The Internet of Things (IoT) is something of a buzz-phrase right now, and locking down the IoT is certainly something that vendors across both security and hardware industries are talking up. The problem with the publicity surrounding stories of 'things' that have been hacked is that, well, they never really have much potential impact right here, right now, to you or your business. So someone managed to break into an Internet-connected baby monitoring device and make creepy announcements over it, or there's the potential to control an Internetified self-driving car in the future; neither of which fills me with dread about the security of my data as is, it has to be said.
However, maybe you and I are missing the point. Maybe we need to broaden our definition of what things this Internet of them actually comprises. How about printers, for example? Stand up if you have a printer which isn't connected to your network and the Internet beyond. I'm guessing there are lots of you still sitting down; I certainly am. There's part of the IoT right there which represents a very real threat to your security posture, and you probably didn't know it.
Researchers at Context Information Security knew it, and proved it. They remotely accessed a web interface on a Canon Pixma printer, modified the printer firmware from the comfort of the Internet, and then used this modified printing device to play a game of Doom on the built-in screen. If that's not scary enough for you (more on why it should be in a moment), then consider that they also remotely printed hundreds of documents in order to exhaust the ink supply. There's a novel example of a denial of service attack right there, and if aimed at your small or home office I imagine one that would be of very real concern. They could, had they chosen to do so, have installed a Trojan instead of a game of Doom and used it to remotely record documents being printed and establish a gateway into the printer network.
You can check out the full details of the hack and what the researchers were able to do, and how they did it, here. Canon, meanwhile, has promised to provide a fix "as quickly as is feasible" and has stated that "all PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context."
Context recommends that wireless printers or any other Internet of Things devices are not connected to the Internet. Seriously though, who is going to disconnect something that is designed to be connected to the Internet and was probably bought for that functionality? Some printers, and the latest HP devices spring to mind, are specifically being marketed through TV advertising to appeal to consumers wanting to use the 'Instant Ink' subscription-based cartridge replacement service. That service depends entirely on, and requires as part of the terms of use, an always-on Internet connection to remotely monitor usage. This is a real cake and/or eat it situation; you want the functionality and cost savings, you have to accept the risk. Which doesn't mean you cannot mitigate that risk, of course.
Trey Ford, Global Security Strategist at Rapid7, told us that while Michael Jordan (who presented the research to a conference last week) "delivered a slam-dunk proof of concept, using a simple unauthenticated web interface on the Canon Pixma printer, and managed to optimize Doom to run on the 32-bit ARM hardware using only 10 MB of memory," this was no gimmick. "Michael managed to upload modified code which bypassed the Canon security checks, and get the game running," Ford reminds us. "This is one of the most clever proof of concept exploits I’ve ever seen." Michael Belton, security assessment lead at Rapid7, continues: "The larger concern around printer firmware involves the potential to modify it such that the adversary can create backdoors in the device, use the device as a place to launch attacks against the larger network, or specify that all data sent to the printer be stored at the adversary's preferred location. Once the firmware is lost, all bets are off. The fact that this critical functionality is not secure out-of-the-box is a serious flaw in the manufacturer's design."