Canon printer hacked to run Doom video game
A wireless Canon Pixma printer has been hacked to run classic video game Doom.
The hack was carried out by security researcher Michael Jordon, and it took four months to get the game running on the hardware.
He said he had undertaken the project to demonstrate the security problems surrounding devices that would form the "internet of things".
Canon said it planned to fix the loopholes on future printers to make them harder to subvert.
Like many modern printers, Canon's Pixma range can be accessed via the net, so owners can check the device's status. However, Mr Jordon, who works for Context Information Security, found Canon had done a poor job of securing this method of interrogating the device.
"The web interface has no user name or password on it," he said.
That meant anyone could look at the status of any device once they found it, he said. A check via the Shodan search engine suggests there are thousands of potentially vulnerable Pixma printers already discoverable online. There is no evidence that anyone is attacking printers via the route Mr Jordon found.
At first glance, the remote access feature did not look like a problem, until Mr Jordon realised it was possible to update the printer's controlling software, known as firmware, via the interface too.
Although the firmware was encrypted, research revealed it was possible to crack this protection system to reveal the core computer code. Reverse engineering the encryption system used by Canon also meant that if Mr Jordon wrote his own firmware the printer should accept it as authentic.
It was then Mr Jordon conceived the idea of getting the 1993 game running on the printer.
"Running Doom, that's real proof you control the thing," he told the BBC.
"The printer has a 32-bit Arm processor, 10 meg of memory and even the screen is the right size," said Mr Jordon. "I had all the bits, but it was a coding problem to get it all running together."
The biggest problem, he said, had been that the printer's firmware lacked functions provided by the operating system on any PC or other device it was running on. A version of Doom does exist that runs on Arm processors, but a lot of coding and experimentation was needed to convert this so it coped with the internal idiosyncrasies of the printer.
Writing code and getting it running sucked up months of Mr Jordon's spare time, and he finally got it to run two days before he was due to give a speech about the work at the UK's 44Con hacker conference.
"The colour palette is still not quite right," he said. "But it proves the point and it runs quite quickly, though it's not optimised."
Mr Jordon has no plans to fine tune the demonstration and do that optimisation or take on more work to get the game beyond its loading screen, given how much trouble it took to get it working at all.
"I'm so sick of it," he said. "I'm done."
On a blog entry about Mr Jordon's work, Canon said it intended "to provide a fix as quickly as is feasible".
This will involve adding a user name and password field to the web interface for future Pixma printers and issuing an update for existing owners to add the same feature.