Standards nerd and technology enthusiast, Terence Eden, has analyzed the Brother printers' default password scandal in light of the UK computer security legislation.
So, to recap. The law says an Internet-connected device (including printers) must have a password which is not "based on or derived from publicly available information". As I understand it, having a serial-number based password is OK as long as you don't publicise the serial number. I expect that if it were printed on a sticker that would be fine. But because the serial can be discovered remotely, it fails at this point.
The UK law in question is The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023. Brother might also have crossed the line in California, which had already outlawed default passwords from 2020 onward.
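To make the rule concrete, here is an added example (not from Eden's post or the Regulations) of the kind of pre-ship audit a manufacturer could run over a product line: it flags a factory password that is shared, incremental, or visibly built from an identifier the device hands out on the network, and contrasts it with a randomly provisioned per-device secret. The fleet records, serials and MAC addresses are constructed sample data.

```python
import re
import secrets
from collections import Counter

# Identifiers the device reveals to an unauthenticated network peer (the article's
# point: a serial number that can be read remotely counts as public information).
EXPOSED = ("serial", "mac")

def derived_from_exposed(password, device):
    """Return the exposed identifier the password visibly reuses (verbatim, reversed
    or its last six characters), else None. An undisclosed hash of the serial would
    slip through, which is why the uniqueness checks in audit_fleet() matter more."""
    p = password.lower()
    for name in EXPOSED:
        v = device[name].lower().replace(":", "")
        if v in p or v[::-1] in p or v[-6:] in p:
            return name
    return None

def audit_fleet(devices):
    """devices: list of {serial, mac, password} records for one product line.
    Returns {serial: [findings]}; an empty list means no policy failure was found."""
    counts = Counter(d["password"] for d in devices)
    digits = [re.sub(r"\D", "", d["password"]) for d in devices]
    # Passwords whose numeric parts form a run of consecutive integers are a counter.
    incremental = (len(devices) > 1 and all(digits) and
                   [int(n) for n in digits] == list(range(int(digits[0]), int(digits[0]) + len(devices))))
    report = {}
    for d in devices:
        findings = []
        if counts[d["password"]] > 1:
            findings.append("shared across devices")
        if incremental:
            findings.append("incremental counter")
        source = derived_from_exposed(d["password"], d)
        if source:
            findings.append(f"derived from exposed {source}")
        report[d["serial"]] = findings
    return report

def provision_password():
    """Per-device secret generated at manufacture and printed on the sticker, never
    computed from anything the device will later reveal over the network."""
    return secrets.token_urlsafe(12)

# Constructed sample fleet whose factory password is the tail of the serial number.
WEAK_FLEET = [
    {"serial": "U6412M7N000123", "mac": "02:00:00:AB:CD:01", "password": "pw000123"},
    {"serial": "U6412M7N000124", "mac": "02:00:00:AB:CD:02", "password": "pw000124"},
]
```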
Previously:
(2025) Massive Privacy Concern: Over 40,000 Security Cameras Are Streaming Unsecured Footage Worldwide
(2024) Secure Boot is Completely Broken on 200+ Models From 5 Big Device Makers
(2022) An Update to Raspberry Pi OS Bullseye
(2018) Weak Passwords to be Banned in California
Related Stories
Submitted via IRC for Bytram
Weak passwords to be banned in California
Default passwords such as "admin" and "password" will be illegal for electronics firms to use in California from 2020.
The state has passed a law that sets higher security standards for net-connected devices made or sold in the region.
It demands that each gadget be given a unique password when it is made.
Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm.
The Information Privacy: Connected Devices bill demands that electronics manufacturers equip their products with "reasonable" security features.
This can mean a unique password or a start-up procedure that forces users to generate their own code when using the gadget for the first time.
The bill also allows customers who suffer harm when a company ignores the law to sue for damages.
Raspberry Pi OS "Bullseye" is getting some changes to improve its robustness. Gone is the default user 'pi' with the default password of 'raspberry'. On first-boot, a setup wizard walks through setting a normal user with a regular password, though there are still options for headless installation. Among other improvements, it is now also possible to do the setup with a bluetooth mouse/keyboard exclusively. The old way required at least a wired mouse, if not also a wired keyboard, to connect first.
There are also mechanisms to preconfigure an image without using Imager. To set up a user on first boot and bypass the wizard completely, create a file called userconf or userconf.txt in the boot partition of the SD card; this is the part of the SD card which can be seen when it is mounted in a Windows or macOS computer. This file should contain a single line of text, consisting of username:encrypted-password – so your desired username, followed immediately by a colon, followed immediately by an encrypted representation of the password you want to use.
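As an added example that is not part of the Raspberry Pi documentation, the following Python builds and checks that userconf.txt line. It assumes Debian's default adduser username rule, relies on Python's crypt module or the openssl CLI for the SHA-512 crypt hash, and the usernames and passwords used are constructed samples.

```python
import re
import secrets
import shutil
import subprocess

# Debian's default adduser NAME_REGEX (assumed; Raspberry Pi OS inherits adduser from Debian).
_USERNAME_RE = re.compile(r"^[a-z][-a-z0-9_]*$")
# crypt(3) SHA-512 format: "$6$" + salt (1..16 chars of ./0-9A-Za-z) + "$" + 86-char hash
_SHA512_CRYPT_RE = re.compile(r"^\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$")
_SALT_CHARS = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha512_crypt(password, salt=None):
    """Hash a password in the $6$ format that the first-boot user setup consumes.
    Uses Python's crypt module where it still exists (removed in 3.13), otherwise
    the openssl CLI, which is what the Raspberry Pi documentation itself suggests."""
    if salt is None:
        salt = "".join(secrets.choice(_SALT_CHARS) for _ in range(16))
    try:
        import crypt  # present on Unix through Python 3.12, deprecated since 3.11
        digest = crypt.crypt(password, "$6$" + salt)
        if digest and _SHA512_CRYPT_RE.fullmatch(digest):
            return digest
    except (ImportError, DeprecationWarning):
        pass
    if shutil.which("openssl") is None:
        raise RuntimeError("need Python's crypt module or the openssl CLI")
    proc = subprocess.run(["openssl", "passwd", "-6", "-salt", salt, "-stdin"],
                          input=password + "\n", capture_output=True, text=True, check=True)
    return proc.stdout.strip()

def make_userconf_line(username, password):
    """Build the single 'username:encrypted-password' line for userconf.txt."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError(f"not a valid Linux username: {username!r}")
    return f"{username}:{sha512_crypt(password)}"

def parse_userconf_line(line):
    """Return (username, digest) for a well-formed line, else None. A plaintext
    password in the second field, the usual mistake, is rejected here."""
    username, sep, digest = line.strip().partition(":")
    if not sep or not _USERNAME_RE.fullmatch(username) or not _SHA512_CRYPT_RE.fullmatch(digest):
        return None
    return username, digest

def verify_userconf_password(line, password):
    """Re-hash with the stored salt and compare: a cheap check before writing the card."""
    parsed = parse_userconf_line(line)
    return parsed is not None and sha512_crypt(password, parsed[1].split("$")[2]) == parsed[1]
```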
Since it is a full general-purpose computer, other distros and even other operating systems are available for the Raspberry Pi. Slackware, Linux Mint, and Devuan are all among the distros which run well. FreeBSD, OpenBSD, and NetBSD also support at least some Raspberry Pi models. However, the official guides and tutorials all point to Raspberry Pi OS, which is a Debian derivative.
Previously:
(2022) Long Interview with Eben Upton About Long Term Plans for RPi (journal entry)
(2022) Can't Get Hold of a Shiny New Raspberry Pi? Blame the Bots
(2022) Raspberry Pi 64-bit Armbian Gets New Release
(2021) Raspberry Pi Launches .com Website, Eyes Retail Expansion in Africa
(2021) The Ongoing Raspberry Pi Fiasco
Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway.
In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
The threat of such BIOS-dwelling malware was largely theoretical and fueled in large part by the creation of ICLord Bioskit by a Chinese researcher in 2007. ICLord was a rootkit, a class of malware that gains and maintains stealthy root access by subverting key protections built into the operating system. The proof of concept demonstrated that such BIOS rootkits weren't only feasible; they were also powerful. In 2011, the threat became a reality with the discovery of Mebromi, the first-known BIOS rootkit to be used in the wild.
Keenly aware of Mebromi and its potential for a devastating new class of attack, the Secure Boot architects hashed out a complex new way to shore up security in the pre-boot environment. Built into UEFI—the Unified Extensible Firmware Interface that would become the successor to BIOS—Secure Boot used public-key cryptography to block the loading of any code that wasn't signed with a pre-approved digital signature. [...]
On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what's known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it's not clear when it was taken down.
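A defender's first question after a platform-key leak is whether their own firmware trusts one of the "DO NOT TRUST" test certificates. The following Python is an added example, not Binarly's tooling: it reads the PK variable from Linux's efivarfs (the path uses the standard EFI_GLOBAL_VARIABLE GUID), pulls the commonName strings out of the DER certificate with a minimal scan rather than a full ASN.1 parser, and flags the marker. The sample variable blobs are constructed.

```python
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID: where Linux's efivarfs exposes the Platform Key (PK).
PK_VAR = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# DER encoding of OID 2.5.4.3 (commonName); the CN string's TLV follows it in a Name.
_CN_OID = b"\x06\x03\x55\x04\x03"
_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8String, PrintableString, IA5String

def common_names(blob):
    """Extract every commonName (subject and issuer) from a blob of DER certificates:
    locate the OID, then read the short-form string TLV right after it. Sufficient
    for an EFI_SIGNATURE_LIST of X.509 certs; CNs over 127 bytes are skipped."""
    names = []
    pos = blob.find(_CN_OID)
    while pos != -1:
        tag_at = pos + len(_CN_OID)
        if tag_at + 2 <= len(blob):
            tag, length = blob[tag_at], blob[tag_at + 1]
            if tag in _STRING_TAGS and length < 0x80:
                raw = blob[tag_at + 2 : tag_at + 2 + length]
                names.append(raw.decode(_STRING_TAGS[tag], errors="replace"))
        pos = blob.find(_CN_OID, pos + 1)
    return names

def pk_is_test_key(var_bytes):
    """True when the PK certificate subject carries the "DO NOT TRUST" marker."""
    payload = var_bytes[4:]  # efivarfs prefixes the data with 4 bytes of variable attributes
    return any("DO NOT TRUST" in cn for cn in common_names(payload))

def check_local_pk(path=PK_VAR):
    """None when no PK is readable (legacy BIOS, Setup Mode, no permission), else bool."""
    try:
        return pk_is_test_key(Path(path).read_bytes())
    except OSError:
        return None

# Constructed samples: 4-byte attribute header followed by a minimal DER fragment.
SAMPLE_CN = b"DO NOT TRUST - constructed sample PK"
SAMPLE_TEST_PK = b"\x07\x00\x00\x00" + _CN_OID + bytes([0x0C, len(SAMPLE_CN)]) + SAMPLE_CN
SAMPLE_VENDOR_PK = b"\x07\x00\x00\x00" + _CN_OID + bytes([0x13, 19]) + b"Vendor Platform Key"

if __name__ == "__main__":
    print("PK is a test key:", check_local_pk())
```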
Arthur T Knackerbracket has processed the following story:
14,000 vulnerable feeds found in the U.S.
A major privacy concern involving more than 40,000 security cameras worldwide has been revealed by cybersecurity firm Bitsight. According to the company's TRACE research division, these cameras are live-streaming video feeds that are fully exposed to the internet — meaning that one can gain access without needing any sort of authentication, encryption, or even a basic password. In most cases, a person can access real-time footage from these exposed cameras simply by knowing their IP address.
Bitsight initially flagged the issue back in 2023, but recent research suggests that the situation “hasn’t gotten any better.” According to the latest research, these vulnerable cameras are not limited to one region or industry. The United States has close to 14,000 cameras that are potentially exposed, with states like California, Texas, Georgia, and New York having the highest numbers. Next on the list is Japan, with 7,000 exposed cameras, followed by Austria, Czechia, and South Korea, each of which has close to 2,000 vulnerable devices.
It is true that not every camera hooked up to the internet is a cause for concern, and some livestreams are set up intentionally to showcase scenes, like a beach or a birdhouse, for public viewing. However, some of these vulnerable cameras have been found in more private environments — including residential setups monitoring front doors, backyards, and even living rooms.
Cameras in office spaces, factories, and public transportation systems were also found. Bitsight researchers were able to observe sensitive spaces, monitor foot traffic, and, in some cases, even see details written on whiteboards — all in real time. The majority of the exposed devices are said to be using HTTP, while the rest stream through RTSP (Real-Time Streaming Protocol), which is a common protocol for controlling and managing streaming media over IP networks.
In addition to raising privacy and surveillance concerns, these exposed devices pose serious security risks. Information collected by Bitsight’s Cyber Threat Intelligence team suggests that users are openly discussing the feeds on dark web forums, where users are sharing tools and techniques to gain unauthorized access, and even selling access, to unprotected video streams.
Users and organizations are advised to double-check how their cameras are configured: disable remote access if not in use, update to the latest firmware, and make sure the device is protected behind a firewall or connected to a secure network. A simple way to check whether your camera is exposed is to access it from outside your home network. If you are able to view the camera feed without logging into a secure app or using a VPN (Virtual Private Network), it’s likely open to anyone on the internet. Additionally, one should replace any default usernames and passwords, as many camera devices ship with a default set of credentials that are easy to crack.
(Score: 3, Interesting) by VLM on Wednesday July 02, @06:16PM (2 children)
If you read the bill
I realize there are two sometimes opposing viewpoints, the "as the law is written" vs. the "as the law is interpreted in practice", but it seems if you don't do something crazy like enable your router's SSH port on the WAN side or use UPnP to open a remote access port for your gadget, it'll be OK enough, as authentication would only be enabled inside your local area network and 1798.91.04.(B) specifies outside the LAN, not inside the LAN.
Also 1798.91.06.(h) is hilarious.
(Score: 3, Funny) by Anonymous Coward on Wednesday July 02, @09:02PM
yes, it'll be okay as long as the average consumer doesn't behave unwisely with their network. 🙄
(Score: 2) by JoeMerchant on Thursday July 03, @01:47AM
Trusting your LAN is not the "zero trust" model... but it certainly is better than opening the device via UPnP to the internet by default.
🌻🌻🌻 [google.com]
(Score: 2) by looorg on Wednesday July 02, @09:40PM (1 child)
Brother is the one making, or rebranding, those shitty ink-jet printers that are super cheap, but the ink cartridges cost a fortune by comparison, or per print. They are basically a scam in and of themselves. So I'm not surprised that they would skimp on security and just use a default password on all devices.
(Score: 4, Informative) by DaTrueDave on Thursday July 03, @02:37AM
Brother makes the best and most trouble-free consumer laser printers on the market. I didn't think anyone still bought inkjets except as disposable printers...
(Score: 1, Insightful) by Anonymous Coward on Thursday July 03, @01:14AM (3 children)
Won't that make tons of other stuff illegal too like pfSense and other stuff?
https://docs.netgate.com/pfsense/en/latest/usermanager/defaults.html [netgate.com]
Personally I don't see the problem with default passwords assuming you can change them. Is this some kind of clickbait?
FWIW I have a Brother laser printer (and I don't enable the WiFi/network stuff) and it doesn't seem to have the enshittification stuff that printers from other vendors have. But I dunno about the newer ones...
And while we're talking about internet connected devices, why even bring up printers with passwords? How is that even a scandal - I mean their passwords can be changed unlike some Cisco stuff which had hardcoded backdoors[1]? How about those smart TVs which are more likely to be recording your voices etc and sending stuff to the Internet?
[1] Cisco actually have a far far worse track record for backdoors than Huawei. Maybe they should ban Cisco instead... 🤣 Seriously, go compare CVEs:
https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/ [bleepingcomputer.com]
https://www.tomshardware.com/news/cisco-backdoor-hardcoded-accounts-software,37480.html [tomshardware.com]
https://www.techtarget.com/searchsecurity/news/252449317/Hardcoded-credentials-continue-to-bedevil-Cisco [techtarget.com]
(Score: 2) by PiMuNu on Thursday July 03, @08:20AM
They are using the banhammer on the worst of IoT crapware.
As most know, the banhammer is a crude tool that often misses its target.
(Score: 2) by canopic jug on Friday July 04, @04:47PM (1 child)
Here's another one regarding Cisco's hard-coded credentials: Cisco Warns of Hardcoded Credentials in Enterprise Software [securityweek.com], also described as CVE-2025-20309.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Saturday July 05, @01:56PM
"Once is happenstance. Twice is coincidence. Three times is enemy action"
But with Cisco... It's more than 5 times and it's already 2025...
I'd ban Cisco products from my organization.
As for Huawei there was this: https://www.cvedetails.com/cve/CVE-2016-8754/ [cvedetails.com]
But they don't seem to do the backdoor aka hardcoded credential stuff as much as Cisco.
Their code looks about as crap as most though: https://www.theregister.com/2020/10/01/huawei_uk_security_code_review_panel/ [theregister.com]
Any bets on whether Cisco's code is better? 🤣
(Score: 2) by JoeMerchant on Thursday July 03, @01:50AM
We're taking an old product that had no network access and activating the ethernet port for some new functionality.
As such, we did a security review and found that our old scheme of having a single fixed (not published) password for all devices wasn't up to snuff with the latest applicable standards, so... tomorrow morning I'm creating a backlog item to implement the code to make the password(s) editable.
The reviews and documentation are going to take roughly 10x the man-hours of the change itself, but then, I'm paid by the hour, not the task.
🌻🌻🌻 [google.com]