Firmware updates - Revision history

Admin: /* Epson */

2017-07-03T15:46:28Z

‎Epson

84.153.135.37: /* Results */

2017-01-31T09:04:53Z

‎Results

84.153.135.37: /* Brother */

2017-01-31T08:58:10Z

‎Brother

84.153.135.37: /* Canon */

2017-01-31T08:56:33Z

‎Canon

84.153.135.37: /* Ricoh */

2017-01-31T08:53:10Z

‎Ricoh

Admin at 15:24, 28 January 2017

2017-01-28T15:24:40Z

Admin at 12:10, 23 January 2017

2017-01-23T12:10:04Z

Admin at 10:26, 23 January 2017

2017-01-23T10:26:06Z

Admin: Created page with "The dangers of malicious firmware updates are well-known and have been discussed early by ''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection f..."

2017-01-23T10:14:20Z

Created page with "The dangers of malicious firmware updates are well-known and have been discussed early by <ref>''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection f..."

New page

The dangers of malicious firmware updates are well-known and have been discussed early by <ref>''[https://www.cs.cornell.edu/~kozen/papers/acsac.pdf Malicious Code Detection for Open Firmware]'', F. Adelstein, M. Stillerman and D. Kozen, Computer Security Applications Conference, 2002. Proceedings. 18th Annual, IEEE, 2002, p. 403-412</ref> and <ref>''[http://ceur-ws.org/Vol-190/paper11.pdf Phishing with Consumer Electronics: Malicious Home Routers]'', A. Tsow, MTW 190, 2006</ref>. In contrast to other networked devices however, '''it is common for printers to deploy firmware updates as ordinary print jobs'''. This opens up a wide gateway for attackers because access to printing functionality is usually a low hurdle. One can only speculate about the motivation for such insecure design decisions but it seems logical that historic reasons play a role: Printers used to be connected by parallel or USB cable. Without network connectivity, security played a less important role and without a password-protected web server or similar functionality the printing channel was the only way to send data to the device.

Firmware modification attacks against network printers have been demonstrated by <ref name="cui2011print">''[http://ids.cs.columbia.edu/sites/default/files/CuiPrintMeIfYouDare.pdf Print Me If You Dare: Firmware Modification Attacks and the Rise of Printer Malware]'', A. Cui and J. Stolfo, 2011</ref> for HP devices, by <ref name="jordon2014wrestling">''[https://www.contextis.com/resources/blog/hacking-canon-pixma-printers-doomed-encryption/ Hacking Canon Pixma Printers – Doomed Encryption]'', M. Jordon, 2014</ref> for the Canon PIXMA series and by <ref name="heiland2011patched">''[http://foofus.net/goons/percx/Xerox_hack.pdf From Patched to Pwned: Attacking Xerox's Multifunction Printers Patch Process]'', D. Heiland, 2011</ref> and <ref name="weidenbach2016pwn">''[https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/xerox_phaser_6700_white_paper.pdf PWN Xerox Printers (… again): About Hardware Attacks and (In) Secure Cloning]'', P. Weidenbach and R. Ernst, Fraunhofer FKIE, 2016</ref> for various Xerox models. As a countermeasure, printer manufacturer started to digitally sign their firmware <ref name="hp2012rfu">''[http://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c03102449 Security Bulletin HPSBPI02728 SSRT100692 Rev. 6]'', HP Inc., 2012</ref>.

== Vendors ==

To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by <ref>''[http://homepages.rub.de/jens.mueller-2/publications/2016-exploiting-network-printers.pdf Exploiting Network Printers]'', J. Müller, 2016, p. 56-58</ref>. The results are as follows.

=== HP ===

Firmware can be downloaded from [http://support.hp.com support.hp.com] or directly from [ftp://ftp.hp.com/pub/networking/software/pfirmware/ ftp.hp.com] via FTP. 419 files in HP's traditional remote firmware update (<code>.rfu</code>) format and 206 newer ‘HP FutureSmart’ binaries (<code>.bdl</code>) can be retrieved. The <code>.rfu</code> files contain proprietary PJL commands like <code>@PJL UPGRADE SIZE=…</code>, indicating that firmware updates are deployed as normal print jobs. This has been demonstrated by <ref name="cui2011print"/> and caused HP to digitally sign all their printer firmware since March 2012 <ref name="hp2012rfu"/>.

=== Canon ===

Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number which to download any firmware. According to <ref name="jordon2014wrestling"/>, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.

=== Epson ===

Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting <code>.exe</code> files and can be unpacked using ''unp''<ref>''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath</ref>. The contained <code>.efu</code> files can be analyzed using ''Binwalk''<ref>''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner</ref> which extracts the actual firmware. One can obtain 49 <code>.rcx</code> files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine <code>.prn</code> files containing PJL commands (<code>@PJL ENTER LANGUAGE=DOWNLOAD</code>). Epson has not released any publicly available information on protection mechanisms.

=== Dell ===

Firmware can be obtained from [http://downloads.dell.com downloads.dell.com] and from [ftp://ftp.us.dell.com/printer ftp.us.dell.com/printer]. Files can be unpacked using ''unp'' and the included <code>.zip</code> files can be extracted with a variant of ''unzip''. Dell does not produce any printing devices, but rebadges the products of other vendors. Therefore a wide variety of firmware files, including 18 <code>.hd</code> files containing <code>@PJL FIRMWARE=…</code>, 25 <code>.prn</code> files containing <code>@PJL ENTER LANGUAGE=DOWNLOAD</code> and 30 <code>.fls</code>/<code>.fly</code> files containing <code>@PJL LPROGRAMRIP</code> were found. Regarding protection mechanisms, Dell has not released any publicly available information.

