It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Brother printer vulnerabilities allow attackers to access printers, pivot into networks
Security researchers at Rapid7 published a report that highlights eight vulnerabilities affecting hundreds of Brother printers, scanners, and label makers. According to the researchers, “Additionally, 46 printer models from FUJIFILM Business Innovation, 5 printer models from Ricoh, 2 printer models from Toshiba Tec Corporation, and 6 models from Konica Minolta, Inc. are affected by some or all of these vulnerabilities.”
The ugliest vulnerability in the report allows a remote attacker to discover a device serial number, which can then be used to generate the default administrative password for the device. If the device is still using a default password, the attacker can reconfigure the device. This series of vulnerabilities also tees up yet more exploits, allowing an attacker to leak credentials from additional services on the network. Read more.
What you can do
- If you have a Brother printer that you connect to a Wi-Fi network, see if your model is affected here.
- While the administrative password vulnerability cannot be patched, seven of the eight vulnerabilities in this report may be patched through firmware updates. You can fix up your printer with Brother’s firmware update tool.
- This series of vulnerabilities underscores the importance of changing your device's default password instead of keeping it. This is true not only for your printer but for essentially anything you connect to your network.
- Many Brother printers can be used offline — if you have one, just plug it right into your computer’s USB port. (This is a big reason why I own one!) Unless you strictly need to connect wirelessly, keeping the device offline is also an easy move.
Updates from our team
- Meet us at SRCCON! My colleague Davis Erin Anderson will be presenting at SRCCON next Thursday. If you're planning to be there, stop by her session, “Your DIY secure comms plan,” to learn how you can build your own plan to ensure conversations with sources stay safe and secure. A free zine is included! https://2025.srccon.org/
- Are you a documentary filmmaker? Sign up for our fifth annual Digital Security Clinic for Filmmakers. This four-session virtual training course will take place once a week between July 15 and Aug 5. To participate, register here!
- Reminder for U.S.-based southern border journalists: The deadline is tomorrow! In partnership with the Centre For Investigative Journalism in the U.K., our Source Protection Program has joined forces with ACOS Alliance and the Electronic Frontier Foundation to offer two opportunities for intensive safety and security training this August for journalists covering immigration, migration, and related issues on the border. This training program is designed to strengthen the safety skills of participants and will cover digital, physical, psychosocial, and legal safety. Apply by July 3 to be considered for participation. We have two options for training dates and location: Aug. 15 in Albuquerque, New Mexico (one full day), and Aug. 18-19 in El Paso, Texas (two full days). The training is for U.S.-based journalists only. Space will be allocated according to need, training is free to participants, and limited travel grants may be available. Space is limited, so don’t wait! Apply here.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation