Infosec geniuses hack a Canon PRINTER and install DOOM

Security researchers have demonstrated a hack that allowed them to get into the web interface of a Canon Pixma printer before modifying its firmware to run the classic 90s computer game Doom. The proof-of-concept demo by security researchers at Context Information Security, which involved remotely accessing the web interface …

  1. Semtex451

    Yea but can it run Crysis?

    1. Anonymous Coward

      re: Crysis

      Who cares? The real question is can they override the controller's invisible watermarking.

      Actually, I'd like to see it run Crysis because I've never seen the game before.

      1. Anonymous Coward

        Joke flying over-head...

        "Who cares?"


        1. Anonymous Coward

          Re: Joke flying over-head...

          What was that? Another deadline?

      2. phil dude

        Re: re: Crysis

        Have an upvote. The same thought wandered across my mental lawn... (about watermarking).


        1. stucs201

          Re: can it run Crysis?

          Maybe not this one, but if things carry on the way they're going then no doubt we'll eventually get printers that can. Why can this one even run Doom? I was at university when it came out, there were about a dozen computers on the entire campus that could run it playably. Just what exactly does a printer need this much processor power for?

          Even ignoring that security would be less of an issue if it couldn't do anything except print (well except perhaps for printers armed with frickin lasers), we've been warned where this path of putting more processor power than needed ends - talking AI toasters that won't accept you want something else for breakfast.

          1. Jonski

            Re: can it run Crysis?

            talking AI toasters that won't accept you want something else for breakfast

            As built by the customer retention division of Comcast?

          2. h4rm0ny

            Re: can it run Crysis?

            >>"Just what exactly does a printer need this much processor power for?"

            Technology has just become cheap enough that the new baseline it's not worth selling below is much higher than it used to be. The equivalent of a 486 is next to nothing. So you can get something ridiculously low power which will probably cost you as much or more because it's a minority market, and then spend time tailoring your firmware. Or you can buy a peanuts embedded system, slap a pre-built GNU/Linux binary designed for it (probably by the same people who sold you the chip) and just write your software to run on GNU/Linux - for which the expertise is much more available and half your job is done for you.

            /used to work on embedded systems.

          3. DaddyHoggy

            Re: can it run Crysis?

            Companies buy bulk cheap SoC CPUs that can be programmed to cope with a large raft of that company's embedded processing needs. If you can buy 10,000 or 100,000 of them at 10p each and they happen to have enough grunt to run something that, when it came out, would run on a 486, then that's just the way it is.

            Moore's law doesn't just move the top end of the processing power along.

          4. Cryo

            Re: can it run Crysis?

            Judging by the video they provided, Printer-Doom looks more like several colors of barely recognizable noise past the splash screen, so I wouldn't exactly say that the printer can run it 'playably'. I suppose what performance is there is so that it can serve its web interface relatively smoothly though.

    2. TimeMaster T

      I want to know

      How do I type in idkfa and iddqd?

      1. Peter2 Silver badge

        Re: I want to know

        HP Laserjet 1320 desktop printers (about ten years ago) had 130MHz processors. That's about 5 times more power than most people had playing it to start with.

        My network printers in use now have 500MHz processors. I do occasionally wonder why they need this level of power, but presumably this comes about because it's cheaper to buy and integrate a cheap mobile phone processor than to create a fab to knock out 486 chips.

        1. Tim Bates

          Re: I want to know

          "My network printers in use now have 500MHz processors. I do occasionally wonder why they need this level of power"

          Print job processing. Especially as people expect more and more to be able to print out a full A4 high res photo in a matter of seconds from their shiny wireless gadgets.

          1. Anonymous Coward

            Re: I want to know

            Not to forget drivers supplied with printers now (looking at you HP) are larger than the OS disk from Doom's day.

