Internet Of Things Devices Are Doomed
Security researchers hack Canon printer firmware to run the classic 90s video game Doom as well as to wreak havoc with other manipulations.
September 15, 2014
Security researchers are telling a story of Internet of Things (IoT) Doom, but it might not be exactly the doom you expect: Last week at 44Con in London, a researcher showed off a hack of a vulnerability in a Canon Pixma printer that made it possible to remotely modify the printer's firmware so that its LED indicator screen could run the classic first-person-shooter game, Doom.
The presentation wasn't all fun and games: The proof-of-concept attack showed how easily the printer could be updated with a Trojan for spying on printed documents, or with other malicious software that establishes a foothold in a network.
According to Mike Jordon, head of research at UK-based Context, who presented the hack, the web-enabled interface that these printers use to show information about the printer's ink levels and settings has no user authentication to control who can connect to it.
"At first glance the functionality seems to be relatively benign, you could print out hundreds of test pages and use up all the ink and paper, so what?" writes Jordon. "The issue is with the firmware update process. While you can trigger a firmware update you can also change the web proxy settings and the DNS server. If you can change these then you can redirect where the printer goes to check for a new firmware."
Canon has no protection to prevent bad actors from manipulating the firmware update process for malicious ends. There is no signing, and at best there is weak encryption protecting the firmware file. The encryption utilizes repeating patterns, which made it easy enough for Jordon and his team to break in order to carry out their attack.
The Context team used Shodan to sample about 9,000 of the 32,000 IP addresses that the scanner indicated could have a vulnerable printer. Among those addresses that responded, about 6 percent had a vulnerable firmware version, leading Jordon to estimate about 2,000 vulnerable models are likely directly connected to the Internet. The lack of authentication makes it possible to attack not only printers directly connected to the Internet but also those that are not directly accessible, such as ones behind NAT on a home network or on an office intranet. His team was able to do so by using JavaScript port scanning to find printers on local networks and cross-site request forgery attacks to modify their configurations.
"Although the printer is not actually on the Internet, this is possible because the malicious web page initiates requests from the user’s browser which is on the same network as the printer," says Jordon.
According to Canon, it is currently working on a fix for the problem, and it says all future Pixma products will have authentication for their interfaces. While Jordon and his colleagues at Context say they aren't aware of anyone in the wild using this type of attack, they hope to build awareness so that security can be built into these devices before the bad guys start to take advantage.