Networked Printers are Some of the Oldest IoT Devices, and over 1,000 Lexmark Printers Are Vulnerable Today
Pierluigi Paganini
December 19, 2017
Experts at NewSky Security scanned the Internet and discovered that “out of 1,475 unique IPs, 1,123 Lexmark printers had no security.”
We think of the Internet of Things (IoT) as all the “new” devices added to networks, like webcams, Internet-connected toys, smart home devices, etc. But we have been connecting unattended things to networks for a very long time, with office printers being some of the earliest. With new IoT threats emerging every day, network-connected printers are once again increasing cyber risk for organizations. This week we learn that more than one thousand Lexmark printers are connected to the Internet with no security.
NewSky Security performed a search for Internet-connected Lexmark printers through the search engine for the Internet of Things, Shodan. They were able to determine that “out of 1,475 unique IPs, 1,123 Lexmark printers had no security.”
That means that anyone on the Internet can access the printer’s admin setup at hxxp://example.ip/cgi-bin/dynamic/printer/config/secure/authsetup.html, where example.ip is the IP address of the printer as identified in Shodan. Once at this page, the visitor can set up a new password and proceed to reconfigure the printer as they wish.
You might wonder what is going on here. Why are printers added to networks with no security? This is the same situation that leads to every IoT compromise and things like the Mirai botnet. Vendors make it simple to get their equipment up and running. In most cases, it is plugged into the network and it starts working.
If the person performing the installation is satisfied with the minimum requirements, their work is complete.
Anticipating that some users will want to configure their devices once they are on the network, vendors allow remote access through common web interfaces.
Without a firewall between the device and the Internet, anyone with a web browser can access the admin pages. We have seen this same scenario played out on webcams, routers, DVRs, and now Lexmark printers.
NewSky Security determined that at least one of the insecure Lexmark printers was in use by Lafayette Consolidated Government and several others are in use by universities. They also identified vulnerable Lexmark printers in many different countries, with the majority in the United States.
The problem isn’t with IoT devices in general or Lexmark printers specifically. As long as the devices can be secured, the vendors are doing the right thing. It is up to users to understand the implications of installing equipment on Internet-connected networks and to take the appropriate steps to secure that equipment. There is rarely a reason for a physical device like a printer to be accessible directly from the Internet. A firewall takes care of the basics; after that, make sure you change default passwords. It isn’t difficult to secure these devices, but it takes a little more than plugging them in and turning them on.
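One way to check perimeter logs for the exposure described above, as an added example that is not from the article or from NewSky Security: it flags requests that reach the printer admin path quoted earlier from outside the internal address ranges. The log format, the addresses and the function names are constructed for illustration, and reading HTTP 200 as "served with no credential prompt" is an assumption.

```python
import ipaddress
from collections import defaultdict

# Path prefix of the admin pages quoted in the article.
ADMIN_PREFIX = "/cgi-bin/dynamic/printer/config/secure/"
# Assumption: these ranges are "inside"; adjust to the real network plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a hypothetical format: time src dst method path status
SAMPLE_LOG = """\
2017-12-19T09:00:01Z 10.0.4.17 10.0.9.20 GET /cgi-bin/dynamic/printer/config/secure/authsetup.html 200
2017-12-19T09:02:44Z 198.51.100.23 10.0.9.20 GET /cgi-bin/dynamic/printer/config/secure/authsetup.html 200
2017-12-19T09:02:51Z 198.51.100.23 10.0.9.20 POST /cgi-bin/dynamic/printer/config/secure/authsetup.html 200
2017-12-19T09:05:10Z 203.0.113.9 10.0.9.21 GET /cgi-bin/dynamic/printer/config/secure/authsetup.html 401
2017-12-19T09:06:00Z 203.0.113.9 10.0.9.21 GET /index.html 200
this line is malformed
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk input
    return any(ip in net for net in INTERNAL_NETS)

def find_external_admin_access(log_text):
    """Map printer IP -> sorted (src, method, status) for admin-page requests
    that arrived from outside INTERNAL_NETS."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line: skip rather than guess
        _, src, dst, method, path, status = parts
        try:
            if is_internal(src) or not path.startswith(ADMIN_PREFIX):
                continue
            code = int(status)
        except ValueError:
            continue  # unparsable address or status code
        findings[dst].add((src, method, code))
    return {dst: sorted(hits) for dst, hits in findings.items()}

def served_without_challenge(findings):
    """Printers that answered an external admin request with HTTP 200.
    Assumption: 200 means the page was served with no credential prompt."""
    return sorted(d for d, hits in findings.items()
                  if any(status == 200 for _, _, status in hits))

if __name__ == "__main__":
    found = find_external_admin_access(SAMPLE_LOG)
    print(found, served_without_challenge(found))
```

Any printer that appears in the result at all is reachable from outside and belongs behind the firewall; the ones returned by `served_without_challenge` also need a password set first.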
About the author: Steve Biswanger has over 20 years of experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company, and sits on the Board of Directors for the (ISC)2 Alberta Chapter.