Firmware updates

The dangers of malicious firmware updates are well-known and have been discussed early by and . In contrast to other networked devices however, it is common for printers to deploy firmware updates as ordinary print jobs. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions but it seems logical that historic reasons play a role: Printers used to be connected by parallel or USB cable. Without network connectivity, security was less important and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device.

Firmware modification attacks against network printers have been demonstrated by for HP devices, by for the Canon PIXMA series and by and for various Xerox models. As a countermeasure, printer manufacturer started to digitally sign their firmware .

Vendors

To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by . The results are as follows.

HP

Firmware can be downloaded from or directly from via FTP. 419 files in HP's traditional remote firmware update (.rfu) format and 206 newer ‘HP FutureSmart’ binaries (.bdl) can be retrieved. The .rfu files contain proprietary PJL commands like @PJL UPGRADE SIZE=…, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by and caused HP to digitally sign all their printer firmware since March 2012 .

Canon

Firmware is available at . Canon however requires a valid device serial number to download any firmware. According to , who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.

Epson

Firmware can be downloaded from and via FTP from . Files come as WinZip self-extracting .exe files and can be unpacked using unp. The contained .efu files can be analyzed using Binwalk which extracts the actual firmware. One can obtain 49 .rcx files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine .prn files containing PJL commands (@PJL ENTER LANGUAGE=DOWNLOAD). Epson has not published any information on protection mechanisms. Firmware released before 2016 did not apply code signing and could be manipulated as shown by . They ‘believe huge amounts of the devices produced since 1999 […] could be vulnerable’.

Dell

Firmware can be obtained from and from . Files can be unpacked using unp and the included .zip files can be extracted with a variant of unzip. Dell does not produce any printing devices, but rebadges the products of other vendors. Therefore a wide variety of firmware files, including 18 .hd files containing @PJL FIRMWARE=…, 25 .prn files containing @PJL ENTER LANGUAGE=DOWNLOAD and 30 .fls/.fly files containing @PJL LPROGRAMRIP were found. Regarding protection mechanisms, Dell has not released any publicly available information.

Brother

Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension .djf and contain @PJL EXECUTE BRDOWNLOAD, while 9 .blf files contain @PJL ENTER LANGUAGE=PCL. Brother has not released any publicly available information on protection mechanisms.

Lexmark

Samsung

Xerox

Ricoh

Kyocera

Konica

Results

How to test for this attack?

The security of code signing is based on keeping the private key a long-term trade secret. There are however still printers in the wild which are potentially vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can flip a single bit and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verfied by the printer. Finding the difference is not always easy and writing malicious firmware (with a correct checksum) can be a time-consuming project.

Other attack scenarios include:

• Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version which has known security weaknesses.

• Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easly mountable).