Canon Printer Hacked To Run Doom Video Game
wiredog writes: Security researcher Michael Jordon has hacked a Canon Pixma printer to run Doom. He did so by reverse engineering the firmware encryption and uploading via the update interface. From the BBC: "Like many modern printers, Canon's Pixma range can be accessed via the net, so owners can check the device's status. However, Mr Jordon, who works for Context Information Security, found Canon had done a poor job of securing this method of interrogating the device. 'The web interface has no user name or password on it,' he said. That meant anyone could look at the status of any device once they found it, he said. A check via the Shodan search engine suggests there are thousands of potentially vulnerable Pixma printers already discoverable online. There is no evidence that anyone is attacking printers via the route Mr Jordon found."
So it runs Doom ? (Score:5, Funny)
Re:So it runs Doom ? (Score:4, Insightful)
It's connected to the net. check. It's got enough cpu power to run a proper app. check. It's got no security. check. It's got enough storage for a decently sized program. check.
You know what the next logical step is?
installing DDoS zombies on these printers.
Re: (Score:2)
Re: (Score:2)
(see what I did there?!)
Re: (Score:2)
While I'm sure it was intended as a joke, we do (sadly) have that answer...
Just about 200 pages: http://oi61.tinypic.com/11tbbr... [tinypic.com]
Re: (Score:2)
Use it as a torrent client?
Screw Torrent. (Score:3, Interesting)
Use it as Tor Relays.
It doesn't even have to be an exit node, but thousands of added Tor nodes running no logging and providing hop services for in-network traffic would be a huge boon for the privacy of all users. Best part, if you kept the cpu usage down, you could keep a print daemon running on them so the end users of the printer weren't affected, and allow anyone sympathetic to run it with valid deniability.
"PC load jibs?!! WTF DOES THAT MEAN?!!" (Score:2)
Re:So it runs Doom ? (Score:5, Funny)
You know what the next logical step is?
Beowulf clusters of Canon printers?
Re:So it runs Doom ? (Score:5, Funny)
The guy will upload 3D printer firmware, and demons from Doom will come out of the printer.
RUN
Re:So it runs Doom ? (Score:5, Funny)
It involves the internet ... so I'll assume some form of pornography.
Re:So it runs Doom ? (Score:5, Funny)
Ooh. Printer porn.
Ms. Canon: I love the way you jam the paper inside me.
Mr. Epson: Ooh, baby, my fuser's so hot for you.
Ms. Canon: Yeah. That's the way. Fill me full of black ink.
Eww.
Re: (Score:3)
So that's why the damn cartridges run out so fast.
Re: (Score:3)
That takes me back...
I was one of the first kids in my neighborhood to regularly BBS and to have a color inkjet printer, I used to sell individual printed pages for $0.50 each...
no, that is the point (Score:2)
one page per screen, the bad guys are gonna get you early. but it sells a lot of ink, so Canon doesn't mind.
Re:So it runs Doom ? (Score:4, Interesting)
Well duh, the next logical step is obviously to add sound by modulating the movement of the print head somehow (sort of like how you could on old HP ScanJet scanners in order to play music). Who'd want to play doom on their printer unless it also had sound?
Re: (Score:2)
You know what the next logical step is?
Lawsuit from Zenimax perhaps?
Re: (Score:1)
You know what the next logical step is?
Not quite yet.
A "security researcher" has four months of over spare time. check.
Yes, I think I got it now!
Re: (Score:1)
So it runs Doom ? (Score:3)
Re: (Score:3)
8 pages per minute, 500 sheets in the tray ...
Sounds like hours of fun.
Another... (Score:2, Interesting)
Another headline I never expected to read.
Re: (Score:2)
There is no evidence that anyone is attacking printers via the route Mr Jordon found.
Yet. They left "yet" off the end of that sentence.
Re: (Score:2)
I guess IDCLIP toggles the wireless capability...
I'm not surprised (Score:1)
Re: (Score:2)
Before you just sign off and assume that 30MB is a completely acceptable install size for a single printer driver or a single group of drivers from a single printer manufacturer simply because HP somehow manages to waste a whole order of magnitude more space, compare that to the installed size of the Linux CUPS printing subsystem and its ENTIRE DRIVER SET FOR ALL SUPPORTED DEVICES.
Re: (Score:2)
> ENTIRE DRIVER SET FOR ALL SUPPORTED DEVICES
Cliff hanger! How big is it?
(Mac users are used to the bloated CUPS version that includes all the graphics)
Re: (Score:2)
Well I too have a bunch of optional stuff that objectively speaking, I REALLY don't need, like bluetooth support (not to mention all the extra drivers and the development headers for compiling stuff, and a bunch of filters packages that I don't even know what they're for, in both 64-bit and 32-bit format due to compiling multi-arch stuff on this system) but I'm still sitting on a total install base of a bit less than 17MB. If Canon actually needs 30MB just for their own drivers and presumably the printing
Re: (Score:2)
> ENTIRE DRIVER SET FOR ALL SUPPORTED DEVICES
Cliff hanger! How big is it?
(Mac users are used to the bloated CUPS version that includes all the graphics)
Double cliffhanger: How many devices does it actually support? How old are they? How many of those devices' features does it actually support?
Re: (Score:2)
To be fair, you do partially have a point there; the official Canon printer drivers certainly support more of their own printers than CUPS does. I can tell you that without even looking at Canon's official driver install. However, the total amount of printers supported by CUPS, since it includes a sampling of most major manufacturers' printers (and all of the features of most of said printers) utterly dwarfs what any one manufacturer supports currently in their own drivers in Windows. Yes, the average a
Re: (Score:2, Interesting)
I'm not assuming 30MB is acceptable. Windows drivers for some printers don't even reach 1MB, so I understand what you're saying.
However, saying that the software for Canon printers is horrid is just untrue, because I work with quite a few such printers and it rarely gives me trouble, even in networked environments. And less than 30MB is certainly better than what most other manufacturers are doing.
I can also give you one good explanation for why the package is ~30MB rather than much less: there are dozens o
Re: (Score:3)
Please, when can we have a hack that makes these printers print in Linux?
Or *BSD support?
Or Android support?
Re: (Score:3)
Re: (Score:2)
Or with the average laser printer, plug in printer, don't bother with the install disk, select whatever is the nearest version of the HPLJ that Windows happens to have handy. (This also works for older inkjets and some pin-impact printers.)
As to TFA, didn't you know that no device is complete until it can play DOOM? :D
But yeah, methinks if software started from the perspective of the douchebag, 90% of the hacks would go away and the rest wouldn't be worth the trouble.
Re: (Score:2)
Re: (Score:2)
I hadn't heard about the CoD incident, but ... [goes off, looks it up] holy shit, that's douchery of a high order. Tho I'm not sure the cops had much less douchery... I mean, 60 officers, WTF? I guess he can count himself fortunate they didn't overhear game gunfire and react by opening fire themselves.
If I had to wipe and reinstall Windows with any regularity, yeah, I'd be looking for a different OS. I don't spend all that time and effort getting it all just how I want it, only to have to replace it and sta
Re: (Score:2)
Re: (Score:2)
Any idea what the problem was, or maybe just trying to juggle two styles of driver access?
Now that you mention it, I'll have to check driver types when I have my old WinME setup handy again -- once I'd beaten it into submission, it ran 24/7 as the media-watching and image-editing box for two solid years without once needing a reboot (tho got restarted a couple times for twiddling hardware). Only got retired cuz I added an XP dual boot that took over the same jobs.
If mine had any VxD drivers, it woulda been
Re: (Score:2)
Re: (Score:2)
Oh, then my WinME definitely had some VxD drivers, cuz I recall it fishing a Win95 driver out of several options via pawing thru INI files (I can't recall if this was for the SCSI card or the sound card), and the Matrox vidcard definitely had the old type. Whether it had any of the WdM type, then ... dunno. Mainboard was a Tyan server board which was rock solid (and did not have the rollover bug -- didja know that's actually in the hardware, and in only about half the hardware -- Windows just triggered it),
Re: (Score:2)
Re: (Score:1)
So you're agreeing that Canon can write crap? So what makes you think that somehow just the driver part is magically not crap? Every piece of software from a Japanese hardware company is universally garbage.
Their user interfaces are also ridiculous. Just fucking awful.
It's on the network... (Score:5, Funny)
Mochol Jordon (Score:1)
So hackfrustrated, very hype, much wow
Surprising (Score:2)
Re: (Score:1)
And now to hack into the other printers to do just that...
Re: (Score:2)
I'm sure it's being used to detect if you are scanning currency.
Re: (Score:2)
Unless you have a use for the waste heat, you're better off with systems with better performance-per-watt. These are usually low wattage chips, but they can't do much math-wise.
