December 20, 2017
NewSky Security researchers have found that hundreds of Lexmark printers are vulnerable to attack due to “gross negligence”.
As threatpost reveals, 1,123 Lexmark printers linked to businesses, some US government offices and universities have been rendered “misconfigured, open to the public internet and easily accessible to anyone interested in taking control of targeted devices.”
These vulnerable devices “lacked an administrative password”, a fact discovered by researchers when they used a custom Shodan search method.
As a result, they could fall prey to a number of “malicious activities” including the addition of a back door, being taken offline, printing junk content, or having their print jobs captured.
“We focus on printers which can be controlled by anyone without hacking skills because of gross negligence of the users,” said Ankit Anubhav, researcher with NewSky Security in an interview with Threatpost.
Printer security is a crucial issue in our increasingly technological society, with malicious attacks on printers being “far from new”.
“While many people have awareness to change router passwords, printer security is still neglected at large. On similar lines, we observed that more than a thousand Lexmark printers are up for grabs for attackers, because they simply have no password,” according to NewSky Security.
Earlier this year, the company discovered that 700 Brother printers “were configured insecurely and visible to the Internet.”
As with the Lexmark printers, administrative panels “were left remotely accessible”, although in the case of Lexmark’s devices, “admins didn’t require login credentials at all to view or modify settings.”
“This was not an exceptional case when it comes to Lexmark printers. We used custom Shodan Dorks to get list of relevant online Lexmark devices, and found out that out of 1,475 unique IPs, 1,123 Lexmark printers had no security. Only 352 devices (approx. 24%) redirected us to a login page, implying they have set up a password,” NewSky explained.
Neither Lexmark or government agencies with vulnerable printers have offered any comment.
“All the blame cannot be put on the end user as some of them might not be tech savvy. Since Lexmark is not forcing users to set up a password, I don’t consider the security architecture to be very strong. This is equivalent to setting up an email ID for someone, but it has no password and anyone can log in,” Anubhav said.
Categories : Around the Industry