Play Doom on a Printer—Thanks to a Serious Security Flaw

Someone took the time to hack a printer and make it play one of the defining games of the 20th century.

My bucket list: Spend a week traipsing around Antarctica, execute Oscar Peterson's A Little Jazz Exercise as well as Marian Petrescu, and play Doom on a printer.

OK, that last one may have been added retroactively, but I checked it off just the same. The fellow who took the time to hack a printer and make it play one of the defining games of the 20th century did so not on a whim, but to make a point about Internet security.

It took security wonk Michael Jordon four months to figure out how to get Id Software’s storied hell-and-brimstone shooter running on a Canon Pixma printer. The Pixma printers are all-in-one contraptions with built-in wireless, Internet connectivity, and tiny LCD screens. Jordon, who works for U.K. security firm Context Information Security, wanted to show how Pixma printers could be discreetly modified via the Internet to run custom code.

The Pixma uses a browser interface that lets you glean diagnostic info or send the printer basic instructions, from checking ink levels to printing test pages. A hacker accessing these features might, at worst, send an endless stream of "print test page" commands, depleting your ink and wasting your paper, right?

Not so fast, says Jordon.

A more egregious security hole emerges when you look at how Canon handles firmware updates, the process by which the printer's internal read-only memory (low-level software that tells the printer how to behave when it's powered on) is reprogrammed. Firmware updates happen infrequently, and unless users are experiencing the specific problem the firmware update is intended to solve, most don't even know about them.

But firmware updates can be manually triggered at any time, and Jordon found Canon's updates change the printer's web proxy and DNS settings. If you could fiddle with that by accessing an Internet-connected printer (locating it with a "vulnerable devices" web-scanning tool like SHODAN, then hacking its encryption scheme), Jordon says you could redirect where the printer looked for control software updates, telling it to download whatever you like.

This, in theory, could provide a backdoor into someone's network.

Even if the printer's not directly connected to the Internet, Jordon says its lack of authentication requirements makes it vulnerable to what's known as a "one-click attack," whereby someone on the same network as the printer could locate the printer's IP address using a port scanner, then initiate a cross-site request forgery attack to modify the printer's configuration.

"So what protection does Canon use to prevent a malicious person from providing a malicious firmware? In a nutshell---nothing," Jordon writes in his explanatory blog post "Hacking Canon Pixma Printers - Doomed Encryption."

Instead of using a login and password ("the correct way to do it," writes Jordon), Canon employs "weak encryption," which Jordon was able to brute-force hack, allowing him to roll his own firmware and turn the printer into a Trojan horse for "[spying] on documents being printed or...used as a gateway into [a user's] network."

Or play a vintage first-person shooter.

The colors look a little goofy once the game's up and running, and though Jordon doesn't explain why, he says the game was tricky to get working "due to it needing all the operating system dependencies to be implemented in Arm without access to a debugger."

But there you have it: Doom in a place where creator John Carmack and pals probably never dreamed it might one day go.

Jordon says his firm contacted Canon in March, and the company promised a fix for models launched from the second half of 2013 forward. In the meantime, Context cautions against connecting your printer to the Internet, and says to keep your device's firmware up to date. (Unless you want to play Doom on it, that is.)