Research Shows Many Customers Neglect to Set Printer Passwords, Making them Vulnerable to Hacking

NewSky Security, which markets IT security products, recently published a blog post claiming that roughly a thousand Lexmark printers are exposed on the Internet with no security – because customers never set an admin password for the printers.

NewSky Security points out that printer security is still largely neglected. According to its research on the Lexmark printers, an attacker needs only to visit a particular IP address to check whether the printer is secured or not. If the admin password is not set, or is still the factory default, hackers can easily access the configuration settings and set a new admin password of their own to gain total control of the printer.

In this case the configuration settings for a printer at Lafayette Consolidate – a town in Louisiana – have no authentication configured, so hackers could easily set or change its authentication settings and “own” the printer.

NewSky Security researchers say that out of 1,475 unique IPs, 1,123 Lexmark printers had no security, and only 352 devices (approximately 24 percent) redirected them to a login page, implying that a password was set. Among the vulnerable Lexmark printers they detected, the United States topped the list of countries with printers configured without a password.

Threatpost subsequently reached out to Lexmark, which stated:

“At Lexmark, we take device security very seriously. We provide customers with a strong set of security capabilities in every device, right out of the box. Unlike many print providers, these features carry no additional cost and help to securely build a bridge between digital and hardcopy information.

A basic security practice is to password protect any networked device. Printers and MFPs are no exception. We do not set a default password out of the box to prevent having an accessible common credential. We have found that shipping devices with a default or pre-assigned password presents more risk than allowing customers to create their own strong, unique password. Our devices are easily configurable to require a PIN or password for access.

Ports on Lexmark devices are ‘on’ by default to allow for easy installation. We document the network port security on our devices and encourage customers to disable any port that is not in use. Lexmark includes a detailed overview of standard protocols and their uses to enable customers to adjust their settings with confidence.”

Our Take

NewSky Security’s research shows that users – particularly in the United States – still don’t take printer security seriously. When setting up a new printer, copier/MFP, or All-in-One, it’s critical to set a new password and login credentials, and this certainly isn’t unique to Lexmark printers.

At Wirth Consulting we’ve handled many different printer configurations. Certain printers are shipped with default factory admin passwords, while others vary them by model. If you can’t find the default password in the documentation, you can easily find it with a quick search for “default admin password for BigPrint iXYZ printer.” Once you’re into the configuration page, more often than not you simply note the admin password, configure the printer, and don’t bother changing the default password. The attitude quickly becomes “I got it printing, so now I’m good to go.”

We also agree with Lexmark that a default factory password creates a false sense of security – because the default password can usually be found online and users sometimes don’t change it – and that printer admins should religiously set a sufficiently hardened admin password on all of their printers.