How would you feel if your personal information, such as your ID and resume, were posted online?
Using an internet-connected multi-function printer (MFP) to scan and email important personal information has become commonplace for individuals and enterprises. Since these files should never be leaked, people transfer their data by setting zip passwords or sending a link with a limited download period, following information security policies.
In reality, however, there are many cases where the security of the MFP itself is not considered. Every multi-function printer has an admin page that may retain information on who scanned which files. A problem arises here because users sometimes copy scanned files to a shared folder over the SMB protocol and fail to delete them, or leave them behind after emailing them.
A major security concern is the prevalence of cases where the admin page of individual or company MFPs can be accessed without login authentication. This security blind spot not only allows anyone to access the admin page but also exposes important personal data, such as email addresses, registered in the address book. As a result, the MFP admin page has become a major target for data breaches.
Vulnerabilities of MFPs Exposed on the Internet
In addition to admin pages being accessible without authentication, the problem is exacerbated by the fact that many MFPs are connected to the internet. The following is a search result of MFPs exposed on the internet, restricted to IPP (Internet Printing Protocol) on TCP port 631 only, using the port:631 filter on Criminal IP Asset Search. Despite narrowing down the scope with the port filter, 1,549,767 MFPs were found. If we were to include admin pages operating on HTTP/HTTPS ports 80 and 443, the number would be nearly incalculable.
[Criminal IP Search 101- How to Search for Exposed MFP Admin Pages]
In addition to IPP services exposed on TCP port 631, we also examined the admin pages of web-accessible MFPs. If you search for the keywords ApeosPort or HP Color LaserJet MFP on Criminal IP Asset Search, you can find numerous MFP admin pages that have been opened to the internet.
It has been discovered that certain ApeosPort MFPs can be accessed without authentication by knowing their actual IP addresses. This allows an attacker to view the work history, address book list, and other copying, faxing, and printing information on these devices. Even with only a few keywords, it appears that there are numerous MFPs that remain defenseless against potential attacks.
Upon reviewing the lists of scanned files on the admin page, it has been observed that confidential documents, such as employee performance assessments, invoices, and transaction information, are exposed without any security controls. This puts the documents at risk of being accessed by unauthorized individuals and may result in leakage of sensitive information.
Already Hacked/Confirmed MFP Vulnerabilities
MFPs that are connected to the internet and form part of the exposed attack surface can be hacked at any time, and in reality many of these exposed MFPs have already been hacked. If you search Criminal IP by combining the string ‘Hacked’ with port 631 (IPP), you can find hacked MFPs. Upon connecting to these MFPs, you can see that the string in the upper left corner has been changed to ‘Hacked by XXXX.’ For reference, there is a printer hacking toolkit called PRET (Printer Exploitation Toolkit), which became infamous for hacking HP printers back in 2020.
Businesses have been taking measures to prevent potential cyber attacks on MFPs, such as conducting security checks, raising security awareness, and deleting stored files. However, despite these efforts, many institutions and small businesses still face security issues related to MFPs. This ongoing problem of decreased security awareness particularly concerns small businesses and institutions, and it extends to individuals who use MFPs at home and have personal IP addresses.
Since the start of the Information Age, there have been numerous information security policies on the delivery of personal information, such as using encrypted and disposable emails. However, security policies for the MFPs through which this important data passes remain a task to be solved.
Therefore, security checks on these MFPs must be conducted and the issue of their entire functions being accessible without authentication, in particular, must be corrected as soon as possible. (It is a relief that some of the MFPs found on Criminal IP at least required login authentication to view the registration information menu.)
Additionally, since most MFPs are externally exposed without an Access Control List (ACL), it is important for businesses and institutions to conduct attack surface management regularly.
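As an added example (not from Criminal IP or the original article), the checks called for above can be run against an organization's own MFP inventory: missing or overly broad ACLs on ports 631, 80 and 443, admin pages without login, and scanned files left on the device. The inventory record format, field names and device names are assumptions constructed for illustration.

```python
import ipaddress

# Ports named in the article: IPP on 631, admin pages on HTTP/HTTPS 80 and 443.
MFP_PORTS = {80: "HTTP admin", 443: "HTTPS admin", 631: "IPP"}
# Assumption: "internal" means the RFC 1918 private ranges.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(cidr):
    """True only if the whole CIDR lies inside an internal range.
    subnet_of is used so a wide range such as 0.0.0.0/0 never counts."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL)

def audit_device(dev):
    """Return a list of findings for one (hypothetical) inventory record."""
    findings = []
    ports = sorted(p for p in dev.get("open_ports", []) if p in MFP_PORTS)
    acl = dev.get("acl_allow", [])
    if ports and not acl:
        findings.append(f"no ACL on ports {ports}")
    else:
        wide = [c for c in acl if not is_internal(c)]
        if ports and wide:
            findings.append(f"ACL allows non-internal sources {wide}")
    if not dev.get("admin_login_required", False):
        findings.append("admin page has no login")
    if dev.get("stored_scans", 0) > 0:
        findings.append(f"{dev['stored_scans']} scanned files left on device")
    return findings

def audit(inventory):
    """Map device name -> findings, listing only devices that need action."""
    report = {d["name"]: audit_device(d) for d in inventory}
    return {name: f for name, f in report.items() if f}

# Constructed sample inventory; every value here is made up for the example.
INVENTORY = [
    {"name": "mfp-lobby", "open_ports": [80, 631], "acl_allow": [],
     "admin_login_required": False, "stored_scans": 12},
    {"name": "mfp-hr", "open_ports": [443, 631], "acl_allow": ["0.0.0.0/0"],
     "admin_login_required": True, "stored_scans": 0},
    {"name": "mfp-finance", "open_ports": [443, 631],
     "acl_allow": ["10.20.0.0/16", "192.168.5.0/24"],
     "admin_login_required": True, "stored_scans": 0},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```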
Source: Criminal IP