Up for grabs: US Government Lexmark printers (and thousands of others) exposed on the Internet with no security
We observed that more than one thousand Lexmark printers have no password. Some of these printers are connected to potentially sensitive networks, including one in the US Government.
Introduction
An enterprise network is only as secure as its weakest link. While endpoints are in many cases protected by effective antivirus or other security software, other devices connected to the network often do not receive the same level of protection. Many people know to change router passwords, but printer security is still largely neglected. We observed that more than one thousand Lexmark printers are up for grabs by attackers because they simply have no password. Some of these printers are connected to potentially sensitive networks, including one in the United States Government (Lafayette Consolidated Government).
Sorry state of Lexmark Printer security
An attacker needs only to visit the following URL, where “example.ip” is the IP address of the Lexmark printer, to perform reconnaissance (that is, to check whether the printer is secured).
example.ip/cgi-bin/dynamic/printer/config/secure/auth/security_summary.html?info=normal&referrer=main_security
Using the same URL, we can see that the printer of Lafayette Consolidated Government has no authentication.
Because of this, the attacker can simply visit hxxp://example.ip/cgi-bin/dynamic/printer/config/secure/authsetup.html and will be presented with an interface that allows them to set up a new password, overwriting previous configurations. This effectively gives the attacker control of the printer.
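For defenders, the two paths above make a simple detection signature. The following added example (not part of the original article) triages HTTP records from a network sensor for requests to those paths from outside the internal ranges; the log format, the internal ranges and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Paths taken from the article; hits on them from outside the LAN deserve review.
SUMMARY_PATH = "/cgi-bin/dynamic/printer/config/secure/auth/security_summary.html"
AUTHSETUP_PATH = "/cgi-bin/dynamic/printer/config/secure/authsetup.html"

# Constructed sample records in an assumed sensor format:
# timestamp src_ip dst_ip method uri status
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 10.0.5.20 10.0.9.15 GET /cgi-bin/dynamic/printer/config/secure/auth/security_summary.html?info=normal&referrer=main_security 200
2018-03-01T10:02:13Z 203.0.113.7 10.0.9.15 GET /cgi-bin/dynamic/printer/config/secure/auth/security_summary.html?info=normal&referrer=main_security 200
2018-03-01T10:02:40Z 203.0.113.7 10.0.9.15 GET /cgi-bin/dynamic/printer/config/secure/authsetup.html 200
2018-03-01T10:05:02Z 198.51.100.23 10.0.9.16 GET /cgi-bin/dynamic/printer/config/secure/authsetup.html 302
2018-03-01T10:06:00Z 198.51.100.23 10.0.9.16 GET /index.html 200
"""

# Assumed internal ranges; listed explicitly because ipaddress.is_private
# also counts documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(log_text):
    """Return (severity, src, dst, reason) for external hits on the admin paths."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        _ts, src, dst, _method, uri, status = parts
        path = uri.split("?", 1)[0]  # ignore the query string when matching
        if path not in (SUMMARY_PATH, AUTHSETUP_PATH) or is_internal(src):
            continue
        if status != "200":
            # The article saw password-protected devices redirect to a login page.
            findings.append(("info", src, dst, "external probe, page not served directly"))
        elif path == AUTHSETUP_PATH:
            findings.append(("high", src, dst, "authsetup.html served to external client"))
        else:
            findings.append(("medium", src, dst, "security summary served to external client"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

A "high" finding means the password setup page was delivered to an outside address, so that printer should be pulled off the Internet and have its credentials reviewed.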
This is not an exceptional case when it comes to Lexmark printers. We used custom Shodan dorks to get a list of relevant online Lexmark devices and found that out of 1,475 unique IPs, 1,123 Lexmark printers had no security. Only 352 devices (approximately 24 percent) redirected us to a login page, implying they have set up a password. The following is a country-specific graph of Lexmark printers with no authentication. The U.S. tops the list.
The above map shows the global data for the sample set we obtained via Shodan dorks. While Australia stands out on the green side (with most Lexmark printers having authentication), most other countries are on the red side of things, with most devices being “hackable.”
Conclusion
We have informed Lafayette Consolidated Government about this printer, and are reaching out to other organizations that have this security issue with Lexmark printers. Many vulnerable printers (221) belong to reputed universities. We have observed abuse of university printers in the past, and this has the potential to worsen the issue. While vulnerabilities in Lexmark and other printers have been observed before, in this case an attacker can take control of these poorly configured devices without any impressive hacking skills.
Awareness of printer security is rising. Recently, we observed the state of New Jersey issue a security alert for a similar problem discovered by NewSky Security about vulnerable Brother printers. However, there is still a long way to go in order to safeguard such poorly configured printers. In many cases, the printer is equipped with security options, but the end user doesn’t utilize them. Even Lexmark stated that “Properly configured, features supporting network security can protect Lexmark devices from unauthorized access.” User awareness as well as stricter policies by both networks and printer vendors (for example, a printer is only allowed to work if it has a strong credential set) can make these smart printers safer.
Ankit Anubhav, Principal Researcher, NewSky Security