to physically disrupt a printer’s operation.
Vulnerable Lexmark printers identified by researchers, using a custom Shodan search technique, lacked an administrative password.
“We focus on printers which can be controlled by anyone without hacking skills because of gross negligence of the users,” said Ankit Anubhav, researcher with NewSky Security in an interview with Threatpost.
Attacks on printers are far from new and have ranged from cross-site printing attacks and RAW printing on port 9100 to exploiting known printer IP addresses for networked devices. For its investigation, NewSky Security focused on printers with no security.
“While many people have awareness to change router passwords, printer security is still neglected at large. On similar lines, we observed that more than a thousand Lexmark printers are up for grabs for attackers, because they simply have no password,” according to NewSky Security, which published its findings Monday.
This is not NewSky’s first discovery of misconfigured printers. In October, the New Jersey Cybersecurity and Communications Integrator Cell released a security bulletin warning that NewSky had found 700 Brother printers configured insecurely and visible to the internet.
In the case of Brother, as with Lexmark, affected printers left administrative panels remotely accessible over TCP ports 80 and 443. In the case of Lexmark, admins didn’t require login credentials at all to view or modify settings.
“These printers also have several ports open including TCP port 21 (FTP) and TCP port 23 (Telnet) creating additional opportunities for unauthorized access into both the device and the organization’s network,” authorities warned.
According to researchers, this type of access to a networked printer allows a remote attacker to view the device’s status, printer model, serial number and MAC address. In addition, an attacker can view the printer’s firmware version, ink levels and network configuration. The same access allows them to enable proxies, change administrator passwords, modify sound volume, contact information, device status, time and date, create a self-signed certificate and private key, and even upload documents and send jobs to the printer.
“This was not an exceptional case when it comes to Lexmark printers. We used custom Shodan Dorks to get a list of relevant online Lexmark devices, and found out that out of 1,475 unique IPs, 1,123 Lexmark printers had no security. Only 352 devices (approx. 24%) redirected us to a login page, implying they have set up a password,” NewSky wrote.
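For administrators checking their own fleet, the following is an added example (not NewSky's or Lexmark's code) that triages audit data already collected from printers you manage, using the heuristic quoted above that a redirect to a login page implies a password is set. The record layout, the `/login` path and the 401 rule are assumptions, and the sample inventory is constructed.

```python
# Ports named in the article: admin panel on 80/443, FTP, Telnet, RAW printing.
ADMIN_PORTS = {80, 443}
RISKY_PORTS = {21: "FTP", 23: "Telnet", 9100: "RAW printing"}

def parse_head(raw):
    """Split a raw HTTP response head into (status code, lower-cased headers)."""
    lines = raw.strip().splitlines() or [""]
    parts = lines[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    pairs = (line.partition(":") for line in lines[1:])
    headers = {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}
    return status, headers

def admin_panel_state(raw):
    """Classify an admin-page response: 'login-required', 'open' or 'unknown'."""
    status, headers = parse_head(raw)
    location = headers.get("location", "").lower()
    # Article's heuristic: a redirect to a login page implies a password is set.
    # Assumptions: the login URL contains "login"; a 401 challenge also counts.
    if status == 401 or (300 <= status < 400 and "login" in location):
        return "login-required"
    if status == 200:
        return "open"  # page served with no credential challenge
    return "unknown"

def audit(device):
    """Return the findings for one inventory record."""
    findings = []
    ports = set(device["open_ports"])
    if ports & ADMIN_PORTS and admin_panel_state(device["admin_response"]) == "open":
        findings.append("admin panel reachable without a password")
    for port in sorted(ports & set(RISKY_PORTS)):
        findings.append(f"{RISKY_PORTS[port]} open on TCP {port}: disable if unused")
    return findings

# Constructed sample records (documentation addresses, hypothetical responses).
INVENTORY = [
    {"host": "192.0.2.10", "open_ports": [21, 23, 80, 443, 9100],
     "admin_response": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"},
    {"host": "192.0.2.11", "open_ports": [443],
     "admin_response": "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["host"], audit(dev) or ["no findings"])
```

A device that serves its login form with a 200 status would be reported as open, so confirm each finding in the printer's own security settings.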
Government agencies with vulnerable printers that were contacted by Threatpost did not return requests for comment.
In a statement, Lexmark told Threatpost:
“At Lexmark, we take device security very seriously. We provide customers with a strong set of security capabilities in every device, right out of the box. Unlike many print providers, these features carry no additional cost and help to securely build a bridge between digital and hardcopy information.
A basic security practice is to password protect any networked device. Printers and MFPs are no exception. We do not set a default password out of the box to prevent having an accessible common credential. We have found that shipping devices with a default or pre-assigned password presents more risk than allowing customers to create their own strong, unique password. Our devices are easily configurable to require a PIN or password for access.
Ports on Lexmark devices are “on” by default to allow for easy installation. We document the network port security on our devices and encourage customers to disable any port that is not in use. Lexmark includes a detailed overview of standard protocols and their uses to enable customers to adjust their settings with confidence.”
“All the blame cannot be put on the end user as some of them might not be tech savvy. Since Lexmark is not forcing users to set up a password, I don’t consider the security architecture to be very strong. This is equivalent to setting up an email ID for someone, but it has no password and anyone can log in,” Anubhav said.
(This story was updated on 12/20/2017 at 4pm ET with a comment from Lexmark)