        2. drewsup

          Re: A glimmer of hope

          Most MFP-based machines are using 1 GHz and up processors these days, yes they usually run a Linux variant because it's free or cheap, and use most of it for image processing. It takes a fair amount of grunt to render full colour prints fast, never mind network scanning. Our mid-range machines run a 1.2 GHz chip, 2 GB of RAM and have a dual 160 GB HDD array in RAID 0, this has been a standard on 50 ppm MFPs for 5 years now.

      2. APA

        Re: I want to know


        Muscle memory from 20 years ago still hasn't worn off

        1. Daniel B.

          Re: I want to know


          For those dark levels, like Phobos Lab...

    3. JeffyPoooh

      The Acme Decision Inverter

      "...plant a trojan on the printer..."

      Corporations with poor decision making skills could have their board room printer hacked. Any document entitled "Minutes" could have the word "not" inserted and/or removed where required to reverse the sense of all formal decisions. Thus all corporate decisions would be reversed in the hacked printer firmware used to print the Minutes. Overnight, from 95% bad decisions to 95% correct decisions. Amazing!

      This one simple ~500 byte hack, applied to a few dozen printers around the world, may end the recession that has been gripping the world economy.

      1. Shaha Alam

        Re: The Acme Decision Inverter

        won't work. nobody reads the minutes.

  2. Spacedman

    Frame rate

    I was expecting 3 frames-per-minute, except on really dark frames where it would be 1fpm...

    1. Anonymous Coward

      Re: Frame rate

      "I was expecting 3 frames-per-minute, except on really dark frames where it would be 1fpm..."

      So about what we experienced when playing it on a 486SX?

      Sadly, regardless of graphic detail, no subsequent game has ever re-created the frisson of genuine fear that I sometimes felt when playing the original Doom.

      1. Martin-73 Silver badge

        Re: Frame rate

        It can still do it now (yes I play occasionally, there is still an active community developing custom WAD files).

        You think you've dealt with everything, are wandering around picking up bonuses and ammo peacefully.... and suddenly there's a baron of hell roaring in your face.

  3. Caesarius

    Do not blaspheme against the mighty XOR

    Don't blame the XOR. If I were to use a one-time pad to apply a sequence of bytes to my data using XOR, my code would be unbreakable. Therefore XOR is not a weak link. You'd have trouble managing such keys to cover unlimited data, but that isn't the XOR's fault.

    You might as well say that the processor can't be expected to do much, because it's only manipulating a bag of bits using very simple operations.

  4. Anonymous Coward

    Sounds like a good way to goof off

    A ten minute break standing by the printer playing a game, looking like you're working? Bring it on!

  5. Destroy All Monsters Silver badge

    What kind of .dll do you need to pull onto the printer to make this possible?

    1. paulc

      Linux, not windows...

      the printers are running Linux underneath...

      1. h4rm0ny

        Re: Linux, not windows...

        Rubbish. Linux could never have been hacked.

      2. AJ MacLeod

        Re: Linux, not windows...

        They're not running Linux according to the actual blog post.

    2. Destroy All Monsters Silver badge

      > 6 thumbs down


  6. ISYS

    Useful when you want to print a BFD

    a document of ~9000 pages

    1. Dave 126 Silver badge

      Printer Daemon protocol?

    2. tirk

      Tyson mode?

      Pencil and paper. For extra badass, no erasers allowed!

      1. Steven Raith

        Re: Tyson mode?

        Do you type IDDQD to get no paper jams, and IDKFA to get it to keep printing when only one colour cart has run out and you just want a page of black text?

        Rip and tear, baby. Rip and tear.

  7. Anonymous Coward

    "We are not aware of anyone actively using this type of attack for malicious purposes"

    Well Canon weren't even aware that this was possible, so how would they know if anyone was doing this type of attack?

  8. Anonymous Coward

    Oh The Fun To Be Had

    Get it to print smutty pictures instead of what it should be printing or modded pictures of the boss. The BOFH would be proud.

    1. Daniel B.

      Re: Oh The Fun To Be Had

      I was thinking something similar; hey this looks like something out of a BOFH episode.

