Advisory ID: SYSS-2023-011 Product: PIXMA TR4550 Manufacturer: Canon Affected Version(s): 1.020 / 1.080 also affects many other Canon inkjet printer models[4] Tested Version(s): 1.020 / 1.080 Vulnerability Type: Insufficient or Incomplete Data Removal within Hardware Component (CWE-1301) Insufficiently Protected Credentials (CWE-522) Risk Level: Low Solution Status: Fixed Manufacturer Notification: 2023-04-06 Solution Date: 2023-07-31 Public Disclosure: 2023-08-03 CVE Reference: No CVE ID from Canon PSIRT Author of Advisory: Manuel Stotz, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Canon PIXMA TR4550 is an entry-level 4-in-1 printer equipped with Wi-Fi connectivity. The manufacturer describes the product as follows (see [1]): "Ready to adapt to your smart home office environment, this efficient 4-In-One printer requires minimal space but gives maximum support to your projects. Whether scanning a document, copying an ID, faxing an invoice or printing posters, PIXMA TR4550 has the functionality to keep up with your business needs. Equipped with smart Wi-Fi connectivity to optimise management of functions and features, this front-loading 4-In-One printer is the compact solution that saves space, streamlines ink usage and brings productivity to the forefront." The unprotected storage of credentials and insufficient data removal during a factory reset allows sensitive data to be read out afterward. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The Canon PIXMA TR4550 stores sensitive data, such as the SSID and the Wi-Fi pre-shared key (PSK), unencrypted in its persistent storage (EEPROM). Resetting the product to factory settings (via 'Setup', 'Device settings', 'Reset setting' and 'All data') does not securely delete this sensitive information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): SySS could successfully perform a proof-of-concept attack via the following steps: * Configure and establish a Wi-Fi connection. * Reset all data (Setup, Device settings, Reset setting, All data). * Disassemble the printer and locate the EEPROM on the PCB. * Create an EEPROM memory dump. * Search and locate the configured SSID and PSK in the memory dump. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ..
Support the originator by clicking the read the rest link below.
