
Hacking Canon Pixma Printers - Doomed Encryption

This blog post is another in the series demonstrating current insecurities in devices categorised as the ‘Internet of Things’. This instalment will reveal how the firmware on Canon Pixma printers (used in the home and by SMEs) can be modified from the Internet to run custom code. Canon Pixma wireless printers have a web interface that shows information about the printer, for example the ink levels, which allows for test pages to be printed and for the firmware to be checked for updates.

Figure 1 - Web Interface Pixma MG6450

This interface does not require user authentication, allowing anyone to connect to it. At first glance the functionality seems relatively benign: you could print out hundreds of test pages and use up all the ink and paper, so what? The issue is with the firmware update process. While you can trigger a firmware update, you can also change the web proxy settings and the DNS server. If you can change these then you can redirect where the printer goes to check for new firmware. So what protection does Canon use to prevent a malicious person from providing malicious firmware? In a nutshell, nothing: there is no signing (the correct way to do it), but it does have very weak encryption. I will go into the nuts and bolts of how I broke that later in this blog post. We can therefore create our own custom firmware and update anyone’s printer with a Trojan image which spies on the documents being printed or is used as a gateway into their network. For demonstration purposes I decided to get Doom running on the printer (Doom as in the classic 90s computer game). It was not straightforward, as it needed all the operating system dependencies to be implemented in ARM without access to a debugger, or even multiplication or division. But that's a blog for another day. Here’s the video (sorry the colours aren't perfect):

But would anyone put their printer’s web interface on the Internet? Well we sampled 9000 of the 32000 IPs that Shodan indicated may have a vulnerable printer. 1822 of those IPs responded and 122 we believe have a vulnerable firmware version (around 6%). We therefore estimate there are at least 2000 vulnerable models connected directly to the Internet.

Even if the printer is not directly accessible from the Internet, for example behind a NAT on a user’s home network or on an office intranet, the printer is still vulnerable to remote attack. The lack of authentication makes it vulnerable to cross-site request forgery (CSRF) attacks that modify the printer’s configuration. A colleague (thanks Paul Stone) demonstrated this by making a web page that first scans the local network for vulnerable printers (using a technique called JavaScript port scanning). Once the printer’s IP address has been found, the web page sends a request to the web interface to modify the proxy configuration and trigger a firmware update. Although the printer is not actually on the Internet, this is possible because the malicious web page initiates requests from the user’s browser, which is on the same network as the printer.

Context contacted Canon back in March of this year and we provided them with the information about this issue. They have informed us that future versions of the printer will have username and password authentication on the web interface. See the end of the blog for their full response.

This blog post contains a description of how the encryption was broken. I will follow this blog up with a description of how I went from the ability to modify the firmware, to actually running custom code which could use the wireless network stack, manipulate the memory and update the screen as shown in the video. The firmware does not run an operating system but is a single lump of compressed ARM code which makes for an interesting reverse engineering challenge, particularly with no debugger or console and when it takes 10 minutes to update the printer, which we don’t want to brick.

How the encryption was broken

In this section of the blog I will go into the nerdy details of how the encryption was broken.

Let’s start by looking at the encrypted firmware, it looks like this:

Figure 2 - Encrypted Firmware

You can see repeating patterns (one pattern highlighted above) in the encrypted firmware meaning that the encryption is not industry best practice. The repeating pattern gives us a clue as to the length of the key. In this case the pattern is 0x30 long; therefore the key is either 0x30 or a factor of it. Also by looking at the character frequency it is clear that this is not good crypto:

Figure 3 - Character Frequency Analysis of Encrypted firmware (vertical axis is frequency, horizontal byte 0-0xff)

If we assume that the encryption algorithm is at least based on a XORing of a key with the plain text, then what we have is a basic XOR encryption:

Figure 4 - Basic XOR Encryption

If this is the case then the blocks are as follows:

P0 ^ K = C0
P1 ^ K = C1
Pn ^ K = Cn

While we don’t know what the key is, what we can do is remove the key from the encrypted data by XORing the first line of the data with the rest of the data. Therefore:

P0 ^ K ^ C0 = 0
P1 ^ K ^ C0 = P1 ^ P0
Pn ^ K ^ C0 = Pn ^ P0

This means that the first block is zero and each remaining block is its original plain text XORed with the plain text of the first block, so the key is gone. If we can work out the plain text of the first block then we get the full decryption. If we look at the results we get this:

Figure 5 - Encrypted firmware with first block XORed with the rest
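The three steps above (estimating the key length from the repeating pattern, XORing block 0 into the rest to cancel the key, and recovering the key once the first block's plain text is known) as an added worked example; this is not code from the original post, and the firmware bytes and key are constructed here, not taken from a real Canon image.

```python
"""Repeating-key XOR: period detection, key removal, and recovery from a known
first block. Added example; the firmware bytes and key below are constructed,
not taken from a real Canon image."""


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """C[i] = P[i] ^ K[i mod len(K)]; the same call decrypts, since XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_length(ct: bytes, max_len: int = 0x40) -> int:
    """Shifting the ciphertext by the key period lines up identical key bytes, so
    C[i] == C[i+L] exactly where P[i] == P[i+L] (padding runs, repeated strings).
    Any other shift only matches by chance. Multiples of the period score as well
    as the period itself, so take the smallest shift near the peak."""
    scores = {L: sum(a == b for a, b in zip(ct, ct[L:])) / (len(ct) - L)
              for L in range(1, max_len + 1)}
    peak = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.8 * peak)


def strip_key(ct: bytes, key_len: int) -> bytes:
    """XOR every block with block 0: block 0 becomes zeros and block n becomes
    P_n ^ P_0, i.e. the Figure 5 view of the data with K cancelled out."""
    return xor_repeating_key(ct, ct[:key_len])


def recover_key(ct: bytes, known_first_block: bytes) -> bytes:
    """With P_0 known (a fixed header, say), K = C_0 ^ P_0 decrypts the whole image."""
    return xor_repeating_key(ct[:len(known_first_block)], known_first_block)


# Constructed sample image: a text header, code-like text, padding and a string table.
SAMPLE_P0 = b"SAMPLE FIRMWARE HEADER (constructed)".ljust(0x30, b"\x00")
SAMPLE_PLAINTEXT = (SAMPLE_P0 + b"ARM code here " * 40 + b"\x00" * 300
                    + b"printer ready\x00" * 20 + b"\xff" * 100)
SAMPLE_KEY = bytes((37 * i + 11) & 0xFF for i in range(0x30))  # 48 distinct bytes
SAMPLE_CIPHERTEXT = xor_repeating_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def break_sample() -> dict:
    """Run the three steps on the sample ciphertext and return what each yields."""
    key_len = guess_key_length(SAMPLE_CIPHERTEXT)
    stripped = strip_key(SAMPLE_CIPHERTEXT, key_len)
    key = recover_key(SAMPLE_CIPHERTEXT, SAMPLE_P0)
    return {"key_len": key_len, "first_block_zero": not any(stripped[:key_len]),
            "key": key, "plaintext": xor_repeating_key(SAMPLE_CIPHERTEXT, key)}


if __name__ == "__main__":
    r = break_sample()
    print(f"guessed key length: {r['key_len']:#x}, key recovered: {r['key'] == SAMPLE_KEY}")
```

The zero and 0xff padding runs are what make the period stand out, which is the same effect behind the visible repeating pattern in Figure 2.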
