Printer giant Canon is to provide a security fix âas quickly as is feasibleâ after a researcher exploited vulnerabilities in one of its wireless PIXMA products to run the classic shoot âem up game Doom on its colour display.
Security researcher Michael Jordon told the BBC in an interview, âRunning Doom: thatâs real proof you control the thing. The web interface has no username and password on it.â
Digital Trends said that the vulnerability, which allows access to printer controls via an unsecured web page, highlighted the problems not just of printer security, but that of the entire emerging âinternet of things.â
Canon said that all new products would have a fix added as soon as possible, and that the fix would retroactively apply to products launched from 2013 onwards.
âAt Canon we work hard at securing all of our products, however with diverse and ever-changing security threats we welcome input from others to ensure our customers are as well protected as possible,â the firm said.
Printer security: Deeper worries?
A search using Shodan (a specialist search engine which finds specific types of devices connected to the internet), revealed thousands of unsecured machines connected directly to the internet.
âThis interface does not require user authentication allowing anyone to connect to the interface. Â At first glance the functionality seems to be relatively benign, you could print out hundreds of test pages and use up all the ink and paper, so what?â Jordon writes.
He said that the problems (and the opportunity to run Doom) arose when you use the online interface to update the firmware, and raised serious printer security issues.
Persuading the printer to run Doom took âmonthsâ, he admits, but the issue is a serious one. Even printers not directly connected to the internet can fall victim, he said, by persuading their owners to click on a bogus link.
Vulnerable to remote attack
Jordon writes, âEven if the printer is not directly accessible from the Internet, for example behind a NAT on a userâs home network or on an office intranet, the printer is still vulnerable to remote attack.â
âA colleague (thanks Paul Stone) demonstrated this by making a web page that first scans the local network for vulnerable printers (using a technique called JavaScript port scanning). Once the printerâs IP address has been found, the web page sends a request to the web interface to modify the proxy configuration and trigger a firmware update.â
The post Printer security: Canon offers ‘fix’ after researcher plays Doom appeared first on We Live Security.