The security researcher Ankit Anubhav, principal researcher at NewSky Security, has discovered nearly 700 Brother printers left exposed online. Anyone can access the administration panel of the printers and take control of the devices.
Anubhav disclosed its discovery via Bleeping Computer providing it a list of exposed printers.
“Accessing a few random URLs, Bleeping has discovered a wide range of Brother printer models, such as DCP-9020CDW, MFC-9340CDW, MFC-L2700DW, or MFC-J2510, just to name a few.” states Bleeping Computer.
Bleeping Computer also forwarded the list to the popular researcher Victor Gevers that once analyzed it will notify the affected organizations.
The researcher discovered many Brother printers exposed line with factory settings, in fact, Brother ships the printers with no admin password.
Anubhav explained that the printers belong to corporate and government networks and known universities.
“I’m surprised about so many known universities included in the list,” Anubhav told Bleeping. “I am planning to reach and notify the orgs with my colleague,”
An attacker can access the administration of the printers connected to the Internet and change settings, such as their passwords, causing problems to affected organizations.
The list provided Bleeping included only printers that exposed the “password.html” file that is related to the password reset page of Brother printers. The expert notices that administration panel exposed by the printers also included options to manage a firmware update.
An attacker can exploit the exposed administration panel to deliver tainted firmware and take full control of the printers.
“An attacker could include spyware-like behavior in tainted firmware updates and have printers send copies of printed documents to an attacker’s server.” continues Bleeping Computer.
“In the case of private businesses and government organizations, this could expose very sensitive information.”
Organizations running Brother printers urge to check if the devices expose the administration panel by default online, and change the default password to prevent unauthorized access to the device.
(Security Affairs – Brother printers, IoT)