Canon Pixma printer hacked to run Doom, proving security flaw

doom canon pixma printer security flaw context information security michael jordon

Context Information Security analyst Michael Jordon recently demonstrated a security flaw in Canon’s Pixma printers that allowed him to direct a printer to remotely access his server and install a working copy of Doom to its LED display.

This has to be the best method of proving a security flaw I’ve ever heard of.

“Canon Pixma wireless printers have a web interface that shows information about the printer, for example the ink levels, which allows for test pages to be printed and for the firmware to be checked for updates,” explains Jordon.

However, he found that the interface doesn’t need any sort of authentication to access. Off the bat the worst anyone could do would be print off hundreds of test pages and use up all of the printer’s ink. Jordon found you could do much more, though. The interface lets you trigger the printer to update its firmware. It also lets you change where the printer looks for the firmware update.

In theory, you could create a custom firmware that spies on everything that printer prints, it can even be used as a gateway into the network it’s tied into.

To show off what he’d learned Jordon opted for something far more deadly: “I decided to get Doom running on the printer.”

You can see it running here.

Canon offers very little protection against this, Jordon says. “There is no signing (the correct way to do it) but it does have very weak encryption.”

“If you can run Doom on a printer, you can do a lot more nasty things,” Jordon told the Guardian. “In a corporate environment, it would be a good place to be. Who suspects printers?”

Canon are already working on a fix and have said that “All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.”