Doom on my Printer?

At recent security conference picked up a Context Information Security flier about hacking Canon Pixma Printers.

The flier gives a little more context than the article linked.

Basically some people are exposing the printer’s web interface to the Internet. It has no username and password, so aside from being able to print stuff on your printer, remote users could tell it to fetch a software update, which would install any correctly encrypted software. So they broke the weak encryption used and installed the computer game Doom.

Whilst it is a very impressive technical feat, the main threat here (aside from vandalism) is that devices on your network which can be remotely programmed might be used by attackers to obtain access to your network, or maintain a surreptitious presence on your network after the bad guys gained access once, or gain a presence by compromising lots of devices and waiting for one to be moved to some where more sensitive.

I double checked my Canon Pixma was on my encrypted WiFi network (so only trusted individuals could have accessed mine), and updated my own firmware, you then need to set a password. Note the Canon administrator password interface strips non-alphanumerics on setting password (doh), but not when you attempt to login (double doh), so if you set a password with non-alphanumberic, you need to omit them to login again. Also your password may be weaker than you expect if you didn’t read the password restrictions or try it after setting it.

The Canon Pixma like so many modern consumer electronic devices is desparate to support your needs to maximise it’s market appeal, be it LAN printing, WiFi printing, from Windows, or Apple, or Linux devices, Google printing (particularly for Chrome OS), from E-mail, via IPv4 or IPv6. You name it, Canon Pixma supports it. Indeed it provides a plethora of options which would take a long time to assess, lock down, or otherwise secure. Other than putting it on a secure encrypted network, the average user has little chance of securing a device like this against knowledgable attackers.

Security is not high on Canon’s agenda, the password is still optional, and the device is typical of the IT industry rather than being an outlier with poor security. Aside from the above – I bought it because it was reviewed as the best print quality in its price bracket; its a great little printer just don’t be exposing it to untrusted computer networks.

Most security conscious organisation place printers on carefully isolated networks , and restrict access to and from so only the needed minimum set of network traffic is permitted.

20 years ago I was scanning the internal network of a large business, and was able to take remote control of a large number of networked printers, to remotely set admin passwords, and install software of my choosing. In the intervening 20 years things haven’t really changed, but the printers are now far more capable devices, they are all networked (many wirelessly), and have a more diverse supplier base [the good business printers were nearly all from Hewlett Packard 20 years ago].