ARM Wrestling a Printer: How to Mod Firmware

PRESENTATION SLIDES (PDF)

How secure is encrypted, embedded ARM firmware? This talk shows how an encrypted firmware image may be hijacked to run custom malware, demonstrated using a Canon printer. The talk will explain the full process: breaking the encryption, identifying and understanding the flash file format, reverse engineering the binaries, bootloader, compression and ARM instructions, patching the binary, developing an ARM backdoor, reversing the functionality to steal printed documents and scanned files, and finally rebuilding the firmware to create a malicious image which may be uploaded to the printer. The entire process is carried out without the need for authentication, and this work can be deployed simply by being on the same LAN/WLAN as the printer, or via CSRF in the case of internet-connected printers. All of the above takes place on an ARM device which has no full OS, no debugger and no console. In the final demo I will show how far you really can take a printer.

Canon PIXMA printers allow the proxy settings to be changed without authentication, and allow manual triggering of the firmware update process. As the proxy settings can be changed, the printer can be configured to connect to a malicious website which provides a malicious firmware image. The original firmware is an encrypted (but not signed), compressed SRecord format image. This presentation will explain the whole end-to-end process of how to reverse engineer the firmware and modify it to create a trojanised version that can send documents being printed or scanned to the internet, or provide a backdoor into a corporate network.

The presentation will cover the following in order:

  • Diverting the firmware update mechanism
  • Identifying the encryption
  • Heuristic determination of the file format and key
  • Deconstruction of the SRecord firmware format
  • Reversing the binary files to determine what they are and how the bootloader works
  • From the bootloader, understanding the compression technique used and decompressing the main binary
  • Reversing the main binary to understand how it works and how it can be patched to include custom code
  • Reversing the main binary to understand how the internal functions of the printer work
  • Creation of ARM shell code which calls out over the internet for commands
  • Demonstration of a scanned or printed document sent to the internet

CONFERENCE
Location: Track 2
Date: October 15, 2014
Time: 10:30 am - 11:30 am
Speaker: Michael Jordon