On Friday, a hacker presenting at the 44CON Information Security Conference in London picked at the vulnerability of Web-accessible devices and demonstrated how to run unsigned code on a Canon printer via its default Web interface. After describing the device's encryption as "doomed," Context Information Security consultant Michael Jordon made his point by installing and running the first-person shooting classic Doom on a stock Canon Pixma MG6450.
Sure enough, the printer's tiny menu screen can render a choppy and discolored but playable version of id Software's 1993 hit, the result of Jordon discovering that Pixma printers' Web interfaces didn't require any authentication to access. "You could print out hundreds of test pages and use up all the ink and paper, so what?" Jordon wrote at Context's blog report about the discovery, but after a little more sniffing, he found that the devices could also easily be redirected to accept any code as legitimate firmware.
A vulnerable Pixma printer's Web interface allows users to change the Web proxy settings and the DNS server. From there, an enterprising hacker can crack the device's encryption in eight steps, the final of which includes unsigned, plain-text firmware files. The hacking possibilities go far beyond enabling choppy, early '90s gaming: "We can therefore create our own custom firmware and update anyone’s printer with a Trojan image which spies on the documents being printed or is used as a gateway into their network," Jordon wrote.