Employees of ‘WeWork,’ the shared workspace real estate company, have demonstrated the number one problem with IoT security: the users themselves. As TechCrunch details in a report, the password that an employee at a WeWork office in London had set for the printer was “9999.” That’s a four-digit password that’s easy to guess and ridiculously quick to brute-force, but one would need to know the username too. In this case, that was also “9999,” so the circle of insecurity was complete.
This account was actually used and shared among various high-ranking WeWork employees, like community managers, location managers, etc. These employees would use the account to print documents for themselves or for office visitors who didn’t have their own accounts. Thus, not only were the credentials very weak, but the practice of sharing them was also extremely improper.
The discovery was made by a customer of WeWork, Jake Elsley, who noticed that an employee of the company had left the account logged in. While he couldn’t access the contents of the documents that had been sent to print, he could read the filenames. Additionally, he could access the printing web portal and fiddle with the pending print jobs.
After the story came to light, WeWork immediately changed the password and initiated an investigation to prevent such incidents in the future. However, the incident indicates the level of caution that most people care to maintain when it comes to IoT security. The WeWork employees who set the credentials and used the printer account on a daily basis have illustrated this indifference in the clearest possible way.
In August 2020, a team of researchers hijacked 28,000 printers in an effort to raise awareness of printer security. As they said, the total number of unsecured printers connected to the internet was around 447,000, so they only hacked a sample of that. Merely searching on the Shodan engine and using an automated take-over script enables people to send whatever message they want, even entirely comical things like urging people to subscribe to specific YouTube channels.
Using a strong password for accessing your printer should be the first step in securing the device. Other measures include applying firmware and driver updates, setting up a firewall that prevents remote access, and setting the printer to accept requests only through specific ports that are known to be safe.