Infosec geniuses hack a Canon PRINTER and install DOOM Security researchers have demonstrated a hack that allowed them to get into the web interface of a Canon Pixma printer before modifying its firmware to run the classic 90s computer game Doom. The proof-of-concept demo by security researchers at Context Information Security, which involved remotely accessing the web interface …
Maybe not this one, but if things carry on the way they're going then no doubt we'll eventually get printers that can. Why can this one even run Doom? I was at university when it came out, there were about a dozen computers on the entire campus that could run it playably. Just what exactly does a printer need this much processor power for?
Even ignoring that security would be less of an issue if it couldn't do anything except print (well except perhaps for printers armed with frickin lasers), we've been warned where this path of putting more processor power than needed ends - talking AI toasters that won't accept you want something else for breakfast.
>>"Just what exactly does a printer need this much processor power for?"
Technology has just become cheap enough that the new baseline it's not worth selling below is much higher than it used to be. The equivalent of a 486 is next to nothing. So you can get something ridiculously low power which will probably cost you as much or more because it's a minority market, and then spend time tailoring your firmware. Or you can buy a peanuts embedded system, slap a pre-built GNU/Linux binary designed for it (probably by the same people who sold you the chip) and just write your software to run on GNU/Linux - for which the expertise is much more available and half your job is done for you.
/used to work on embedded systems.
Companies buy bulk cheap SoC cpus that be programmed to cope with a large raft of that company's embedded processing needs. If you can buy 10,000 or 100,000 of them at 10p each and they happen to have enough grunt to run something that, when it came out, would run on a 486, then that's just the way it is.
Moore's law doesn't just move the top end of the processing power along.
Judging by the video they provided, Printer-Doom looks more like several colors of barely recognizable noise past the splash screen, so I wouldn't exactly say that the printer can run it 'playably'. I suppose what performance is there is so that it can serve it's web interface relatively smoothly though.
HP Laserjet 1320 desktop printers (about ten years ago) had 130MHz processors. That's about 5 times more power than most people had playing it to start with.
My network printers in use now have 500MHz processors. I do occasionally wonder why they need this level of power, but presumably this comes about because it's cheaper to buy and integrate a cheap mobile phone processor than to create a fab to knock out 486 chips.
"My network printers in use now have 500MHz processors. I do occasionally wonder why they need this level of power"
Print job processing. Especially as people expect more and more to be able to print out a full A4 high res photo in a matter of seconds from their shiny wireless gadgets.
Most mfp based machines are using 1gz and up processors these days, yes they usually run a Linux variant because its free or cheap, and use most of it for image processing. It takes a fair amount of grunt to render full colour prints fast, never mind network scanning.our mid range machines run a 1.2 gz chip, 2 gb of ram and have a dual 160 gb hdd array in raid 0, this has been a standard on 50 ppm mfp's for 5 years now.
"...plant a trojan on the printer..."
Corporations with poor decision making skills could have their board room printer hacked. Any document entitled "Minutes" could have the word "not" inserted and/or removed where required to reverse the sense of all formal decisions. Thus all corporate decisions would be reversed in the hacked printer firmware used to print the Minutes. Overnight, from 95% bad decisions to 95% correct decisions. Amazing!
This one simple ~500 byte hack, applied to a few dozen printers around the world, may end the recession that has been gripping the world economy.
"I was expecting 3 frames-per-minute, except on really dark frames where it would be 1fpm..."
So about what we experienced when playing it on a 486SX?
Sadly, regardless of graphic detail, no subsequent game has ever re-created the frisson of genuine fear that I sometimes felt when playing the original Doom.
It can still do it now (yes I play occasionally, there is still an active community developing custom WAD files).
You think you've dealt with everything, are wandering around picking up bonuses and ammo peacefully.... and suddenly there's a baron of hell roaring in your face.
Don't blame the XOR. If I were to use a one-time pad to apply a sequence of bytes to my data using XOR, my code would be unbreakable. Therefore XOR is not a weak link. You'd have trouble managing such keys to cover unlimited data, but that isn't the XOR's fault.
