Research Shows Many Customers Neglect to Set Printer Passwords, Making them Vulnerable to Hacking
NewSky Security, which markets IT security products, recently published a blog post claiming that some thousand Lexmark printers are exposed on the Internet with no security, because customers failed to set an admin password for the printers.
NewSky Security points out that printer security is still largely neglected. It says that with its research on the Lexmark printers, an attacker needs only to visit a particular IP address to check, as a reconnaissance step, whether the printer is secured. If the admin password is not set or remains the default from the factory, hackers can easily access the configuration settings and set up a new admin password to gain total control of the printer.
NewSky Security researchers say that out of 1,475 unique IPs, 1,123 Lexmark printers had no security, and only 352 devices (approximately 24 percent) redirected them to a login page, implying that they have a password. Among the vulnerable Lexmark printers they detected, the United States topped the list of countries with Lexmark printers configured without a password.
Threatpost subsequently reached out to Lexmark, which stated:
“At Lexmark, we take device security very seriously. We provide customers with a strong set of security capabilities in every device, right out of the box. Unlike many print providers, these features carry no additional cost and help to securely build a bridge between digital and hardcopy information.
A basic security practice is to password protect any networked device. Printers and MFPs are no exception. We do not set a default password out of the box to prevent having an accessible common credential. We have found that shipping devices with a default or pre-assigned password presents more risk than allowing customers to create their own strong, unique password. Our devices are easily configurable to require a PIN or password for access.
Ports on Lexmark devices are ‘on’ by default to allow for easy installation. We document the network port security on our devices and encourage customers to disable any port that is not in use. Lexmark includes a detailed overview of standard protocols and their uses to enable customers to adjust their settings with confidence.”
NewSky Security’s research shows that users – particularly in the United States – still don’t take printer security seriously. It’s critical when setting up a new printer, copier/MFP, or All-in-One to set a new password and log-in credentials, and this certainly isn’t unique to Lexmark printers.
At Wirth Consulting we’ve handled many different printer configurations. Certain printers are shipped with default factory admin passwords, while others vary them by model. If you can’t find the default password in the documentation, you can easily find it with a quick search for “default admin password for BigPrint iXYZ printer.” Once you’re into the configuration page, more often than not you simply note the admin password and configure the printer, and don’t bother changing the default password. The attitude quickly becomes “I got it printing, so now I’m good to go.”
We also agree with Lexmark that a default factory password enables a false sense of security – because the default password can usually be found online and users sometimes don’t change it – and that printer admins should religiously set a sufficiently hardened admin password on all of their printers.