Are Brother's Insecure Printers Illegal in the UK?


Another day, another security disaster! This time, multiple printers from Brother have an unfixable security flaw. That's bad, obviously, but is it illegally bad?

Let's take a look at the details of the vulnerability:

An unauthenticated attacker who knows the target device's serial number can generate the default administrator password for the device.

Recently, the UK brought in some laws aimed at strengthening consumer protection - the Product Security and Telecommunications Infrastructure Act (PSTI). There's a readable summary on the National Cyber Security Centre's website.

There are three interesting points to note in that blog post. The first is about passwords:

The law means manufacturers must ensure that all their smart devices meet basic cyber security requirements. Specifically:

  1. The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared.

Secondly, there is the question of jurisdiction:

Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence.

Thirdly, what is actually covered:

The law applies to any ‘consumer smart device’ that connects either to the internet, or to a home network (for example by wifi).

Is a WiFi enabled printer a "consumer smart device"? One of the things that techies find confusing is that the law is not code. It usually doesn't enumerate a definitive list of what is and what isn't in scope. It gives a general outline and then allows case-law to develop. This means laws don't need to be updated when someone invents, say, an Internet connected tinfoil dispenser.

Let's move beyond the consumer-friendly summary and go to the actual law. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 say, in Schedule 1:

  1. Passwords must be—

    a. unique per product; or

    b. defined by the user of the product.

  2. Passwords which are unique per product must not be—

    a. based on incremental counters;

    b. based on or derived from publicly available information;

    c. based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;

    d. otherwise guessable in a manner unacceptable as part of good industry practice.

How does this apply to the printers? Rapid7, who discovered the vulnerability, have this to say about how it works:

[The vulnerability] allows an attacker to leak a serial number via the target's HTTP, HTTPS, and IPP services. However, should an attacker not be able to leverage [the vulnerability], a remote unauthenticated attacker can still discover a target device's serial number via either a PJL or SNMP query

So, yes. The default password is unique per product, but it is derived from the serial number, and that serial number can be read by anyone with a network connection to the printer, without authenticating.
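To make the distinction in paragraph 1(2)(c) of the regulations concrete, here is an added example (not Brother's algorithm, not Rapid7's code, and with an invented serial-number format) comparing three ways a manufacturer might set a per-device default password. The attacker model is Rapid7's: unauthenticated, on the network, and in possession of the serial. The `FACTORY_KEY` and the derivation functions are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample input: a serial of the kind Rapid7 say can be read
# remotely over HTTP, IPP, PJL or SNMP. The format is invented for this example.
SAMPLE_SERIAL = "E12345A6N000123"

# Hypothetical per-manufacturer secret for the keyed scheme below.
# In a real product it would stay in the factory's HSM, not ship in firmware.
FACTORY_KEY = secrets.token_bytes(32)


def _to_password(digest: bytes, length: int) -> str:
    # Truncate a digest to printable characters; adequate for illustration.
    return base64.urlsafe_b64encode(digest)[:length].decode()


def unkeyed_default_password(serial: str, length: int = 8) -> str:
    """The pattern reg. 1(2)(c) forbids: the password is a pure function of a
    public identifier, so serial plus algorithm is enough to recompute it."""
    return _to_password(hashlib.sha256(serial.encode()).digest(), length)


def keyed_default_password(serial: str, key: bytes, length: int = 8) -> str:
    """The pattern reg. 1(2)(c) permits: an HMAC keyed with a secret the
    attacker does not hold. Serial plus algorithm is no longer enough."""
    mac = hmac.new(key, serial.encode(), hashlib.sha256).digest()
    return _to_password(mac, length)


def random_default_password(length: int = 12) -> str:
    """Reg. 1(1)(a) done the simple way: a per-device random password set at
    the factory and printed on the label. There is no derivation to leak."""
    return _to_password(secrets.token_bytes(length), length)


def attacker_recovers(device_password: str, attacker_guess: str) -> bool:
    """Models Rapid7's unauthenticated attacker, who knows the serial."""
    return hmac.compare_digest(device_password, attacker_guess)


def compare_schemes(serial: str = SAMPLE_SERIAL) -> dict:
    """Run each scheme against the attacker model and report who wins."""
    results = {}
    # 1. Unkeyed: device and attacker compute the same function of the serial.
    results["unkeyed"] = attacker_recovers(
        unkeyed_default_password(serial), unkeyed_default_password(serial))
    # 2. Keyed: the attacker lacks FACTORY_KEY (modelled as an empty key).
    results["keyed_without_key"] = attacker_recovers(
        keyed_default_password(serial, FACTORY_KEY),
        keyed_default_password(serial, b""))
    # 3. Keyed, but one shared key was extracted from firmware: back to case 1.
    results["keyed_with_leaked_key"] = attacker_recovers(
        keyed_default_password(serial, FACTORY_KEY),
        keyed_default_password(serial, FACTORY_KEY))
    # 4. Random per device: knowing the serial tells the attacker nothing.
    results["random"] = attacker_recovers(
        random_default_password(), unkeyed_default_password(serial, 12))
    return results


if __name__ == "__main__":
    for scheme, recovered in compare_schemes().items():
        print(f"{scheme:24s} attacker recovers password: {recovered}")
```

Case 3 is the practitioner's caveat on "keyed hashing algorithm ... accepted as part of good industry practice": a single key baked into every unit's firmware is a key the attacker can extract, at which point the keyed scheme is no better than the unkeyed one. Case 4 avoids the whole problem at the cost of a per-device label at the factory.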

But, do printers fall under the scope of this act?

The Product Security and Telecommunications Infrastructure Act 2022 says:

4 Relevant connectable products

  1. In this Part “relevant connectable product” means a product that meets conditions A and B.

  2. Condition A is that the product is—

    a. an internet-connectable product, or

    b. a network-connectable product.

  3. Condition B is that the product is not an excepted product (see section 6).

It goes on to define what Internet-connectable means, along with some other clarifying details. But is there a get-out clause here? Are printers an "excepted product"?

In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.

OK, let's look at the regulations. I've expanded out the relevant bit:

Schedule 3 Excepted connectable products

  1. Computers

    1. Products are excepted under this paragraph if they are computers which are—

      a. desktop computers;

      b. laptop computers;

      c. tablet computers which do not have the capability to connect to cellular networks.

Nope! The Brother printers don't appear to be exempt. What's the maximum penalty Brother could be subject to?

The greater of £10 million or 4% of worldwide revenue.

Ouch!

Of course, much like GDPR fines, these are headline grabbing numbers. The prosaic reality is that the enforcement policy is much more likely to suggest remedial steps. Only the most flagrant transgressors are likely to be punished harshly.

So, to recap. The law says a connectable device (including printers) must have a password that is either unique per product or set by the user, and a unique password must not be "based on or derived from publicly available information", nor derived from a serial number unless that is done with an encryption method or keyed hash accepted as good industry practice. As I understand it, a serial-number based password can be acceptable as long as the serial is not public and the derivation is properly keyed. I expect that a serial printed on a sticker on the device would be fine, since a remote attacker can't read it. But here the serial can be discovered remotely by an unauthenticated attacker, and Rapid7 say that knowing it is enough to generate the password, so whatever derivation is used is not keeping the attacker out. It fails at this point.

In Brother's (slight) defence, unless the user has specifically connected the printer to the Internet this is only a local vulnerability. Someone on the same network would be able to monkey around with the printer but, similarly, they could plug in a USB cable for some illicit printing or break it with a hammer. Any damage is confined to the LAN.

Should users change default passwords? Yes. But manufacturers have a legal duty to ensure that people who don't are still protected.
