Security lapse exposes hundreds of Brother printers

Oct 11, 2017

Backend panels and password reset functions were left accessible over the Internet.

Nearly 700 Brother printers were found to have been left exposed online, inadvertently offering full access to their administration panel over the Internet. Ankit Anubhav, Principal Researcher at NewSky Security, discovered the security breach, which also exposed the password reset functions to any would-be attacker who knew where to look.

The breach has affected multiple models in the company’s range, including the DCP-9020CDW and MFC-L2700DW. Catalin Cimpanu, of the website Bleeping Computer, speculates that one potential cause is Brother’s shipping of the printers without an admin password. This would lead many organisations to connect the printers to their networks, unaware that the admin panel was wide open to connections. This error has the potential to cause significant downtime for the organisations using the printers (which include universities and what appear to be government networks) by allowing an attacker to change the printers’ passwords remotely.

On some of the affected printers, the panels also included options to verify and trigger a firmware update, leaving them vulnerable to attackers who would normally be restricted from accessing the admin panel. This is particularly concerning in the case of the printers being used by private businesses and governmental organisations, as it would theoretically be simple for attackers to install spyware inside a firmware update, and thus access highly sensitive information.

The list of affected printers has been passed to Victor Gevers, chairman of the GDI Foundation, which specialises in notifying organisations affected by malware, vulnerabilities and other cyber threats. Mr. Gevers has pledged to inform as many affected organisations as possible. In the meantime, organisations running Brother printers should verify whether their printer exposes the admin panel online by default, and set a custom password to prevent unauthorised access to their device.
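The check recommended above can be scripted for an organisation's own printer inventory. The following is an added example, not code from the article or from Brother: it requests the web interface of each listed printer and classifies the panel as "open" (page served with no credential challenge), "protected" (HTTP 401/403 or a redirect to a login page) or "unreachable". It assumes the panel is served over plain HTTP on the printer's LAN address, and it stands up two small local HTTP servers that simulate an unprotected and a password-protected panel so it runs offline; the hostnames, ports and page contents are constructed for the demonstration.

```python
"""Audit printer web-admin panels for missing authentication.

Added example (not Brother's or the article's code). Assumptions:
  * the admin panel is plain HTTP on the printer's LAN address;
  * a properly secured panel answers 401/403 or redirects to a login page;
  * a panel that serves its page straight away with HTTP 200 has no password.
"""
import http.server
import threading
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx to a login page is itself the signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def check_admin_panel(host, port=80, path="/", timeout=3):
    """Return 'open', 'protected' or 'unreachable' for one printer panel."""
    url = f"http://{host}:{port}{path}"
    req = urllib.request.Request(url, headers={"User-Agent": "printer-audit/0.1"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            # Served the page without any challenge: the panel has no password.
            return "open" if resp.status == 200 else "protected"
    except urllib.error.HTTPError as err:
        if err.code in (401, 403) or 300 <= err.code < 400:
            return "protected"          # auth challenge or login redirect
        return "protected"              # any other HTTP error is not an open panel
    except (urllib.error.URLError, OSError):
        return "unreachable"            # refused, timed out, no route


def audit_printers(targets):
    """targets: iterable of (host, port). Returns {(host, port): status}."""
    return {(h, p): check_admin_panel(h, p) for h, p in targets}


# --- Local simulators so the example runs offline (constructed, not real printers) ---
class _OpenPanel(http.server.BaseHTTPRequestHandler):
    """Mimics a panel that shows its configuration page to anyone."""

    def do_GET(self):
        body = b"<html><title>Network Configuration</title><body>Admin</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class _ProtectedPanel(http.server.BaseHTTPRequestHandler):
    """Mimics a panel that demands a password before showing anything."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="printer"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def serve(handler):
    """Start a simulator on an ephemeral localhost port; caller shuts it down."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    open_srv, prot_srv = serve(_OpenPanel), serve(_ProtectedPanel)
    targets = [("127.0.0.1", open_srv.server_port), ("127.0.0.1", prot_srv.server_port)]
    for (host, port), status in audit_printers(targets).items():
        print(f"{host}:{port} -> {status}")
    for srv in (open_srv, prot_srv):
        srv.shutdown()
        srv.server_close()
```

In real use, replace the simulated targets with the printers' LAN addresses and run the script from inside the network; any host reported as "open" should have an administrator password set immediately. Running the same check from an external vantage point shows whether the panel is also reachable from the Internet, which is the exposure the article describes.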
