Security researchers have demonstrated a hack that allowed them to get into the web interface of a Canon Pixma printer before modifying its firmware to run the classic 90s computer game Doom.
The proof-of-concept demo by security researchers at Context Information Security, which involved remotely accessing the web interface on the printer, also allowed them to exhaust the ink of the printer by printing out hundreds of documents.
The hack was only possible because the printer's firmware used basic XOR encryption.
The printer hack was presented at 44Con in London on Friday by Mike Jordon, head of research at Context. More details of the techniques used along with a supporting video can be found in a blog post here.
The same tactics could easily be applied to either plant a trojan on the printer to spy on documents being printed or to establish a compromised gateway into a corporate network associated with the pox-ridden printer.
The Context team has previously hacked into other so-called Internet of Things (IoT) products – including a smart light bulb, IP camera, network attached storage device and even a child’s internet-enabled toy rabbit – hacks which, collectively, raise yet more concerns about the flaky state of IoT security.
"This latest example further demonstrates the insecurities posed by the emerging Internet of Things as vendors rush to connect their devices," said Context’s Jordon. "The printer’s web interface did not require user authentication, allowing anyone to connect to it. But the real issue is with the firmware update process.
"If you can trigger a firmware update you can also change the web proxy settings and the DNS server; and if you can change these then you can redirect where the printer goes to check for a new firmware update and install custom code – in our case a copy of Doom.”
Context sampled 9,000 of the 32,000 IP addresses that Shodan (the Internet of Stuff's search engine) indicated may have a vulnerable printer. Out of these IPs, 1,822 responded and 122 indicated that they might be running a firmware version that could be compromised. “Even if the printer is not connected directly to the internet, [instead being] behind a NAT on a user’s home network or on an office intranet, for example, it is still vulnerable to remote attack,” Jordon warned.
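Why XOR-only protection of a firmware image fails, as an added example (not code from Context or Canon): with repeating-key XOR, known bytes can be rewritten in transit without the key and the updater accepts the result, while an updater that verifies an authentication tag rejects it. The key, the image and all function names are constructed for illustration, and HMAC stands in for the asymmetric signature a real device would check against a vendor public key.

```python
import hashlib
import hmac

# Constructed sample data: not a real firmware image or vendor key.
XOR_KEY = bytes.fromhex("a55a3cc3")            # hypothetical obfuscation key
SIGNING_KEY = b"constructed-demo-signing-key"  # stand-in for a vendor signing key
FIRMWARE = b"FWIMG v1.0 boot=/bin/printd ui=/bin/webui" + b"\x00" * 16


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def package(image: bytes) -> tuple:
    """Return (obfuscated image, authentication tag over the plaintext)."""
    tag = hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()
    return xor_stream(image, XOR_KEY), tag


def modify_in_transit(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model an on-path change: XOR is malleable, so no key is needed."""
    delta = bytes(a ^ b for a, b in zip(old, new))
    end = offset + len(delta)
    patched = bytes(c ^ d for c, d in zip(blob[offset:end], delta))
    return blob[:offset] + patched + blob[end:]


def install_xor_only(blob: bytes) -> bytes:
    """Weak updater: de-obfuscates and accepts whatever arrives."""
    return xor_stream(blob, XOR_KEY)


def install_verified(blob: bytes, tag: bytes) -> bytes:
    """Hardened updater: refuses any image whose tag does not verify."""
    image = xor_stream(blob, XOR_KEY)
    expected = hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("firmware authentication failed; update rejected")
    return image


if __name__ == "__main__":
    blob, tag = package(FIRMWARE)
    changed = modify_in_transit(blob, FIRMWARE.index(b"webui"), b"webui", b"other")
    print("XOR-only updater installs:", install_xor_only(changed)[:41])
    try:
        install_verified(changed, tag)
    except ValueError as err:
        print("Verified updater:", err)
```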
Context contacted Canon in March of this year. In a statement supplied to Context, Canon said it was in the process of developing a fix as well as generally improving the security of its printer products.
We thank Context for bringing this issue to our attention; we take any potential security vulnerability very seriously. At Canon we work hard at securing all of our products, however with diverse and ever-changing security threats we welcome input from others to ensure our customers are as well protected as possible. We intend to provide a fix as quickly as is feasible. All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.
Context recommends that wireless printers or any other Internet of Things devices are not connected to the wider internet.
“We are not aware of anyone actively using this type of attack for malicious purposes but hopefully by raising awareness, we can encourage vendors to increase the security of this new generation of devices,” Jordon concluded, adding “it is important to always install the latest available firmware.” ®