How would you feel if your personal information like ID and resume were on the internet?
Today, using an internet-connected multi-function printer (hereinafter referred to as MFP) to scan different types of important personal information and send them by email has become a norm for both individuals and enterprises. Since these files should never be leaked, people transfer their data by setting zip passwords or sending a link with a limited download period, following information security policies.
In reality, however, there are many cases where the security of the MFP itself is not concerned. In every printer, there is an admin page and it contains information on who scanned which files. Here, a problem arises as users tend to copy the scanned files to a shared folder using the SMB protocol, then not delete them, and do the same after sending them through email.
A bigger problem is that there have been a myriad of cases where the admin page can be accessed without login authentication through individual or company MFPs. Due to this, not only can anybody access your admin page, but also important personal data registered in the address book like your email. With this security blind spot, the MFPs admin page has become a major target for data breaches.

Admin page of MFP

Recipient Information Page from MFP Admin Page
Vulnerabilities of MFPs Exposed on the Internet
Besides the vulnerability of accessible admin pages without authentication, what exacerbates the problem is that these MFPs are also connected outside the Internet. The following is a search result of MFPs exposed on the internet, restricted to IPP(Internet Printer Protocol) TCP/port 631 only, using port:631 filter on Criminal IP Asset Search. Despite narrowing down the scope with the port filter, 1,549,767 MFPs were found. If we were to include admin pages operating on http/https port 80 and 443, the number would be near uncountable.
[Criminal IP Search 101- How to Search for Exposed MFP Admin Pages]

Results when searched for exposed MFPs using port:631 filter on Criminal IP
In addition to the exposed IPP protocols using TCP/port 631, we took a look at the admin page of the web-accessible MFPs. If you search for a keyword ApeosPort or HP Color LaserJet MFP on Criminal IP Asset Search, you can find numerous opened MFP admin pages on the internet.

Search Result with port: 80 filter and keyword “ApeosPort” on Criminal IP
Search result with keyword “HP Color LaserJet MFP” on Criminal IP
When accessed to the searched actual IP addresses, however, some ApeosPort MFPs can be accessed without authentication, and you can even check the work history like copying, faxing, and printing, as well as the address book list. Despite searched for certain products with a few keywords, we can see that myriads of MFPs are exposed to attack surfaces defenseless.

Fax activity log page on HP Color LaserJet MFP admin page

List of scanned files on Fuji Xerox MFP admin page
Looking into the lists of scanned files on the admin page, we can see that confidential documents such as employee’s performance assessment, invoice, and transaction information are exposed without any security controls, leading to possible leakage to unauthorized outsiders.

MFP admin page’s confidential document exposed to attack surfaces
Already Hacked/Confirmed MFP Vulnerabilities
MFPs connected to the internet and exposed to attack surfaces can be hacked by attackers at any time and in reality, many servers among these exposed MFPs are already hacked. If you search by combining the string ‘Hacked’ and port 631(IPP) on Criminal IP, you can find hacked MFPs. Upon connecting to the corresponding MFPs, you can see that the string on the upper left corner is changed to ‘Hacked by XXXX.’ For your information, there is a printer hacking toolkit called PRET(Printer Exploitation Toolkit) which became infamous for hacking HP printers back in 2020.
Search Result of hacked MFPs on Criminal IP
Admin page of a hacked MFP

Screen of PRET, a printer hacking tool, in execution
Conclusion
Businesses have been putting efforts into preventing possible cyber attacks on MFPs by conducting security checks and security awareness campaigns, and deleting stored files. Despite the endeavors, many of them, mostly institutions and small businesses, continue to suffer from the same security issues. This ongoing issue of decreased security awareness of MFPs is expected to be more fatal to small businesses and institutions. (This issue goes as far as to individuals who are expected to have home IP addresses)
Since the entry into the Information Age, there have been numerous information security policies on personal information delivery, such as using encrypted and disposable emails. However, security policies on MFPs, where these important data are through, remain a task to be solved.
Therefore, security checks on these MFPs must be conducted and the issue of their entire functions being accessible without authentication, in particular, must be corrected as soon as possible. (It is a relief that some of the MFPs found on Criminal IP at least required login authentication to view the registration information menu.)
Additionally, considering that most MFPs are externally exposed without ACL(Access Control List), all businesses and institutions should execute attack surface management on a regular basis.
Source: Criminal IP[/fusion_text][/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]
[…] Read more… […]
[…] If you want to know more about open port vulnerabilities, you can also read Criminal IP Analysis Report on Overlooked Multi-Function Printer Vulberability. […]
[…] refer to our ‘Criminal IP Analysis Report on Overlooked Multi-Function Printer Vulnerability’ article […]