NewSky Security Discovers More than 1,000 Misconfigured Lexmark Printers

NewSky Security researchers discovered a misconfiguration in over a thousand Lexmark printers that are accessible over the internet. These printers are used by universities, businesses and the U.S. government. The misconfiguration allows unauthorized individuals to access the printers over the internet without a password.

NewSky Security considers it gross negligence on the part of users not to configure the administrative password. Because of this lack of security, the printers are easy to attack even for people with little skill. Unauthorized individuals can remotely access and control a printer, change its password, install a backdoor and capture print jobs.

Researchers were able to find the misconfigured Lexmark printers using the search engine Shodan. They found 1,475 unique IPs, and 1,123 of the printers lack security. Only 24% of the printers redirected to a login page. An attacker without any impressive hacking skills can easily take control of these poorly configured printers. The Lafayette Consolidated Government owns one of the unsecured printers, and many of the others belong to universities. NewSky is trying to reach out to the affected organizations and alert them to the problem.

Printer security is largely neglected by many end users. This is not the first time that NewSky researchers have discovered printer misconfigurations: many Brother printers were also misconfigured in October. Other brands of internet-enabled printers are probably misconfigured as well. If your organization is buying internet-enabled printers, don’t forget to configure them correctly to keep them hidden from the public internet. Change default passwords, replacing them with strong admin passwords. Close open ports and stop unnecessary services.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA