UPDATE

Researchers at NewSky Security have found hundreds of Lexmark printers misconfigured, open to the public internet and easily accessible to anyone interested in taking control of targeted devices.

Researchers identified 1,123 Lexmark printers traced back to businesses, universities and in some cases U.S. government offices. Adversaries with access to those printers can perform a number of different malicious activities ranging from adding a backdoor to capturing print jobs, taking a printer offline or printing junk content to physically disrupt a printer’s operation.

The vulnerable Lexmark printers, which researchers identified using a custom Shodan search technique, lacked an administrative password.

“We focus on printers which can be controlled by anyone without hacking skills because of gross negligence of the users,” said Ankit Anubhav, researcher with NewSky Security, in an interview with Threatpost.

Attacks on printers are far from new and have ranged from cross-site printing attacks and RAW printing on port 9100 to exploiting known printer IP addresses for networked devices. For its investigation, NewSky Security focused on printers with no security.

“While many people have awareness to change router passwords, printer security is still neglected at large. On similar lines, we observed that more than a thousand Lexmark printers are up for grabs for attackers, because they simply have no password,” according to NewSky Security, which published its findings Monday.

This is not NewSky’s first discovery of misconfigured printers. In October, the New Jersey Cybersecurity and Communications Integrator Cell released a security bulletin warning that NewSky had found 700 Brother printers configured insecurely and visible to the internet.

In the case of Brother, as with Lexmark, affected printers left administrative panels remotely accessible over TCP ports 80 and 443. In the case of Lexmark, admins didn’t require login credentials at all to view or modify settings.

“These printers also have several ports open including TCP port 21 (FTP) and TCP port 23 (Telnet) creating additional opportunities for unauthorized access into both the device and the organization’s network,” authorities warned.

According to researchers, this type of access to a networked printer allows a remote attacker to view the device’s status, printer model, serial number and MAC address. In addition, an attacker can view the printer’s firmware version, ink levels and network configuration, which allows them to enable proxies, change administrator passwords, modify sound volume, contact information, device status, time and date, create a self-signed certificate and private key, and even upload documents and send jobs to the printer.

“This was not an exceptional case when it comes to Lexmark printers. We used custom Shodan Dorks to get a list of relevant online Lexmark devices, and found out that out of 1,475 unique IPs, 1,123 Lexmark printers had no security. Only 352 devices (approx. 24%) redirected us to a login page, implying they have set up a password,” NewSky wrote.

Government agencies with vulnerable printers that were contacted by Threatpost did not return requests for comment.

In a statement Lexmark told Threatpost:

“At Lexmark, we take device security very seriously.  We provide customers with a strong set of security capabilities in every device, right out of the box.  Unlike many print providers, these features carry no additional cost and help to securely build a bridge between digital and hardcopy information.

A basic security practice is to password protect any networked device. Printers and MFPs are no exception.  We do not set a default password out of the box to prevent having an accessible common credential. We have found that shipping devices with a default or pre-assigned password presents more risk than allowing customers to create their own strong, unique password.  Our devices are easily configurable to require a PIN or password for access.

Ports on Lexmark devices are “on” by default to allow for easy installation. We document the network port security on our devices and encourage customers to disable any port that is not in use. Lexmark includes a detailed overview of standard protocols and their uses to enable customers to adjust their settings with confidence.”

“All the blame cannot be put on the end user as some of them might not be tech savvy. Since Lexmark is not forcing users to set up a password, I don’t consider the security architecture to be very strong. This is equivalent to setting up an email ID for someone, but it has no password and anyone can log in,” Anubhav said.

(This story was updated on 12/20/2017 at 4pm ET with a comment from Lexmark)


Comments (3)

  1. Zeff

    Maybe a valid point regarding defaulting to a secure setup … have them select a PIN or password during setup with the option to opt out? I can live with that. The problem inherent in that is getting them locked out of their devices when they forget that PIN. I took a peek at their user guides. It might be nice to see as a recommendation in the setup guide and called out specifically (perhaps a minimum recommendation since there are so many ways to secure a printer) in the User Guide. Interestingly, they have an entire manual (93 pgs) dedicated to securely configuring your printer … at least for the random model I selected.

    In my opinion, either NewSky seems to be looking for low hanging fruit to build up their name, or it’s an issue of how the author of this post somewhat sensationalized the notification. I’m wondering if it’s not more the second issue when I looked at some of his other posts. In one of them he misquotes Synaptic in his title to give it edge, but then gives their actual wording in the article. So I at least appreciate that. Just not my kind of journalism.

    And let’s be honest with each other here. How is this any different than people not putting passwords on their phones, tablets, or PCs? And it’s breaking news, somehow? I don’t think so.

    • WhiteHat

      Sponsored comments are easy to identify, sadly. Most hacks are carried out with the simplest of security flaws. Will you adore your bank opening an account with no password and anyone can access it? Phone can have no password, but you need to be present physically to control it. If you are able to pwn it remotely, of course it is a security issue.

  2. Toby

    This type of “security” story is really not well thought out. First, this is referencing open networks with no firewall (most companies have firewalls in place on the network to protect against this type of intrusion) and to place the blame on misconfiguration on the manufacturer is asinine. You buy a product, learn to configure it… that is why manufacturers have support. Government agencies… which one… animal control, Sanitation, local agency? Sensationalism for a poorly conceived test from a “Security Firm” startup.
