Several hundred different Brother printer models have unpatchable vulnerability

[thewayne]

Well.

What's going on is slightly complicated, and not necessarily a big deal, depending. There are eight flaws found in Brother systems, and they all boil down to one fairly serious vulnerability. A flaw was discovered in how Brother generates the default system administrator password based on the serial number of the printer: if the serial number of the printer is known, you can reverse engineer the password. And here's the problem: if you have not changed that password, THEN you are vulnerable to all sorts of potential mischief! And that's where all the other flaws come into play.

Now, if you changed the default password when you installed your printer, then you're fine. Nothing to worry about. Everything's great. If you didn't, then you need to change it ASAP and patch your printer right now!

This flaw also affects 59 printer models from Fujifilm, Toshiba, Ricoh, and Konica Minolta. I'm assuming they use either Brother engines or the same algorithm for generating admin passwords.

The flaw affects 689 printers, the article provides a link with all of the models listed. Since the default password was built into the printer's read-only memory, it can't be patched. Brother is changing the way they generate the password. But again, if you've changed the default password, you're good. The other flaws are patchable, I don't know if patches are out yet but I'm sure they will be available soon if not already.

https://www.theverge.com/news/694877/brother-printers-security-flaw-password-vulnerability

Comments

[warriorsavant]

The fact that a printer needs a password is a flaw in and of itself. Plug the thing in, let it work. Wireless usually screws up without any flaws. It's an example of a simple technology that's been serious screwed up by making it complex for no reason. Well, I suppose the reason has to do with selling your data, and selling aftermarket items like over-priced ink cartridges.

[dewline]

Yeah. I'd agree with all of this.

[thewayne]

I can't disagree with you on one hand, it would be nice if printers didn't need lots of configuration options and could just be 'plug in and forget about it'.  The problem is that if they're connected to a business network, they can be used as a launch point to infiltrate the network for nefarious purposes - and have been used as such.  So the administrative interface needs a password, just like your router does, because so many printers these days support wireless printing.

[devilc]

FFFFFFFFFFF!

[tfcocs]

Thanks for the link. I am a fan of Brother laser printers, so this will make for some interesting reading.

[thewayne]

I'm quite a fan of them, too, and this will not dissuade me from using them or recommending them.  They're still leagues above HP for being customer friendly.

[disneydream06]

Well, HP printers suck and now Brother.
Are there any good/safe ones out there? :o :o :o
Hugs, Jon

[thewayne]

It's not a problem if you changed the password, and just like a wireless router, you should have changed it on setup.  I'm still a supporter of Brother and wouldn't hesitate to buy one.

[delibby]

I'm pretty sure I didn't change a password on my printer. But since I can't currently get it connected to the wifi and have to carry a computer to it and plug in a cable, I'm guessing I'm pretty safe.

I keep thinking I should boot into Windows and fight my way through, I just haven't cared enough to do it. the printer is 9 years old, but still prints perfectly.

[thewayne]

If it's not networked via WiFi or Ethernet, it's safe.  My Samsung laser is supposed to support WiFi, but I lost the CD, and HP gobbled up Samsung's printer division so support for it does not exist.  So I'm doing like you: most of the time it was plugged into my iMac, currently the cable is just loose to be plugged into our laptops (with an adapter as our laptops are now USB-C rather than USB-A).  My next printer will be WiFi, definitely.  Probably a Brother multifunction color laser.  About $400 at Best Buy.  My Samsung is close to your age, it's on its second toner cartridge.

[silveradept]

This particular flaw could have quite the issue, if we find out that a lot of us haven't changed passwords from the default. Something I do wonder, though, is why manufacturers of devices with default passwords aren't required to have some routine run upon first boot and login, and after every factory reset, that requires the default password to be changed. If you don't give the user the choice to leave the defaults, then it seems like security on the devices improves greatly.,

[thewayne]

The same problem exists for WiFi routers: many don't force changing the admin password on initial startup, someone figures out the generation algo, and instant bot army.  Part of the problem goes back to the '70s and the premise that the DARPAnet was built upon: trust.  They never saw that bad guys would abuse the system the way it has been.  And part of it is sheer laziness or lack of skill or management backing ("Must ship NOW!").

[silveradept]

I would much rather have that Internet that ran on trust and that routinely found ways of excluding people who break the trust than what we have now, but since we don't have that, it seems important that we manage those things accordingly and make sure that if there's a weak password, it's there because the user chose it instead of because it's the default. (And then keep working diligently to make it possible for even weak passwords to exist safely.)

[thewayne]

I have weak passwords, but I use them on web sites of trivial value.  For sites that need strong passwords, they get them, and those passwords never get used on multiple sites.  I really hate these emails that I get from "monitoring services" telling me that the password for my main email account has been compromised because they never tell you what site it was for.  I'm not going to go around changing all of my passwords because it was invariably the weak one that was found.