Friday Hacker Blogging: Get Doom Running On a Canon PIXMA Printer

Doom

Back in 2014 a security researcher at Context found a vulnerability in Canon PIXMA printers, and demonstrated it by installing the 1990s game Doom on the printer.

Canon's wireless PIXMA printers can be managed through a built-in web page, for instance to see printer information like ink levels or to update the firmware.

Says the researcher at Context:

This interface does not require user authentication allowing anyone to connect to the interface. At first glance the functionality seems to be relatively benign, you could print out hundreds of test pages and use up all the ink and paper, so what? The issue is with the firmware update process. While you can trigger a firmware update you can also change the web proxy settings and the DNS server. If you can change these then you can redirect where the printer goes to check for a new firmware. So what protection does Canon use to prevent a malicious person from providing a malicious firmware? In a nutshell – nothing, there is no signing (the correct way to do it) but it does have very weak encryption. I will go into the nuts and bolts of how I broke that later in this blog post. So we can therefore create our own custom firmware and update anyone’s printer with a Trojan image which spies on the documents being printed or is used as a gateway into their network. For demonstration purposes I decided to get Doom running on the printer (Doom as in the classic 90s computer game).

And Doom it was:

Canon acknowledged the issue and provided the following statement regarding this issue:

“We thank Context for bringing this issue to our attention; we take any potential security vulnerability very seriously. At Canon we work hard at securing all of our products, however with diverse and ever-changing security threats we welcome input from others to ensure our customers are as well protected as possible.

We intend to provide a fix as quickly as is feasible. All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.”

It is good practice never to expose a printer directly to the Internet; keep its web interface reachable only from your local network.
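The weakness Context describes above is a chain: an unauthenticated web page lets anyone change the printer's DNS and proxy settings, so the firmware check can be pointed at an attacker's server, and the printer then accepts whatever it downloads because the image is only (weakly) encrypted, never signed. The fix the researcher alludes to, "signing (the correct way to do it)", is shown below in an added example that is not Canon's or Context's code: a minimal signed-firmware format and the device-side check, with RSA (RSASSA-PKCS1-v1_5 over SHA-256) implemented from the Python standard library so it runs offline. The header layout, the magic value, the version numbers and the sample payloads are constructed for the example; on a real device the vendor's public key is burned in at manufacture and the private key never leaves the vendor.

```python
import hashlib
import secrets
import struct

# ---- minimal RSA with RSASSA-PKCS1-v1_5 / SHA-256, standard library only ----
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]

def _is_probable_prime(n, rounds=32):
    # Trial division by small primes, then Miller-Rabin with random bases.
    if n < 2 or n % 2 == 0:
        return n == 2
    if any(n % p == 0 for p in _SMALL_PRIMES if p < n):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits=2048):
    """Vendor side only. Returns public (n, e) and private (n, d)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):
    # RFC 8017 9.2: 00 01 FF..FF 00 || DigestInfo || SHA-256(msg), k bytes long.
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too small")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(private, msg):
    n, d = private
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(public, msg, sig):
    n, e = public
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return secrets.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(msg, k))

# ---- firmware image: header || payload || signature over header+payload ----
MAGIC = b"FWIM"                    # constructed format for this example, not Canon's
HEADER = struct.Struct(">4sII")    # magic, version, payload length

def build_image(private, version, payload):
    body = HEADER.pack(MAGIC, version, len(payload)) + payload
    return body + rsa_sign(private, body)

def verify_image(public, image, installed_version):
    """Device side. Only the vendor public key is present. Returns (accepted, reason)."""
    k = (public[0].bit_length() + 7) // 8
    if len(image) < HEADER.size + k:
        return False, "truncated"
    body, sig = image[:-k], image[-k:]
    if not rsa_verify(public, body, sig):           # authenticate before parsing any field
        return False, "bad signature"
    magic, version, length = HEADER.unpack_from(body)
    if magic != MAGIC or length != len(body) - HEADER.size:
        return False, "bad header"
    if version < installed_version:                 # a genuinely signed old image is still a downgrade
        return False, "rollback"
    return True, "ok"

def demo():
    """A genuine update, then the three things an attacker who controls the update
    server (via the printer's DNS/proxy settings) can try without the vendor key."""
    pub, priv = generate_keypair()
    installed = 0x010200
    good = build_image(priv, 0x010300, b"\x00" * 64 + b"genuine firmware")
    out = {"genuine": verify_image(pub, good, installed)}
    tampered = bytearray(good)
    tampered[HEADER.size + 8] ^= 0x01               # flip one payload bit, keep the old signature
    out["tampered"] = verify_image(pub, bytes(tampered), installed)
    _, attacker_priv = generate_keypair()           # a key the device never pinned
    out["attacker_signed"] = verify_image(pub, build_image(attacker_priv, 0x010400, b"trojan"), installed)
    old = build_image(priv, 0x010100, b"older, vulnerable build")   # replay of a real old image
    out["downgrade"] = verify_image(pub, old, installed)
    return out

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} accepted={ok} ({why})")
```

Running it prints one line per case: the genuine image is accepted, while the bit-flipped image, the image signed with the attacker's own key and the replayed older (but genuinely signed) image are all rejected. Encryption on its own would have stopped none of these once the key was recovered, which is exactly what Context did to the PIXMA firmware.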

If you want to dive deeper into the hack and learn how Canon's encryption was broken, read the article at Context. This post can be used to discuss whatever topic you want.

Friday Hacker Blogging: digiKam 7.1 Released, Fully Supports Canon CR3 Format

Digikam 7.1

The free and open source photo manager digiKam 7.1 has been released, adding full support for the Canon CR3 RAW format.

Release notes for digiKam 7.1 are here.

When you buy an expensive camera, such as the latest Canon devices, you should expect the image provided to be seriously pre-processed by the camera firmware and ready to use immediately. This is true for JPEG, but not RAW files, where the format changes for every new camera released, as it depends on the camera’s sensor data. This is also the case for the Canon CR3: the RAW format produced by this camera has required intensive reverse-engineering that the digiKam team cannot always support well. This is why we use the powerful Libraw library to post-process the RAW files on the computer. This library includes complex algorithms to support all kinds of different RAW file formats, including the Canon CR3.

You can download digiKam 7.1 for 64-bit or 32-bit systems from their website.

As usual, you can use this post to discuss whatever you want.

Friday Hacker Blogging: How To Watch Star Wars In Linux Terminal (and update on Canon hacker attack)

Star Wars In Linux

For the Friday Hacker blogging series here is something that’s as fun as it is useless, but it will appeal to all those hardcore Star Wars fans.

You can watch Star Wars in the Linux terminal (not just Linux; any *nix flavor will likely work). We are not talking about a digitally remastered version here: no high-res graphics or anything of the sort. In fact there are no graphics in the modern sense at all, just ASCII art streamed over telnet. All you have to do is enter the following command in your terminal:

telnet towel.blinkenlights.nl 

You can stop the “movie” with Ctrl-] (telnet's escape key), then type quit at the telnet prompt to exit.

Should you not have telnet on your system you can easily install it. For instance on Ubuntu or Debian:

sudo apt install telnet

Here are two screenshots.

Ready for Star Wars in Linux terminal?

Canon Ransomware Attack

Here is also an update on the ransomware attack against Canon. See here for an earlier update, or if you don't know what a ransomware attack is. The Maze ransomware gang updated their leak site, and it now states that “0.2%” of Canon data was published. Previously it was 5%. We do not know yet what exactly that means. Also, we obtained a copy of the leaked Canon data and can confirm it does not contain sensitive or otherwise critical information.

Screenshot from the Maze leaks site

You can use the Friday Hacker Blogging post to discuss whatever topic you want. Please be respectful and polite.

Friday Hacker Blogging: Maze Ransomware Gang Releases 5% Of Stolen Canon Data

Friday Hacker Blogging

Every Friday from now on I’ll make a post on a random topic about Linux, computer and information security, coding and hacking, and more infosec stuff.

You can use the Friday Hacker Blogging post to discuss the topic, or discuss whatever photography news or topic you want. Please be respectful, same rules as usual apply for comments.

The first post in the Friday Hacker Blogging series is a follow-up to the hacker attack against Canon USA by the Maze ransomware gang. Numerous Canon services have been affected, including Canon's email, Microsoft Teams, the Canon USA website, and other internal applications, and 10TB of data was reportedly stolen. Bleeping Computer describes the Maze gang and how they work:

Maze is an enterprise-targeting human-operated ransomware that compromises and stealthily spreads laterally through a network until it gains access to an administrator account and the system’s Windows domain controller.

During this process, Maze will steal unencrypted files from servers and backups and upload them to the threat actor’s servers.

Once they have harvested the network of anything of value and gain access to a Windows domain controller, Maze will deploy the ransomware throughout the network to encrypt all of the devices.

If a victim does not pay the ransom, Maze will publicly distribute the victim’s stolen files on a data leak site that they have created.

Ransomware gangs often use a controlled leak of stolen data as a means to scare victims into paying the ransom. It seems such a controlled leak has hit Canon too.

Bleeping Computer again reports that a 2.2 GB archive called “STRATEGICPLANNINGpart62.zip” was released on the Maze data leak site. Bleeping Computer has been told it contains marketing materials and videos, as well as files related to Canon's website. However, it seems that the leak does not contain financial or employee information, or other sensitive data.

Leaked Canon data, image courtesy of Bleeping Computer

It’s still an ongoing story and I will keep you posted.

Btw, the idea for Friday Hacker Blogging was inspired by Schneier on Security's Friday Squid Blogging. As I wrote above, you can use this post to discuss the topic, or whatever photography news you want. Just be polite and respectful.

Canon Has Been Hacked And Hit By Ransomware, 10TB Data Stolen


Canon has been attacked by the Maze ransomware group. Many Canon sites are affected.

As BleepingComputer reports, numerous Canon services have been affected, including Canon's email, Microsoft Teams, the Canon USA website, and other internal applications. These Canon-related domains have been affected:

www.canonusa.com
www.canonbroadcast.com
b2cweb.usa.canon.com
canondv.com
canobeam.com
canoneos.com
bjc8200.com
canonhdec.com
bjc8500.com
usa.canon.com
imagerunner.com
multispot.com
canoncamerashop.com
canoncctv.com
canonhelp.com
bjc-8500.com
canonbroadcast.com
imageland.net
consumer.usa.canon.com
bjc-8200.com
bjc3000.com
downloadlibrary.usa.canon.com
www.cusa.canon.com
www.canondv.com

BleepingComputer was able to obtain a partial screenshot of the ransom note:

BleepingComputer reports on Maze and the attack against Canon:

After contacting the ransomware operators, BleepingComputer was told by Maze that their attack was conducted this morning when they stole “10 terabytes of data, private databases etc” as part of the attack on Canon […]

Maze is an enterprise-targeting human-operated ransomware that compromises and stealthily spreads laterally through a network until it gains access to an administrator account and the system’s Windows domain controller.

During this process, Maze will steal unencrypted files from servers and backups and upload them to the threat actor’s servers.

Once they have harvested the network of anything of value and gain access to a Windows domain controller, Maze will deploy the ransomware throughout the network to encrypt all of the devices.

If a victim does not pay the ransom, Maze will publicly distribute the victim’s stolen files on a data leak site that they have created.

Maze has claimed responsibility for other high-profile victims in the past, including LG, Xerox, Conduent, MaxLinear, Cognizant, Chubb, VT San Antonio Aerospace, the City of Pensacola, Florida, and more.
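The playbook BleepingComputer lays out (quoted here and again in the follow-up post further up the page) has one stage defenders can still catch before the encryption starts: unencrypted files are pulled from servers and backups and uploaded to the attackers' own infrastructure. As an added example that is not from BleepingComputer, Canon or any Maze research, here is a small Python hunt over a constructed egress log that flags a host whose daily outbound volume to non-RFC 1918 addresses jumps far above its own history. The key=value log format, the hosts, the addresses (IETF documentation ranges) and the thresholds are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Constructed egress log (not real Canon data, not any product's native format).
# 10.1.4.22 behaves normally for two days, then pushes ~9 GB to one outside host
# late on 2020-08-02; 10.1.7.8 is a quiet control host. Note the 900 MB SMB copy to
# another internal server on 2020-08-01, which this hunt deliberately ignores.
SAMPLE_LOG = """\
2020-07-31T09:12:00Z src=10.1.4.22 dst=198.51.100.20 dport=443 bytes_out=4200000
2020-07-31T13:40:00Z src=10.1.4.22 dst=198.51.100.20 dport=443 bytes_out=3900000
2020-07-31T10:05:00Z src=10.1.7.8 dst=192.0.2.5 dport=443 bytes_out=2100000
2020-08-01T09:30:00Z src=10.1.4.22 dst=198.51.100.20 dport=443 bytes_out=4500000
2020-08-01T16:10:00Z src=10.1.4.22 dst=10.1.9.3 dport=445 bytes_out=900000000
2020-08-01T11:02:00Z src=10.1.7.8 dst=192.0.2.5 dport=443 bytes_out=2300000
2020-08-02T22:15:03Z src=10.1.4.22 dst=203.0.113.10 dport=443 bytes_out=3000000000
2020-08-02T22:48:51Z src=10.1.4.22 dst=203.0.113.10 dport=443 bytes_out=3200000000
2020-08-02T23:21:09Z src=10.1.4.22 dst=203.0.113.10 dport=443 bytes_out=2900000000
2020-08-02T10:00:00Z src=10.1.7.8 dst=192.0.2.5 dport=443 bytes_out=2000000
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=\d+ bytes_out=(?P<bytes>\d+)$"
)

# "Internal" means RFC 1918 here; adjust to the site's own address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def parse(log_text):
    """Yield (day, src, dst, bytes_out); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["day"], m["src"], ipaddress.ip_address(m["dst"]), int(m["bytes"])

def daily_external_egress(events):
    """per_day[src][day] = bytes to external hosts; per_dst[src][day][dst] = bytes."""
    per_day = defaultdict(lambda: defaultdict(int))
    per_dst = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, src, dst, nbytes in events:
        if is_internal(dst):        # server-to-server staging is a separate, lateral-movement hunt
            continue
        per_day[src][day] += nbytes
        per_dst[src][day][dst] += nbytes
    return per_day, per_dst

def flag_exfil(per_day, per_dst, multiplier=10, floor_bytes=1_000_000_000):
    """Flag a host-day whose external egress is at least floor_bytes and at least
    multiplier times the median of that host's earlier days. The floor catches a
    host with no history; the multiplier catches a normally chatty host."""
    findings = []
    for src, days in per_day.items():
        for day in sorted(days):                     # ISO dates sort chronologically
            earlier = [v for d, v in days.items() if d < day]
            baseline = median(earlier) if earlier else 0
            total = days[day]
            if total >= floor_bytes and total >= multiplier * max(baseline, 1):
                top_dst, top_bytes = max(per_dst[src][day].items(), key=lambda kv: kv[1])
                findings.append({"src": src, "day": day, "bytes_out": total,
                                 "baseline": baseline, "top_dst": str(top_dst),
                                 "top_dst_bytes": top_bytes})
    return findings

def detect(log_text):
    per_day, per_dst = daily_external_egress(parse(log_text))
    return flag_exfil(per_day, per_dst)

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['src']} on {f['day']}: {f['bytes_out'] / 1e9:.1f} GB out "
              f"(baseline {f['baseline'] / 1e6:.1f} MB/day), mostly to {f['top_dst']}")
```

On the sample it reports only 10.1.4.22 on 2020-08-02, with about 9.1 GB out against a 6.3 MB/day baseline, almost all of it to a single destination. The per-host baseline matters: an absolute threshold alone would either miss a quiet file server or drown in alerts from hosts that legitimately sync large volumes every day.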

The Canon USA site is still down. It seems this attack is not related to the image.canon outage of a few days ago. Canon released a statement to BleepingComputer, saying they are “currently investigating the situation.”