Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


9/15/2014
02:20 PM

Internet Of Things Devices Are Doomed

Security researchers hack Canon printer firmware to run the classic 90s video game Doom as well as to wreak havoc with other manipulations.

Security researchers are telling a story of Internet of Things (IoT) Doom, but it might not be exactly the doom you expect: Last week at 44Con in London, a researcher showed off a hack of a vulnerability in a Canon Pixma printer that made it possible to remotely modify the printer's firmware so that its LED indicator screen could run the classic first-person-shooter game, Doom.

The presentation wasn't all fun and games: The proof-of-concept attack showed how easily an attacker could update the printer with a Trojan for spying on printed documents, or with other malicious software to establish a foothold in a network.

According to Mike Jordon, head of research at UK-based Context, who presented the hack, the web-enabled interface that these printers use to show information about the printer's ink levels and settings has no user authentication to control who can connect to it.

"At first glance the functionality seems to be relatively benign, you could print out hundreds of test pages and use up all the ink and paper, so what?" writes Jordon. "The issue is with the firmware update process. While you can trigger a firmware update you can also change the web proxy settings and the DNS server. If you can change these then you can redirect where the printer goes to check for a new firmware."

Canon has no protection to prevent bad actors from manipulating the firmware update process for malicious ends. There is no signing, and at best there is weak encryption protecting the firmware file. The encryption utilizes repeating patterns, which made it easy enough for Jordon and his team to break in order to carry out their attack.

The Context team used Shodan to sample about 9,000 of the 32,000 IP addresses that the scanner indicated could have a vulnerable printer. Among those addresses that responded, about 6 percent had a vulnerable firmware version, leading Jordon to estimate about 2,000 vulnerable models are likely directly connected to the Internet. The lack of authentication makes it possible to attack not only those printers directly connected to the Internet but also those not directly accessible, such as ones behind NAT on a home network or on an office intranet. His team was able to do so by scanning local networks using JavaScript port scanning through cross-site request forgery attacks that modified printer configurations.

"Although the printer is not actually on the Internet, this is possible because the malicious web page initiates requests from the user’s browser which is on the same network as the printer," says Jordon.
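The missing control on the settings interface, sketched as an added example (not code from Canon or Context): a wrapper that demands credentials and refuses state-changing requests whose `Origin` is not the device itself, which is what stops a web page on another site from driving the user's browser. The handler names, address, path and password are constructed, and HTTP Basic is used only to keep the sketch short.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

const adminPass = "constructed-per-device-secret" // placeholder, not a real credential

// protect requires credentials and refuses cross-origin state-changing requests.
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, pass, ok := r.BasicAuth()
		if !ok || subtle.ConstantTimeCompare([]byte(pass), []byte(adminPass)) != 1 {
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		// Browsers may replay cached credentials cross-site, so also check Origin.
		if r.Method != http.MethodGet && r.Method != http.MethodHead {
			o, err := url.Parse(r.Header.Get("Origin"))
			if err != nil || o.Host == "" || o.Host != r.Host {
				http.Error(w, "cross-origin request refused", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// setDNS stands in for the printer's DNS settings page (hypothetical handler).
var setDNS = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "dns updated")
})

// tryPost POSTs to the protected handler in-process and returns the HTTP status.
func tryPost(origin, pass string) int {
	r := httptest.NewRequest(http.MethodPost, "http://192.168.1.50/settings/dns", nil)
	r.Header.Set("Origin", origin)
	r.SetBasicAuth("admin", pass)
	w := httptest.NewRecorder()
	protect(setDNS).ServeHTTP(w, r)
	return w.Code
}

func main() {
	fmt.Println(tryPost("http://192.168.1.50", adminPass), tryPost("http://other.example", adminPass))
}
```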

According to Canon, it is currently working on a fix for the problem, and it says all future Pixma products will have authentication for their interfaces. While Jordon and his colleagues at Context say they aren't aware of anyone in the wild using this type of attack, they hope to build awareness so that security can be built into these devices before the bad guys start to take advantage.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Joe Stanganelli,
User Rank: Ninja
12/6/2014 | 6:16:55 AM
Re: Old hack, new hack
Re: As IoT becomes more ubiquitous in our lives and new products come to market, so do added security risks and the opportunities for hackers to cause mischief -- and much much more serious harm.

Indeed, Marilyn! Murder, for instance...
Marilyn Cohodas,
User Rank: Strategist
9/17/2014 | 9:39:26 AM
Re: Old hack, new hack
Yep. There's a lot of work to be done securing the IoT. But there are a lot of smart people who are trying to figure it out. We can only hope the manufacturers will pay attention to them.
Robert McDougal,
User Rank: Ninja
9/17/2014 | 9:31:29 AM
Re: Old hack, new hack
Agreed, for years manufacturers have allowed little flaws to fly by because they had a firewall to protect them.  However, in the IoT a firewall won't necessarily be between the device and the rest of the world.
Marilyn Cohodas,
User Rank: Strategist
9/16/2014 | 4:11:51 PM
Re: Fortunately...
You nailed it hhendrickson274: "Technology has a lovely way of proving pundits on both sides very wrong." Even the security researchers presenting findings at Black Hat about hacking "things" like cars and Nest thermostats aren't advocating that people give them up. Will the IoT cause security problems? Yes. Will we fix some of those vulnerabilities? Probably. Will "things" ever be totally secure? Unlikely. What else is new?
hhendrickson274,
User Rank: Strategist
9/16/2014 | 12:47:51 PM
Re: Fortunately...
And nobody will ever want a TV in every room of their house either. Technology has a lovely way of proving pundits on both sides very wrong. It may not be the IoT that the tech companies are talking about, but more and more things are connecting to the Internet every day. From thermostats (why would someone want to do that, you say?) to fridges to TVs, media players, and even the electric grid. If it's on the network, it's open for attack. And until manufacturers start paying attention to security in the design of their products, it will only continue to get worse not better. Ask yourself, when was the last time you updated the firmware on your printer, router, etc.? Was it when you got it and first plugged it in? And are you technology literate, where most users don't even think about the need to update all those devices.
HarveySummers,
User Rank: Apprentice
9/16/2014 | 9:43:33 AM
On the other hand...
On some printers, running Doom would be a big improvement.
Marilyn Cohodas,
User Rank: Strategist
9/16/2014 | 8:12:11 AM
Re: Old hack, new hack
The reason to call attention to these potential vulnerabilities now is to raise awareness among consumers -- and more importantly -- manufacturers. As IoT becomes more ubiquitous in our lives and new products come to market, so do added security risks and the opportunities for hackers to cause mischief -- and much much more serious harm. 
Joe Stanganelli,
User Rank: Ninja
9/16/2014 | 2:42:19 AM
Old hack, new hack
These sort of printer hacks have been around for quite some time.  Networked printers are notoriously hackable because printer manufacturers don't think of their devices as hackable.

Ditto for IoT, unfortunately.  Who would hack a toaster?  Well, hackers, of course!
Andrew Binstock,
User Rank: Apprentice
9/15/2014 | 7:00:56 PM
How important?
The researchers are simply doing what crackers do: poring over software trying to find a small toehold by which they can insert the tip of a crowbar and pry open a weakness.

Unless companies spend millions hiring developers to do just this kind of penetration testing, all software-bearing devices are and will remain vulnerable. And even with extensive pen testing, every software rev presents a new set of opportunities.

We're going to have to accept this is part of the risk of IoT. Actually, it'll probably be the biggest obstacle to widespread IoT adoption. That is, after lack of IPv6 adoption, lack of standards, lack of an important problem to solve. :-)
Thomas Claburn,
User Rank: Ninja
9/15/2014 | 4:13:37 PM
Fortunately...
...the Internet of Things is not going to be anywhere near as big as the tech industry hopes. So air conditioning hacks should be few and far between, even if the vulnerabilities turn out to be abundant.