Context Security Hacks Canon Printer

Context Security has hacked a Canon Pixma printer, modified its firmware and run a game of Doom on it.

As well as killing aliens with BFGs, the white hat hackers were able to use up ink, as we’ve all done, by printing out hundreds of documents. They could also, if they had wanted to, have installed a Trojan on the machine that could have read any document that passed through it.

Context Security said that all this should cause concerns about the security of the Internet of Things.

The attack was shown off at a security event called 44Con in London this morning by Context head of security Mike Jordon.

“This latest example further demonstrates the insecurities posed by the emerging Internet of Things as vendors rush to connect their devices,” said Jordon.

“The printer’s web interface did not require user authentication, allowing anyone to connect to it. But the real issue is with the firmware update process. If you can trigger a firmware update you can also change the web proxy settings and the DNS server; and if you can change these then you can redirect where the printer goes to check for a new firmware update and install custom code – in our case a copy of Doom.”

Context has already told Canon about this. In a statement, the hardware firm thanked Context.

“We thank Context for bringing this issue to our attention; we take any potential security vulnerability very seriously. At Canon we work hard at securing all of our products, however with diverse and ever-changing security threats we welcome input from others to ensure our customers are as well protected as possible. We intend to provide a fix as quickly as is feasible,” Canon said.

Canon added that the Pixma web interface will require a username and password to log on from now on. “This action will resolve the issue uncovered by Context,” it added.

Context is hammering on a number of Internet of Things devices including lightbulbs, children’s toys and a NAS. It has advised, and this might be a bit hard to swallow, that Internet of Things devices should not be connected to the internet.