You might as well say that the processor can't be expected to do much, because it's only manipulating a bag of bits using very simple operations.
What WOULD make the BOFH proud would be able to intercept the stream from the 'print payroll job', and make some necessary changes, those that increase his pay, and those that diminish the boss' pay.
This could really stump the bean counters.
"Shit, the (payroll) numbers are right, but why do the checks came out WRONG?"
No I think it just means that older models weren't vulnerable to this issue but that a change they made in the second half of 2013 means that any models since then are vulnerable. Hence they will be providing an update to such vulnerable models and making sure that new models are not vulnerable.
"The proof-of-concept demo by security researchers at Context Information Security [...] allowed them to exhaust the ink of the printer by printing out hundreds of documents."
Now it seems that my printer may have been hacked, and it wasn't just Canon's rapacious ink cartridge greed.
Changing the firmware on a device you own is a very sensible feature. This opens the road to alternative firmware images with new features. Or image that remove misfeatures like yellow dots with the serial number printed on every sheet. (some printers do that)
Maybe in the future printer manufacturers decide to print ads on their consumer printers, just like we have mobile phones displaying ads today. (maybe this will be sold as a feature against dried in print heads)
The big point is, you don't own hardware you cannot decide what software runs on it. Installing different firmware is no bug, it's a feature. And with technology becoming a bigger and bigger part of our lives, it becomes more and more important.
Does this mean that older Pixmas can't be hacked in this way, or that older Pixmasa are unaffected by Canons plans to release Firmware updates to address this issue, (because Canon doesn't have any plans to release firmware updates for older models)?
About a decade ago I was hacking remote printers that were stupidly addressable from the internet. This still happens a lot in small offices. It still brings smiles to my face thinking about all those "bad' print jobs I sent..
Honestly, it's trivial to break most of them. Whether it's to change a bit of code to forward a copy of all printed / scanned documents without anyone knowing or to just updating the control panel to display pretty much whatever you want - all remotely.
A) A little frustrated and scared, as another vulnerable network endpoint is found
B) This could be a great way to improve the user experience associated with the average office printer. I for one would find a user interface where you figuratively chain-sawed other user's jobs out of the queue, so you can get your stuff printed.
Simultanously, the browser developers and Key registries are conspiring to block short encryption/authentication key lengths. Which is what you still want in your made-to-a-price internet-enabled-teddy-bear.
If you want to have an encrypted/authenticated IOTs for places where it doesn't matter, you need an approriate light-weight encryption/authentication system.
Back in the day, if your printer didn't contain twice the RAM of any machine on your network, you were doing it wrong. Some of those postscript renders at 600dpi took up a lot of space, and more processing power always helped get through work quicker too.
Of course, the other way to DOS a printer was with an infinitely recursive PS job. Or, as the title says, turn on the duplexer which was almost guaranteed to cause a paper jam.
Why 500mhz CPU? Because the 133mhz CPU was not fast enough even when the LJ 1320 was new; almost the first Google result is a review complaining how the printer just sits there whenever any complex or graphics-intensive page is sent to it, because the CPU is not fast enough to keep up with the print engine. Making the printer driver do all the work and send bands to the printer, you don't need a fast CPU, the computer's drawn everything out; using Postscript or PCL, the printer does almost all the work and you do.
Internet of Things -- I made sure to turn this "Print from wherever!!!" stuff off on the HPs I've admined. This would tunnel out to some HP web site, which I think would let you print by just knowing the printer serial number -- which I assume are issued consecutively. There didn't appear to be any way to require a password. I find it most troubling that many companies are now taking products that were meant to either run standalone, or on a LAN, and just giving them methods to bust out of a NAT and be fully online. I would venture quite a bit of these devices firmware *originally* assumed direct connection via USB or parallel port (or no connection whatsoever depending on the device), then use on a (assumed non-hostile) LAN, and so are not hardened in any way whatsoever.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