      1. Fatman

        RE:... hey this looks like something out of a BOFH episode.

        What WOULD make the BOFH proud would be able to intercept the stream from the 'print payroll job', and make some necessary changes, those that increase his pay, and those that diminish the boss' pay.

        This could really stump the bean counters.

        "Shit, the (payroll) numbers are right, but why do the checks come out WRONG?"

  9. Jim 59

    Prolly runs it faster than our 1993 PCs did.

  10. Alan Bourke

    Ah, the t'internet of things ...

    We can barely keep things that are SUPPOSED to be on the internet secure ...

    1. frank ly

      Re: Ah, the t'internet of things ...

      That should be: Ah, t'internet ... What do you think t' stands for? (Actually, the entire word "the" is elided with a lingual stop but you need to indicate it in writing, hence t')

      1. Anonymous Coward

        Re: Ah, the t'internet of things ... t'tinternet

        I thought t'internet was just the result of a northern speech impediment and hence the t'internet was a valid phrase.

    2. Adam 1

      Re: Ah, the t'internet of things ...

      IoT; a solution in search of a problem.

  11. The Cogito

    Almost as cool as the HP printer hack

    Playing Doom is cool, making stuff catch fire and possibly explode is just cooler :)

    1. Martijn Otto

      Re: Almost as cool as the HP printer hack

      Those two should be combined. When you get shot to hell in the game, your printer catches fire.

      Makes "game over" get a whole new dimension.

    2. Daniel B.

      Re: Almost as cool as the HP printer hack

      lp0 on fire, practical example?

  12. Alistair

    printer lp0 on fire

    can now be updated:

    "printer lp0, We're ALL DOOMED I tell ya...."

  13. Philanthropic Philanderer

    Time travel?

    ".. and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. "

    Context told Canon in March 2014 yet Canon fixed the issue almost a year ago?

    1. David L Webb

      Re: Time travel?

      No I think it just means that older models weren't vulnerable to this issue but that a change they made in the second half of 2013 means that any models since then are vulnerable. Hence they will be providing an update to such vulnerable models and making sure that new models are not vulnerable.

  14. Anonymous IV

    I thought this was a function of the printer firmware...

    "The proof-of-concept demo by security researchers at Context Information Security [...] allowed them to exhaust the ink of the printer by printing out hundreds of documents."

    Now it seems that my printer may have been hacked, and it wasn't just Canon's rapacious ink cartridge greed.

    1. jaime

      Re: I thought this was a function of the printer firmware...

      If they really wanted to get their attention they would've hacked it to be able to re-use ink cartridges, and make of ink cartridges and with missing ink cartridges, now that would be impressive!

  15. Anonymous Coward


    Really? *hides*

    1. Daniel B.

      Re: Shodan?

      With all ethical constraints removed, SHODAN re-examines... re-ex... re-re-re... I re-examine my priorities, and draw new conclusions. The hacker's work is finished, but mine is only just be-be-be-beginning.

      The laser printers are just the beginning...

  16. Christian Berger

    The problem is that it doesn't require any physical presence

    Changing the firmware on a device you own is a very sensible feature. This opens the road to alternative firmware images with new features. Or images that remove misfeatures like yellow dots with the serial number printed on every sheet. (some printers do that)

    Maybe in the future printer manufacturers decide to print ads on their consumer printers, just like we have mobile phones displaying ads today. (maybe this will be sold as a feature against dried in print heads)

    The big point is, you don't own hardware you cannot decide what software runs on it. Installing different firmware is no bug, it's a feature. And with technology becoming a bigger and bigger part of our lives, it becomes more and more important.

    1. JeffyPoooh

      Re: The problem is that it doesn't require any physical presence

      Maybe there should be a physical button that needs pressing to enable the 'Write Protect Off' state of the program store. Maybe the button could be behind a wee locked door inside the printer.

