While adding a scan destination to one of my customer’s printers on their LAN I was astonished to find it didn’t require any authentication to view the address book and status page of the printer.
This took me on a rabbit hole of not actually doing the work I was supposed to but instead.. searching for similar printers that have been connected to the wider internet for no reason.
The biggest culprit I can find are Kyocera printers…
A simple Google Search for “Host Name” “Last Updated” “Auto-refresh” 2015 (modify the year to be the current year!) brings up hundreds of the things. (Adding the current year to the end means you only get ones that Google has seen recently and also weeds out a lot of other documents containing similar terms, such as instruction manuals).
Most seemed to even have windows file sharing open so printing to \\ip.address\lp1 is trivial.
I expect many also have their admin password as default.
What worries me is the leak of e-mail addresses from the web interface along with the type of printer. It would be trivial for someone to scrape all the addresses open on the internet and craft “scan from your printer” emails along with very accurate details such as the correct model of printer, name of the printer, IP of it etc.. to trick people into opening malicious attachments.
A direct request to /basic/AddrBook_Addr_NewCntct_Prpty.htm?arg1=1&arg2=0&arg3=&arg4=1&arg5=1&arg6=1 on the printer IP (+1 to the arg variables to go higher up in the address book) returns a page with the address book entry name and email address and, if entered on the printer, samba details!
Another search term (possibly overlaps my original search above)
A few SHARP printers open to the internet.. Not sure why there is a huge difference in the number of these type being open to the internet, possibly the Kyocera are cheaper devices so there are more of them?