Printer manufacturer Canon is warning that sensitive Wi-Fi settings don’t automatically get wiped during resets, so customers should manually delete them before selling, discarding, or getting them repaired to prevent the settings from falling into the wrong hands.
“Sensitive information on the Wi-Fi connection settings stored in the memories of inkjet printers (home and office/large format) may not be deleted by the usual initialization process,” company officials wrote in an advisory on Monday. They went on to say that manual wiping should occur “when your printer may be in the hand of any third party, such as when repairing, lending or disposing the printer.”
Like many printers these days, those from Canon connect to networks over Wi-Fi. To do this, users must provide the SSID name, the password preventing unauthorized access to the network, and in some cases, additional information such as Wi-Fi network type, the local network IP address, the MAC address, and network profile.
It would be reasonable to assume that performing a simple factory reset that returns all settings to their defaults would be enough to remove these settings, but Monday’s advisory indicated that isn’t necessarily the case. In the event this information is exposed, malicious actors could use them to gain unauthorized access to a network hosting a Canon printer.
Instead of relying on the reset function, Canon users must:
- Reset all settings (Reset settings ‐> Reset all)
- Enable the wireless LAN
- Reset all settings one more time
For Canon printers without a dedicated reset function, users should:
- Reset LAN settings
- Enable the wireless LAN
- Reset LAN settings one more time
The advisory lists nearly 200 models that are affected. A list of them is available here.
https://arstechnica.com/?p=1958242