Millions of Brother Printers Are Full of Hackable Bugs

Brother makes some solid, reliable printers. Indeed, for several years running, The Verge named it the best printer you should buy. Unfortunately, the company’s devices appear to be riddled with new zero-day bugs that could allow a savvy cybercriminal to hijack them.

The vulnerabilities were discovered by cybersecurity firm Rapid7, which published a blog about the bugs last week. The blog explains that, after some research, Rapid7’s cyber pros came across a total of eight new zero-day vulnerabilities in the machines. The vulnerabilities are all different, though there is one that is pretty bad. CVE-2024-51978 is an authentication bypass vulnerability that could allow a hacker to nab the printer’s password. Researchers break it down like so:

A remote unauthenticated attacker can leak the target device’s serial number through one of several means, and in turn generate the target device’s default administrator password. This is due to the discovery of the default password generation procedure used by Brother devices. This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device’s unique serial number, during the manufacturing process. Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models.

Researchers originally contacted Brother Industries last year, and the printing company and security researchers have been in touch since then, working to mitigate the issues. The bugs are also impacting several other printer brands, including Fujifilm, Ricoh, Toshiba, and Konica Minolta, according to researchers.

Dark Reading notes that millions of devices appear to be impacted. Luckily, researchers note that there is no evidence that the bugs are being exploited in the wild. Brother has also issued patches for the vulnerabilities.

In addition to installing patches, users are also encouraged to change their default administrator password. That should stop the bad bug, CVE-2024-51978, which would have allowed an intruder to hijack the machine. If you don’t do that, researchers warn that an attacker could “use this default administrator password to either reconfigure the target device, or access functionality only intended for authenticated users.”

Gizmodo reached out to Brother Industries for more information. In a statement shared Wednesday, the company said: “Brother would like to thank Rapid7 for their efforts in discovering the issues. We have informed our customers about the mitigation on our website.”