In the name of simplicity, it seems like every device is “Web Enabled” now. But the question is, where is the security? I was always stunned on how many Printers you can find completely open on the web through Shodan. I never understood why, until now.
I was setting up a brand new “web enabled” printer. It went great, the quick start guide walked me through installing the ink cartridges, had a great video on connecting the paper trays to the printer and how to correctly insert paper.
It even walked me through turning on networking and getting it connected to my Wireless network.
In no time I was up and running!
It wanted to turn on printing from the internet, it got an e-mail address from the web all by itself and then wanted to turn on additional apps. It was so helpful!
But then I wondered, how is this thing secured?!?
So, I surf to the IP address that the printer was assigned and it had a beautiful web control interface for the printer. That was completely unsecured…
I dug through the menus and finally found the option to turn Web Based security to “On” and put in an administrator password. It informed me that it would not block internet users from seeing everything, but would limit them informational pages only.
Then I realized, it never prompted me to turn control panel security on, and never asked me for a password. So I dug through the included manual (instead of just browsing the quick start guide) thinking I missed something.
Everything was in the manual, including troubleshooting network connectivity. But nowhere did it mention turning security on or how to even do it!
It’s just a printer you say – But printers can leak some very important information, like internal network settings, logs, files and in some cases, even user accounts.
And a few quick keyword searched on Shodan turns up Tens of thousands of insecure printers.
Last month the author of “Shodan Blog” wrote a great article on printers bleeding information publicly.
Titled, “I know You Need Toner“, it lists the printers worldwide that currently are in need of toner:
It also shows the number of printers that need toner by country, and a list of the top organizations that need to change their toner.
Cute, I know, but it should really be a warning to people about what information is being bled publicly through the horde of web enabled devices that we are putting throughout our organizations.
It took several years, but most router manufacturers now ship new routers with some level of security turned on. It looks like other web enabled devices (like printers) need to start doing this too!