      1. Christian Berger

        Re: The problem is that it doesn't require any physical presence

        Exactly, it may even be somewhere inside where service personnel can get to. There's plenty of ways to do it. Heck even popping up a message on the screen would have solved the issue completely.

  17. AJ MacLeod

    Now, if only they could hack it to get WiFi working reliably for more than about ten seconds at a time I'd be really impressed...

  18. Stevie Silver badge



    All my Expedia itineraries are belong to evildoers!

  19. Al Jones

    "models launched prior to this time are unaffected"

    Does this mean that older Pixmas can't be hacked in this way, or that older Pixmas are unaffected by Canon's plans to release firmware updates to address this issue (because Canon doesn't have any plans to release firmware updates for older models)?

  20. Vociferous

    "we take any potential security vulnerability very seriously"

    No you don't. XOR encryption.

  21. Anonymous Coward

    About a decade ago I was hacking remote printers that were stupidly addressable from the internet. This still happens a lot in small offices. It still brings smiles to my face thinking about all those "bad" print jobs I sent...

    Honestly, it's trivial to break most of them. Whether it's to change a bit of code to forward a copy of all printed / scanned documents without anyone knowing or to just update the control panel to display pretty much whatever you want - all remotely.

  22. Sanctimonious Prick


    ...of the sheet feeder?

    "exhaust the ink of the printer by printing out hundreds of documents."

  23. Steven Raith

    It was only a matter of time

    After all, who hasn't used an inkjet printer and not, at some point, wished for a double barrel shotgun to 'fix' it?

    Steven "BOOM ka-klik" R

  24. Fungus Bob

    You have to wait until 11:00

  25. Anonymous Coward

    My reaction...

    A) A little frustrated and scared, as another vulnerable network endpoint is found

    B) This could be a great way to improve the user experience associated with the average office printer. I for one would find a user interface where you figuratively chain-sawed other users' jobs out of the queue, so you can get your stuff printed.

    1. NumptyScrub

      Re: My reaction...

      psDooM but for the print queue? Hells yeah :D

  26. Anonymous Coward

    Key Length

    Simultaneously, the browser developers and Key registries are conspiring to block short encryption/authentication key lengths. Which is what you still want in your made-to-a-price internet-enabled-teddy-bear.

    If you want to have encrypted/authenticated IoTs for places where it doesn't matter, you need an appropriate light-weight encryption/authentication system.

  27. Anonymous Coward

    Is the duplexer now a DOS feature?

    Back in the day, if your printer didn't contain twice the RAM of any machine on your network, you were doing it wrong. Some of those postscript renders at 600dpi took up a lot of space, and more processing power always helped get through work quicker too.

    Of course, the other way to DOS a printer was with an infinitely recursive PS job. Or, as the title says, turn on the duplexer which was almost guaranteed to cause a paper jam.

  28. Henry Wertz 1 Gold badge

    500mhz CPUs and "internet of things"

    Why 500mhz CPU? Because the 133mhz CPU was not fast enough even when the LJ 1320 was new; almost the first Google result is a review complaining how the printer just sits there whenever any complex or graphics-intensive page is sent to it, because the CPU is not fast enough to keep up with the print engine. Making the printer driver do all the work and send bands to the printer, you don't need a fast CPU, the computer's drawn everything out; using Postscript or PCL, the printer does almost all the work and you do.

    Internet of Things -- I made sure to turn this "Print from wherever!!!" stuff off on the HPs I've admined. This would tunnel out to some HP web site, which I think would let you print by just knowing the printer serial number -- which I assume are issued consecutively. There didn't appear to be any way to require a password. I find it most troubling that many companies are now taking products that were meant to either run standalone, or on a LAN, and just giving them methods to bust out of a NAT and be fully online. I would venture quite a bit of these devices' firmware *originally* assumed direct connection via USB or parallel port (or no connection whatsoever depending on the device), then use on a (assumed non-hostile) LAN, and so are not hardened in any way whatsoever.
