We have a well-equipped home office and of course, in that office, we have a combi-device – printer, scanner and a fax machine (hey, they were popular once!).
I installed Nessus Essentials to scan my network recently and it reported some issues with SNMP on the printer.
It’s not a big deal to change the settings on the printer. I got my browser ready and pointed it to the printer IP address. SNMP should be in Network Configuration – so I clicked it.
At this point, my progress stuttered. I could not remember the password at all and failed out after a number of attempts.
It was at that point it hit me. I should read. Brother, bless their cotton socks, put some helpful text into their web server to stop me calling them or searching the Internet:
Of course the default username/password of admin/access worked! I have to say that I did not install this printer and would rather have it telling me the password when I log in (around every 2 years) than change it……it is on an internal, double-NATted network so I think it’s a reasonable default to leave (there are numerous other controls in place to block access to the network).
The takeaway, of course, is to estimate what percentage of those implementing these devices on many different network are doing when they deploy the devices. I would guess 80/20 split with the 80% leaving the default credentials in place.
The username/password issue is not the worst I can see; the TCP/IP stack on the device suffers from the Ripple20 vulnerability. That’s a bunch of 2020 vulnerabilities….and the last firmware for the printer is from 2014. These things last for a long time so there must be a lot of similar machines in similar states out there. That also need patching…..if patches existed.
Having had a long, long discussion with Canon many years ago about vulnerabilities on their MFDs, I can tell you that was difficult. They sent me to the marketing department – I told my CIO that Canon printers cannot be patched due to the attitude of the company and within 2 years, there were printers from a different manufacturer.
