If you can hack a wireless printer to play one of the most famous videogames of all time, what else can you do with it?
And if printer hardware can be reprogrammed by hackers to perform functions far beyond its intended use, what does it say about other the other devices that make up “the internet of things”?
Those are the obvious concerns raised by security researcher Michael Jordon, who was able to install a playable version of Doom on a wireless Canon Pixma printer to raise concerns about poor security on internet-enabled devices.
Jordon, who works for Context Information Security, was able to exploit weaknesses in how the Canon Pixma printer is accessed via the web. To his dismay, he found that the printer’s web interface did not require a user to enter a password.
Now many users may think that that’s not a problem. After all, the web interface on a Canon Pixma printer is only normally used to relay the printer’s status, or to advise when it is about to run out of ink.
But the printer’s web interface also allows users to trigger updates to install new firmware.
As Jordon explains in a blog post:
“The issue is with the firmware update process. While you can trigger a firmware update you can also change the web proxy settings and the DNS server. If you can change these then you can redirect where the printer goes to check for a new firmware. So what protection does Canon use to prevent a malicious person from providing a malicious firmware? In a nutshell – nothing, there is no signing (the correct way to do it)”
Jordon realised that it was possible to create his own custom firmware update, that could be installed on any vulnerable web-enabled Canon Pixma printer.
If you had malicious intentions, it would be possible to create a malicious update as a gateway into an organisation’s network, or to spy on the content of documents as they are printed.
Jordon had different ideas, though. In a masterstroke example of how to capture the media’s attention, he made the firmware update install the classic Doom first person shooter.
As you can imagine, it’s easy to have a goal like that but somewhat more difficult to achieve it.
Jordon discovered that although Canon Pixmas did not cryptographically sign their firmware updates, they did use “very weak encryption” (which he was able to crack).
Furthermore, porting the Doom computer game’s code to run on the printer’s ARM processor without access to a debugger was an additional challenge, as it required him to work around the printer’s idiosyncrasies.
Fortunately for us all, Jordon was able to finally get his printer version of Doom up-and-running two days before the 44Con hacking conference in London.
During his research, Jordon discovered thousands of potentially vulnerable Pixma printers online, although it’s important to stress that there is no evidence that anyone is exploiting them through this method at the present time.
For its part, Canon says that it is working on a fix which will make it mandatory to enter a username and password to access Pixma’s web interface in future:
“We thank Context for bringing this issue to our attention; we take any potential security vulnerability very seriously. At Canon we work hard at securing all of our products, however with diverse and ever-changing security threats we welcome input from others to ensure our customers are as well protected as possible.”
“We intend to provide a fix as quickly as is feasible. All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.”
All fun and larks aside, the research proves an important point. Internet-enabled devices must take security seriously, or risk being exploited.
If we don’t, we all running the risk of being (umm…) doomed.
This article originally appeared on the Optimal Security blog.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.