When you think you’ve seen it all, something comes out of the blue and knocks your socks off, as it happened in a 44 CON Information Security Conference which took place in London last Friday, September 12th. A talented hacker present at the conference offered the attendance a mind-blowing example of Web-accessible devices vulnerability. He kicked off by rolling an unsigned code on a Canon printer via its default Web interface. Michael Jordon, now a Context Information Security consultant sentenced the device’s encryption to its “doom,” via the pirate code, and continued with installing, then playing the first-person shooter Doom on a stock Canon Pixma MG6450 printer.
The small display of the printer could only render a small and blurry image of the game, but the id Software’s 1993 hit was surely playable. Jordon learned this was possible due to a security fault in Pixma printers’ Web interfaces which did not require any authentication code to access. He relates how he came to this conclusion in Context’s blog report: “You could print out hundreds of test pages and use up all the ink and paper, so what?” Upon a little more in depth research he realized that devices could be easily rigged in order to recognize any code as legitimate firmware. On such a Pixma printer with an exposed Web interface, skilled users should be able to easily modify the Web proxy settings and the DNS server. From that point on, the device’s encryption can be hacked in eight steps culminating with the insertion of unsigned, plain-text files.
Taking this into account, the possibilities to do a lot more damage are highly plausible. Playing a 90’s video game is just a small piece of the cake as Jordon writes: “We can therefore create our own custom firmware and update anyone’s printer with a Trojan image which spies on the documents being printed or is used as a gateway into their network.” It is a wake up call for all printing devices users that should be taken very seriously in the future to avoid any data hijacking by unwanted third parties. To avoid these major inconveniences, you should not leave your printer connected to the internet and always update to current firmware provided by the manufacturer. After this “accidental” discovery, Cannon and Context are working together to finding solutions for this major security issue.
Cannon made an official announcement in this sense, stating that all affected Pixma models will be receiving the necessary update to solve the problem. In the meantime, Context advises users to “not put your wireless printers on the Internet, nor any other ‘Internet of Things’ device.” The security company isn’t aware of any active exploits aimed at printers, “but hopefully we can increase the security of these types of devices before the bad guys start to.”