Re: (Score:3)
Wasn't Doom released in the era of the 25MHz 486 with 1-4 megs of RAM and 640x480 VGA with no acceleration? It probably helps if the screen is only 320x240 QVGA. It depends on which CPU is in use, but something designed to print a full page at 150-ish DPI should have more than enough RAM and CPU. The front panel alone has 2 megabytes of RAM, and a 45MHz LVDS interface for display data, as per its recent hackaday appearance:
http://hackaday.com/2014/09/11... [hackaday.com]
Re:Surprising (Score:4, Informative)
> 25MHz 486 and 640x480 VGA with no acceleration?
Before you get flamed ...
Dos Doom used @ 320x200 in ModeY, Quake supported Michael Abrash's ModeX [wikipedia.org] @ 320x240.
Doom95 which ran on Windows 95 supported different resolutions.
I played it on my 386SX 16 MHz with the screen shrunk down a few levels. It was silky smooth on the Pentium 90 MHz, and the Pentium Pro 200 MHz (obviously) as was Quake.
Reference: http://doom.wikia.com/wiki/Asp... [wikia.com]
Re: (Score:2)
Dos Doom used @ 320x200 in ModeY, Quake supported Michael Abrash's ModeX [wikipedia.org] @ 320x240.
Well it's only been a few decades, and I was mostly a Mac user back in the day. I did remember enough about VGA that as I posted, I was wondering where the hell all the color came from, because I was sure that 640x480 was only 16 colors. Oh the joys of cramming a frame buffer through a tiny chunk of a mere 1 megabyte addressing space. But at least I got the approximate CPU range right.
And FWIW, shrinking the screen down (and a coprocessor in the cartridge) was how they got it to run on SNES.
Sigh. (Score:5, Funny)
I really shouldn't be getting my tech news from sites that are basically a day behind BBC News.
Re: (Score:3)
I come here more for the comments than expecting breaking news.
Re: (Score:2)
For real fun, rogue DHCP server.
Re: (Score:2)
Prefabricated boards with attached motors, sensors, and often WiFi? Rip that out for robot guts. Screw the Raspberry Pis, arduinos, and whatnot.
Re: (Score:2)
Your sig is amazingly appropriate. Now you know how to upgrade your project. ;)
Re: (Score:2)
They should simply turn DOOM into official menu option.
Doom is free software with non-free assets. How much would Zenimax charge per copy to license the assets?
Re: (Score:2)
After all this time, why hasn't someone or a group come up with alternate assets and made them available for free?
Freedoom (Score:2)
Re: (Score:2)
Combine it with the Doom mod for killing processes and you could make killing print jobs a fun option.
Re: (Score:2)
The problem is, the DOOM thing happens to my office printers far less often than me needing to quickly get into the thing and fix it or figure out what the user's issue is.
The account/password thing not helping me out there. It wasn't broken before, Canon. It will make no difference to office security, but will eventually cost you sales. (Well, you sucked already at printers, so maybe not a lot of sales.)
Re: (Score:2)
Aw, heck. They're "fixing" it the wrong way. The right way to deal with DOOM running on a printer's LCD is not to remove this feature. They should simply turn DOOM into official menu option.
It's not like it hasn't been proposed [unm.edu] before [sourceforge.net].
Canon Releasing a Fix (Score:5, Funny)
"The colour palette is still not quite right," he said. "But it proves the point and it runs quite quickly, though it's not optimised."
Mr Jordon has no plans to fine tune the demonstration and do that optimisation or take on more work to get the game beyond its loading screen, given how much trouble it took to get it working at all.
"I'm so sick of it," he said. "I'm done."
On a blog entry about Mr Jordon's work, Canon said it intended "to provide a fix as quickly as is feasible".
This will involve adding a user name and password field to the web interface for future Pixma printers and issuing an update for existing owners to add the same feature.
It looks like Canon is planning to release a fix to correct the color palette and get the game optimized! Even better, they are going to add accounts to the game for scores and going to release this for all previous purchasers of the printer! Sweet!
:p
Re: (Score:1)
The Difference (Score:2)
we are doomed I tell you (Score:1)
Doomed - printers mean any one can use that subversive technology called print.
Logical consequence ... (Score:2)
Don't fix it! (Score:2)
From TFA:
Canon said it planned to fix the loopholes on future printers to make them harder to subvert.
Why would you want to subvert someone from installing Doom on your printer?
People are stupid (Score:2)
Really. A printer belongs behind a firewall and has no business having a public IP in the first place. This is neither a new risk nor in any way surprising. Asking the manufacturer to secure the printer is not going to work.