How secure is encrypted, embedded ARM firmware? This talk shows how an encrypted firmware image may be hijacked to run custom malware, demonstrated using a Canon printer. The talk will explain the full process: breaking the encryption; identifying and understanding the flash file format; reverse engineering the binaries, bootloader, compression and ARM instructions; patching the binary; developing an ARM backdoor; reversing the functionality to steal printed documents and scanned files; and finally rebuilding the firmware to create a malicious image which may be uploaded to the printer. The entire process is carried out without the need for authentication, and this work can be deployed simply by being on the same LAN/WLAN as the printer, or via CSRF in the case of internet-connected printers. All of the above takes place on an ARM device which has no full OS, no debugger and no console. In the final demo I will show how far you really can take a printer.
Canon PIXMA printers allow the proxy settings to be changed without authentication, and allow the firmware update process to be triggered manually. Because the proxy settings can be changed, the printer can be configured to connect to a malicious website which provides a malicious firmware image. The original firmware is an encrypted (but not signed), compressed SRecord format image. This presentation will explain the whole end-to-end process of how to reverse engineer the firmware and modify it to create a trojanised version that can send documents being printed or scanned to the internet, or provide a backdoor into a corporate network.
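The abstract's point that the image is "encrypted (but not signed)" is worth seeing concretely. The Motorola SRecord container it mentions carries only a per-record checksum, which is an integrity check against transmission errors, not an authentication mechanism: anyone who can edit the image can simply recompute the checksums. The parser below is an added example, not code from the talk or from Canon; it parses a constructed sample image, verifies each record's byte count and checksum, flattens the data records into a memory image, and shows that a one-byte change is caught by the checksum only until the checksum is regenerated. The sample image and the `FW-SAMPLE` header are constructed for this example.

```python
"""Motorola SRecord parsing with checksum verification (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Address width in bytes for each S-record type (S0 header, S1/S2/S3 data,
# S5/S6 record counts, S7/S8/S9 start-address / termination records).
ADDR_LEN = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "6": 3, "7": 4, "8": 3, "9": 2}


@dataclass
class SRecord:
    rtype: str      # record type digit, e.g. "1"
    address: int    # address field (or record count for S5/S6)
    data: bytes     # payload (empty for count and termination records)


def make_record(rtype: str, address: int, data: bytes) -> str:
    """Encode one record; the checksum is the one's complement of the low
    byte of the sum over count, address and data bytes."""
    alen = ADDR_LEN[rtype]
    body = bytes([alen + len(data) + 1]) + address.to_bytes(alen, "big") + data
    checksum = (~sum(body)) & 0xFF
    return "S" + rtype + (body + bytes([checksum])).hex().upper()


def parse_record(line: str) -> SRecord:
    """Decode one record, raising ValueError on a bad count or checksum."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or line[1] not in ADDR_LEN:
        raise ValueError(f"malformed record: {line!r}")
    raw = bytes.fromhex(line[2:])
    if raw[0] != len(raw) - 1:
        raise ValueError(f"byte count mismatch in {line!r}")
    if (~sum(raw[:-1])) & 0xFF != raw[-1]:
        raise ValueError(f"checksum mismatch in {line!r}")
    alen = ADDR_LEN[line[1]]
    address = int.from_bytes(raw[1:1 + alen], "big")
    return SRecord(line[1], address, raw[1 + alen:-1])


def parse_image(text: str) -> Dict[str, object]:
    """Parse a whole image: header string, flattened data (gaps filled with
    0xFF), base address, entry point and total record count."""
    records: List[SRecord] = [parse_record(ln) for ln in text.splitlines() if ln.strip()]
    header = next((r.data.decode("ascii", "replace") for r in records if r.rtype == "0"), "")
    data_recs = [r for r in records if r.rtype in "123"]
    count_recs = [r for r in records if r.rtype in "56"]
    if count_recs and count_recs[0].address != len(data_recs):
        raise ValueError("S5/S6 record count does not match number of data records")
    base = min((r.address for r in data_recs), default=0)
    end = max((r.address + len(r.data) for r in data_recs), default=0)
    flat = bytearray(b"\xFF" * (end - base))
    for r in data_recs:
        flat[r.address - base:r.address - base + len(r.data)] = r.data
    entry = next((r.address for r in records if r.rtype in "789"), None)
    return {"header": header, "base": base, "data": bytes(flat),
            "entry": entry, "records": len(records)}


def is_intact(text: str) -> bool:
    """True if every record's count and checksum verify."""
    try:
        parse_image(text)
        return True
    except ValueError:
        return False


# Constructed sample image: header, two data records at 0x1000, a count
# record and an S9 termination record giving the entry point.
SAMPLE = "\n".join([
    make_record("0", 0x0000, b"FW-SAMPLE"),
    make_record("1", 0x1000, bytes(range(16))),
    make_record("1", 0x1010, b"\xDE\xAD\xBE\xEF"),
    make_record("5", 2, b""),
    make_record("9", 0x1000, b""),
])

if __name__ == "__main__":
    info = parse_image(SAMPLE)
    print(f"header={info['header']!r} base=0x{info['base']:X} entry=0x{info['entry']:X}")
    print("data:", info["data"].hex())
    # A raw one-byte edit fails the checksum ...
    print("tampered intact?", is_intact(SAMPLE.replace("DEADBEEF", "DEADBEEE")))
    # ... but re-encoding the edited record passes, because the checksum
    # authenticates nothing: only a signature check would catch this.
    print("re-encoded intact?", is_intact(SAMPLE.replace(
        make_record("1", 0x1010, b"\xDE\xAD\xBE\xEF"),
        make_record("1", 0x1010, b"\xDE\xAD\xBE\xEE"))))
```

The last two prints are the defender's takeaway: a checksum failure on a firmware image indicates corruption, not tampering, and the absence of a failure proves nothing about who produced the image. Verifying firmware provenance needs a cryptographic signature checked by the bootloader, and on the network side the update path and proxy configuration should require authentication.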
The presentation will cover the following in order: