Security researchers are telling a story of Internet of Things (IoT) Doom, but it might not be exactly the doom you expect: last week at 44Con in London, a researcher demonstrated an exploit for a vulnerability in a Canon Pixma printer that made it possible to remotely modify the printer's firmware so that its LED indicator screen could run the classic first-person-shooter game, Doom.
The presentation wasn't all fun and games: the proof-of-concept attack showed how easily an attacker could update the printer with a Trojan that spies on printed documents, or with other malicious software that establishes a foothold in a network.
According to Mike Jordon, head of research at UK-based Context, who presented the hack, the web-enabled interface that these printers use to show information about the printer's ink levels and settings has no user authentication to control who can connect to it.
"At first glance the functionality seems to be relatively benign, you could print out hundreds of test pages and use up all the ink and paper, so what?" writes Jordon. "The issue is with the firmware update process. While you can trigger a firmware update you can also change the web proxy settings and the DNS server. If you can change these then you can redirect where the printer goes to check for a new firmware."
Canon has no protection to prevent bad actors from manipulating the firmware update process for malicious ends. There is no signing, and at best there is weak encryption protecting the firmware file. The encryption utilizes repeating patterns, which made it easy enough for Jordon and his team to break in order to carry out their attack.
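One way a firmware team could check an image for the "repeating patterns" weakness before release, as an added example that is not Context's or Canon's code: it measures how often a blob matches itself at each byte shift, since well-encrypted data should match only about 1 time in 256. The repeating-key XOR scheme, the sample image, the key and all function names are assumptions constructed for illustration; the article does not name the printer's actual algorithm.

```python
import hashlib

def coincidence_rate(blob: bytes, shift: int) -> float:
    """Fraction of positions i where blob[i] == blob[i + shift]."""
    pairs = len(blob) - shift
    return sum(a == b for a, b in zip(blob, blob[shift:])) / pairs

def repeating_period(blob: bytes, max_shift: int = 64, threshold: float = 0.05):
    """Smallest shift at which the blob matches itself far more often than
    the ~1/256 rate of well-encrypted data, or None if no shift stands out."""
    for shift in range(1, max_shift + 1):
        if coincidence_rate(blob, shift) > threshold:
            return shift
    return None

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Weak scheme assumed for this example: XOR with a short repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for a properly encrypted image
    (SHA-256 over a counter), used only as the control case."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

# Constructed sample: zero padding plus a short string table, as firmware images often contain.
SAMPLE_IMAGE = b"\x00" * 4096 + b"constructed sample firmware string table".ljust(64, b".")
SAMPLE_KEY = bytes.fromhex("1f8a3c5de2907b46a9d1e804")  # 12 distinct bytes, constructed

WEAK_BLOB = xor_repeating(SAMPLE_IMAGE, SAMPLE_KEY)
STRONG_BLOB = pseudo_random(len(SAMPLE_IMAGE))

if __name__ == "__main__":
    print("weak blob period:", repeating_period(WEAK_BLOB))
    print("strong blob period:", repeating_period(STRONG_BLOB))
```

A non-None result means the image's structure shows through the encryption; the check says nothing about authenticity, which only a signature verified by the device before flashing can provide.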
"Although the printer is not actually on the Internet, this is possible because the malicious web page initiates requests from the user’s browser which is on the same network as the printer," says Jordon.
According to Canon, it is currently working on a fix for the problem, and it says all future Pixma products will have authentication for their interfaces. While Jordon and his colleagues at Context say they aren't aware of anyone in the wild using this type of attack, they hope to build awareness so that security can be built into these devices before the bad guys start to take advantage.