On Friday, a hacker presenting at the 44CON Information Security Conference in London picked up on the vulnerability of web-accessible devices and demonstrated how to run unsigned code on a Canon printer through its standard web interface. After describing the device’s encryption as “damned,” Context Information Security consultant Michael Jordon made his point by installing and running the first-person shooter classic Doom on a standard Canon Pixma MG6450.
Sure enough, the printer’s tiny menu screen can display a choppy and discolored but playable version of id Software’s 1993 hit, the result of Jordon’s discovery that Pixma printers’ web interfaces required no authentication to access. “You could print hundreds of test pages and use up all the ink and paper, so what?” Jordon wrote in Context’s blog report about the discovery. After some more poking around, however, he found that the devices could also be easily redirected to accept any code as legitimate firmware.
The web interface of a vulnerable Pixma printer allows users to change the web proxy settings and the DNS server. From there, an enterprising hacker can crack the device’s encryption in eight steps, the last of which involves unsigned firmware files in plain text. The hacking capabilities go far beyond enabling choppy early-1990s gaming: “We can therefore create our own custom firmware and update someone’s printer with a Trojan image that spies on documents being printed or used as gateway to their network,” Jordon wrote.
Running out of ink? Just type “IDDQD”
It’s a solid reminder that the most seemingly innocuous devices on a home or work network can become gateways to all sorts of exploits beyond the ones made public at hacking conferences. Years ago, for instance, a series of Hewlett-Packard printers fell victim to a remote access hack of their own, though HP denied the researchers’ claim that it could be used to set printers on fire.
The Canon exploit, meanwhile, could reach far and wide if affected users don’t pay attention to upcoming firmware updates to fix the problem. Shortly before the exploit became public, Context scanned the Internet for vulnerable Pixma printers whose web interfaces were accessible. The group was able to log in to six percent of them; according to that estimate, “at least 2,000 vulnerable models” are currently online, ready to receive Doom (or something scarier).
Jordon’s post goes into less detail about the version of Doom he got working on Pixma printers; in an interview with the BBC, he clarified that the printer had a 32-bit ARM processor and 10 MB of memory, but getting the ARM version of Doom to work took months of his free time. As a result, he told the BBC he was “so tired” of working on the game port and wouldn’t optimize it further (sorry, printer gamers!).
Context contacted Canon after discovering the exploit in March this year, and the companies have been in active discussions ever since. Immediately after the presentation, Canon issued a statement saying that all affected Pixma models in the wild will receive a firmware update to add a login prompt. In the meantime, Context recommends users “don’t put your wireless printers on the Internet, nor any other ‘Internet of Things’ device.” The security company is not aware of any active exploits targeting printers, “but hopefully we can improve the security of these types of devices before the bad guys start.”