How would you feel if your personal information, such as your ID and resume, were posted online?

Using an internet-connected multi-function printer (MFP) to scan and email important personal information has become commonplace for individuals and enterprises. Since these files should never be leaked, people transfer their data by setting zip passwords or sending a link with a limited download period, following information security policies.

In reality, however, the security of the MFP itself is often overlooked. Every multi-function printer has an admin page that may retain information on who scanned which files. A problem arises when users copy scanned files to a shared folder using the SMB protocol and fail to delete them, or leave them behind on the device after emailing them.

A major security concern is the prevalence of cases where the admin page of individual or company MFPs can be accessed without login authentication. This security blind spot not only allows anyone to access the admin page but also exposes important personal data, such as email addresses, registered in the address book. As a result, the MFP admin page has become a major target for data breaches.

Admin page of MFP

Recipient Information Page from MFP Admin Page

Vulnerabilities of MFPs Exposed on the Internet

In addition to admin pages being accessible without authentication, the problem is exacerbated by the fact that many MFPs are connected to the internet. The following is a search result for MFPs exposed on the internet, restricted to IPP (Internet Printing Protocol) on TCP port 631 only, using the port:631 filter on Criminal IP Asset Search. Despite narrowing down the scope with the port filter, 1,549,767 MFPs were found. If we were to include admin pages operating on HTTP/HTTPS ports 80 and 443, the number would be nearly incalculable.

[Criminal IP Search 101- How to Search for Exposed MFP Admin Pages]

port:631

Results when searching for exposed MFPs using the ‘port:631’ filter on Criminal IP

In addition to the IPP services exposed on TCP port 631, we also examined the admin pages of web-accessible MFPs. If you search for the keywords ApeosPort or HP Color LaserJet MFP on Criminal IP Asset Search, you can find numerous MFP admin pages that are open to the internet.

ApeosPort port: 80

Search Result with port: 80 filter and keyword “ApeosPort” on Criminal IP

HP Color LaserJet MFP

Search result with keyword “HP Color LaserJet MFP” on Criminal IP

It has been discovered that certain ApeosPort MFPs can be accessed without authentication by knowing their actual IP addresses. This allows an attacker to view the work history, address book list, and other copying, faxing, and printing information on these devices. Even with only a few keywords, it appears that there are numerous MFPs that remain defenseless against potential attacks.

Fax activity log page on HP Color LaserJet MFP admin page

List of scanned files on Fuji Xerox MFP admin page

Upon reviewing the lists of scanned files on the admin page, it has been observed that confidential documents, such as employee performance assessments, invoices, and transaction information, are exposed without any security controls. This puts the documents at risk of being accessed by unauthorized individuals and may result in leakage of sensitive information.

MFP admin page’s confidential document exposed to attack surfaces

Already Hacked/Confirmed MFP Vulnerabilities

MFPs connected to the internet and exposed as attack surface can be hacked by attackers at any time, and in reality many of these exposed MFPs have already been hacked. If you search by combining the string ‘Hacked’ with port 631 (IPP) on Criminal IP, you can find hacked MFPs. Upon connecting to the corresponding MFPs, you can see that the string in the upper left corner has been changed to ‘Hacked by XXXX.’ For reference, there is a printer hacking toolkit called PRET (Printer Exploitation Toolkit), which became infamous for hacking HP printers back in 2020.

Hacked port: 631

Search Result of hacked MFPs on Criminal IP

Admin page of a hacked MFP

Screen of PRET, a printer hacking tool, in execution

Conclusion

Businesses have been taking measures to prevent potential cyber attacks on MFPs, such as conducting security checks, raising security awareness, and deleting stored files. However, despite these efforts, many institutions and small businesses still face security issues related to MFPs. This ongoing problem of low security awareness particularly concerns small businesses and institutions, and it extends to individuals who use MFPs at home and have personal IP addresses.

Since the entry into the Information Age, there have been numerous information security policies on personal information delivery, such as using encrypted and disposable emails. However, security policies for MFPs, through which this important data passes, remain a task to be solved.

Therefore, security checks on these MFPs must be conducted, and the issue of all their functions being accessible without authentication, in particular, must be corrected as soon as possible. (It is a relief that some of the MFPs found on Criminal IP at least required login authentication to view the registration information menu.)

Additionally, since most MFPs are externally exposed without an Access Control List (ACL), it is important for businesses and institutions to conduct attack surface management regularly.
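
One way to run the regular attack surface check described above against an export of your own organization's external scan results (an added example, not code from Criminal IP or the original article). The Service record, its login_required field, and the sample data are assumptions constructed for illustration; the ports and keywords are the ones used in the searches above.

```python
from dataclasses import dataclass
# Port numbers and product keywords are the ones named in the article.
IPP_PORT, WEB_PORTS = 631, {80, 443}
MFP_KEYWORDS = ("apeosport", "hp color laserjet mfp")
IPP_EXPOSED = "IPP (TCP 631) reachable from the internet"
ADMIN_EXPOSED = "MFP admin page reachable from the internet"
NO_LOGIN = "admin page served without login authentication"
DEFACED = "banner contains 'Hacked': treat device as compromised"

@dataclass
class Service:
    ip: str
    port: int
    banner: str                  # page title or banner recorded by the scan
    login_required: bool = True  # auditor's observation for web admin pages

def classify(svc):
    """Return the findings for one externally visible service record."""
    banner = svc.banner.lower()
    findings = []
    if svc.port == IPP_PORT:
        findings.append(IPP_EXPOSED)
    if svc.port in WEB_PORTS and any(k in banner for k in MFP_KEYWORDS):
        findings.append(ADMIN_EXPOSED)
        if not svc.login_required:
            findings.append(NO_LOGIN)
    if "hacked" in banner:
        findings.append(DEFACED)
    return findings

def triage(services):
    """Group findings by IP so each device gets one remediation ticket."""
    report = {}
    for svc in services:
        for finding in classify(svc):
            report.setdefault(svc.ip, []).append(finding)
    return report

# Constructed sample export (documentation address ranges, not real hosts).
SAMPLE = [
    Service("203.0.113.10", 631, "IPP printer"),
    Service("203.0.113.10", 80, "ApeosPort", login_required=False),
    Service("198.51.100.7", 443, "HP Color LaserJet MFP"),
    Service("198.51.100.9", 631, "Hacked by XXXX"),
    Service("192.0.2.5", 443, "Company home page"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any address that appears in the report is a candidate for an ACL or firewall rule that removes the MFP from the internet-facing surface; devices flagged for missing login also need authentication enabled on the admin page.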


Source: Criminal IP