Researchers at NCC Group have uncovered 35 “significant” vulnerabilities in models from six popular enterprise printer brands.
The risk mitigation consultancy tested kit produced by HP, Ricoh, Xerox, Lexmark, Kyocera and Brother – with security advisories for each published as of today.
It claimed to have been able to find the flaws using “basic tools,” some of which date back 30-40 years. The firm added that some bugs were uncovered within mere minutes.
The flaws include buffer overflows, cross-site scripting, denial of service, information disclosure and other bugs, as well as hard-coded credentials and broken access controls.
All of the vulnerabilities discovered have now been patched or are in the process of being fixed, and system administrators are urged to update the affected models to the latest firmware.
“Because printers have been around for decades, they’re not typically regarded as enterprise IoT, yet they are embedded devices that connect to sensitive corporate networks, and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT,” argued Matt Lewis, research director at NCC Group.
“Building security into the development lifecycle would mitigate most, if not all, of these vulnerabilities. It’s therefore important that manufacturers continue to invest in and improve cybersecurity, including secure development training and carrying out thorough security assessments of all devices.”
Lewis added that corporate IT can also improve the resilience of any connected devices in the organization by making small changes such as altering default settings, developing and enforcing secure printer configuration guides and, of course, applying regular firmware updates.
Last year, researchers found two vulnerabilities in HP all-in-one printers that could enable hackers to attack corporate networks simply by sending a specially crafted fax.