Researchers at Context Information Security have successfully managed to remotely access the web interface on a Canon Pixma printer and modify firmware from the Internet to run the classic 90s computer game Doom.
The researchers also used up ink by printing out hundreds of copies of random documents. Had they had more sinister implications, they could have easily uploaded an infected image file to the printer that they then could have used to spy on what documents were being printed and establish a gateway into the printer’s network.
FREE Download: CISO Data Breach Guide
The techniques used to compromise the printer were recently presented at 44Con in London by Mike Jordon, head of research at Context. An article and video detailing the findings can be found here: http://www.contextis.co.uk/resources/blog/hacking-canon-pixma-printers-doomed-encryption/.
Besides printers, security teams at Context have successfully hacked into other Internet of Things (IoT) products – including a smart light bulb, IP camera, network attached storage (NAS) device, and even a child’s internet rabbit toy–exploits which raise even more concerns about IoT security.
“This latest example further demonstrates the insecurities posed by the emerging Internet of Things as vendors rush to connect their devices,” said Context’s Mike Jordon. “The printer’s web interface did not require user authentication, allowing anyone to connect to it. But the real issue is with the firmware update process. If you can trigger a firmware update, you can also change the web proxy settings and the DNS server; if you can change these, then you can redirect where the printer goes to check for a new firmware update and install custom code – in our case, a copy of Doom.”
Context sampled 9,000 of the 32,000 IPs that the web site Shodan (http://www.shodanhq.com) indicated may have a vulnerable printer. Out of these IPs, 1,822 responded, and 122 indicated that they may have a firmware version that could be compromised (around 6%). “Even if the printer is not connected directly to the Internet behind a NAT on a user’s home network or on an office intranet, for example, it is still vulnerable to remote attack,” adds Jordon.
Context contacted Canon in March of this year for comments. Canon provided the following statement that has since been published in Context’s blog:
“We thank Context for bringing this issue to our attention; we take any potential security vulnerability very seriously. At Canon we work hard at securing all of our products; however, with diverse and ever-changing security threats, we welcome input from others to ensure our customers are as well protected as possible. We intend to provide a fix as quickly as is feasible. All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update. Models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.”
Context recommends that wireless printers or any other potential IoT devices remain unconnected to the Internet. “We are not aware of anyone actively using this type of attack for malicious purposes. Hopefully by raising awareness, we can encourage vendors to increase the security of this new generation of devices,” says Jordon. “And of course it is important to always apply the latest available firmware.”
For more information, visit www.contextis.com.
Launched in 1998, Context has a client base that includes some of the world’s most high profile blue chip companies, alongside government organisations. An exceptional level of technical expertise underpins all Context services, while a detailed and comprehensive approach helps clients to attain a deeper understanding of security vulnerabilities, threats or incidents. Many of the world’s most successful organisations turn to Context for technical assurance, incident response and investigation services. Context is also at the forefront of research and development in security technology. As well as publishing white papers and blogs addressing current and emerging security threats and trends, Context consultants frequently present at open and closed industry events around the world. Context delivers a comprehensive portfolio of advanced technical services and with offices in the UK, Germany and Australia, is ideally placed to work with clients worldwide.