Context hacks Canon IoT printer

Security researchers have hacked into a Canon printer used by many small businesses, raising fresh concerns about IoT security

Security researchers have succeeded in remotely accessing the web interface on a Canon Pixma printer and modifying the firmware to run the classic 1990s computer game Doom.

The news comes amid growing concerns by researchers about the security of IP-enabled devices making up the internet of things (IoT).

The researchers at Context Information Security were also able to use up ink by printing test pages via the web interface.

They claimed they could easily have installed Trojan malware to spy on documents being printed.

The techniques used to compromise the printer and potentially establish a gateway into the printer’s network were presented at security conference 44Con in London.

The Context team has previously hacked into other internet-connected products – including a smart light bulb, IP camera and a network-attached storage (NAS) device, raising concerns about IoT security.

“This latest example further demonstrates the insecurities posed by the emerging internet of things as suppliers rush to connect their devices,” said Mike Jordon, head of research at Context.

More on the internet of things

“The printer’s web interface did not require user authentication, allowing anyone to connect to it. But the real issue is with the firmware update process,” he said.

Jordon explained that by triggering a firmware update, attackers can also change the web proxy settings and the DNS server.

“If you can change these, then you can redirect where the printer goes to check for a new firmware update and install custom code – in our case a copy of Doom,” he said.

Context sampled 9,000 of the 32,000 IPs that the website Shodan indicated may have a vulnerable printer.

Out of these IPs, 1,822 responded and 122 indicated that they may have a firmware version that could be compromised – around 6%.

“Even if the printer is not connected directly to the internet behind a NAT [network address translation] on a user’s home network or on an office intranet, for example, it is still vulnerable to remote attack,” said Jordon.

The lack of authentication also makes the printer vulnerable to a cross-site request forgery attacks (CSRF) that modify the printer’s configuration.

Context contacted Canon in March 2014 and provided the supplier with information about this issue. The printer manufacturer responded by saying it would provide a fix as quickly as possible.

“All Pixma products launching from now onwards will have a username/password added to the Pixma web interface, and models launched from the second half of 2013 onwards will also receive this update. Models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context,” the Canon statement said.

Jordon said his team is not aware of anyone actively using this type of attack for malicious purposes.

“But hopefully by raising awareness, we can encourage suppliers to increase the security of this new generation of devices,” he said, adding that it is important to always apply the latest available firmware.

Jordon said further details of the printer hack are available in a Context blog post.

The attack surface of an IoT system may be substantially larger than that of traditional PCs

Beecham Research

Earlier this week, Beecham Research published a report calling on industry to take immediate action on security for the internet of things.

Industry must act now on security for the internet of things before it is too late, said the authors of the report.

There are currently insufficient security capabilities in the emerging IoT standards to manage the long lifecycles expected in many IoT devices, such as heating systems, the report said.

The authors of the report believe the attack surface of an IoT system may be substantially larger than that of traditional PCs, and that the complexity of ensuring multiple suppliers’ systems work together will lead to a greater probability of exploits being available.

They said pressure must be applied to drive greater system robustness, ensure that interoperability is applied across the industry and deliver standards that can be measured and certified.

Read more on Privacy and data protection