Canon Pixma printer’s security flaws highlighted by security researcher, who was able to run the video game Doom on the device’s hardware.
BBC News reported that security researcher Michael Jordon took four months to hack into a Canon Pixma printer and run the Doom videogame on its hardware, with the hack demonstrating security issues many printers have.
The Canon Pixma range, as with most other printers, can be accessed via the internet to enable users to check on the device’s status. Jordon, who works for Context Information Security, found that this function had not been adequately secured by Canon, explaining that “the web interface has no user name or password on it”, meaning that anyone would be able to access the device’s status once they find it using a search engine.
The article states that “thousands of potentially vulnerable Pixma printers” are “already discoverable online” via search engines such as Shodan, although “there is no evidence that anyone is attacking printers” using the same method as Jordon.
Jordon found that the issue with the printer’s remote access feature was that hackers would be able to update the printer’s firmware via the interface. Although the firmware is encrypted, “it was possible to crack this protection system to reveal the core computer code”. By “reverse engineering” Canon’s encryption system, Jordon was also able to write his own firmware which “the printer should accept […] as authentic”. As a result, he was able to run the 1993 videogame, Doom, on the printer.
Jordon explained that while the printer’s colour palette wasn’t quite up to scratch, “the game is recognisably Doom”, adding that “the printer has a 32-bit Arm processor, 10mb of memory and even the screen is the right size […] I had all the bits, but it was a coding problem to get it all running together”.
Months of coding were needed to get the game running, as “the printer’s firmware lacked functions provided by the operating system on any PC or other device it was running on” and so the game needed to be converted “so it coped with the internal idiosyncrasies of the printer”.
Jordon said: “The colour palette is still not quite right […] but it proves the point and it runs quite quickly, though it’s not optimised.”
Canon commented on Jordon’s blog about the work, saying that it intended “to provide a fix as quickly as is feasible” to prevent further hacks to its Pixma printers, with this reportedly set to involve “adding a user name and password field to the web interface for future Pixma printers and issuing an update for existing owners to add the same feature”.
The Recycler has reported on numerous printer security breaches in the past, with HP forced to issue a critical security update to patch a security problem with its LaserJet Pro printers last year and the OEM recently launching a portfolio of printer products and services designed to offer devices with the same level of security as PCs and servers.