Printer security sucks — but Michael Jordon's work on hacking the firmware of the standalone Canon Pixma printer is a more playful example of that suckitude than ever seen before.
Jordon's work demonstrates an over-the-Internet attack that pwns the printer so thoroughly that it could run the classic first person shooter Doom.
A more egregious security hole emerges when you look at how Canon handles firmware updates, the process by which the printer’s internal read-only memory—low-level software that tells the printer how to behave when it’s powered on—is reprogrammed. Firmware updates happen infrequently, and unless users are experiencing the specific problem the firmware update is intended to solve, most don’t even know about them.
But firmware updates can be manually triggered at any time, and Jordon found Canon’s updates change the printer’s web proxy and DNS settings. If you could fiddle with that by accessing an Internet-connected printer—locating it with a “vulnerable devices” web-scanning tool like SHODAN, then hacking its encryption scheme—Jordon says you could redirect where the printer looked for control software updates, telling it to download whatever you like.
This, in theory, could provide a backdoor into someone’s network.
Even if the printer’s not directly connected to the Internet, Jordon says its lack of authentication requirements makes it vulnerable to what’s known as a “one-click attack,” whereby someone on the same network as the printer could locate the printer’s IP using a port scanner, then initiate a cross-site request forgery attack to modify the printer’s configuration.
Play Doom on a Printer—Thanks to a Serious Security Flaw [Matt Peckham/Wired]