=== Brother ===

Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters, one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension <code>.djf</code> and contain <code>@PJL EXECUTE BRDOWNLOAD</code> while nine <code>.blf</code> files contain <code>@PJL ENTER LANGUAGE=PCL</code>. Brother has not released any publicly available information on protection mechanisms.

=== Lexmark ===

Firmware is available from [http://support.lexmark.com support.lexmark.com] and can be unpacked using ''unp''. 63 <code>fls</code> files could be obtained containing the PJL header <code>@PJL LPROGRAMRIP</code> to install the firmware. Lexmark's security whitepaper claims ‘packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security measure comes from requiring that all firmware packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid [...] the firmware is discarded’ <ref>''[http://media.lexmark.com/www/doc/en_US/Security_White_Paper_Final_Q12014.pdf Security Features of Lexmark Multi-Function and Single Function Printers]'', Lexmark International, 2013, p. 6</ref>.

=== Samsung ===

Firmware can be downloaded from [http://www.samsung.com/us/support/download www.samsung.com/us/support/download]. Retrieved files either come as zip archives or Windows executables which can be run in wine and further unpacked using ''unp''. This way, 33 <code>.hd</code> files starting with <code>@PJL FIRMWARE</code> and associated <code>.prn</code> files containing <code>@PJL DEFAULT SWUPGRADE=ON</code> could be obtained. Samsung has not released any publicly available information on protection mechanisms.

=== Xerox ===

Firmware is publicly available at [http://www.support.xerox.com www.support.xerox.com]. Downloaded files come in zip format and can be unpacked using ''unzip''. Firmware files are in different formats: 16 <code>.hd</code> files including <code>@PJL FIRMWARE=…</code>, 36 PostScript files for older devices and 35 <code>.dlm</code> files which is the format used by currently used by Xerox and includes digital signatures. A flaw in the deployment process however was found by <ref name="heiland2011patched"/> and extended by <ref name="weidenbach2016pwn"/>, leading to remote code execution – the private key and the tool used for code signing was contained in the firmware itself.

=== Ricoh ===

The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search (<code>site:support.ricoh.com firmware</code>). Files can be unpacked using ''unp''. 14 <code>.bin</code> files contain <code>@PJL RSYSTEMUPDATE SIZE=…</code> while 15 <code>.brn</code> files are associated with a <code>settings.ini</code>, including <code>@PJL FWDOWNLOAD</code> and <code>USERID=sysadm, PASSWORD=sysadm</code>. Ricoh does not provide any any up-to-date information on protection mechanisms. In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ <ref>''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10</ref>.

=== Kyocera ===

Kyocera does not release firmware to end-users. In a publicly available Kyocera dealer forum however, firmware downloads for various models are linked: [ftp://ftp.kdaconnect.com ftp.kdaconnect.com]. Files can be unpacked using ''unp'' and contain mountable ''cramfs''<ref>''[http://sourceforge.net/projects/cramfs/ cramfs – A Linux filesystem designed to be simple, small, and to compress things well]'', D. Quinlan</ref> and ''squashfs''<ref>''[http://squashfs.sourceforge.net/ squashfs – A compressed read-only filesystem for Linux]'', P. Lougher and R. Lougher</ref> images as well as proprietary binary formats. Firmware is deployed as a print job with <code>!R! UPGR'SYS';EXIT;</code> prepended – the ''upgrade'' command of the ''PRESCRIBE'' page description language <ref>''[http://kyoceradocumentsolutions.co.th/news/products/img_document/fs19k_rev11.pdf Kyocera Laser Printer FS-1900 Service Manual]'', Kyocera Corp., 2001, ch. 3-19</ref>. Kyocera has not released any publicly available information on protection mechanisms.

=== Konica ===

Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'' which results in 38 proprietary <code>.bin</code> files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like <code>@PJL ENTER LANGUAGE=FIRMUPDATE</code>. The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ <ref>''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26</ref>. It may be doubted that such a scheme is cryptographically secure.

== Results ==

Out of ten analyzed manufacturers, nine use [[PJL]] commands for all or at least some of their firmware update procedures which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the ''PRESCRIBE'' page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Exploitation of this issue however, is hard as no reasoned statement on the individual manufacturers' protection mechanisms can be made. An in-depth analysis of firmware modification attacks should be part of future academic research. A summary of file headers or types for all obtained firmware files is given below:

{| class="wikitable"
|-
! Vendor !! Extension !! Quantity !! File header or type
|-
| rowspan="2" | HP
| rfu || 419 || @PJL UPGRADE SIZE=…
|-
| bdl || 206 || FutureSmart binary format
|-
| rowspan="3" | Epson
| rcx || 49 || SEIKO EPSON EpsonNet Form
|-
| prn || 9 || @PJL ENTER LANGUAGE=DOWNLOAD
|-
| brn || 7 || Unknown binary, includes config file
|-
| rowspan="6" | Dell
| fls, fly || 30 || @PJL LPROGRAMRIP
|-
| prn || 25 || @PJL ENTER LANGUAGE=DOWNLOAD
|-
| hd || 18 || @PJL FIRMWARE=…
|-
| brn || 3 || Unknown binary, includes config file
|-
| ps || 2 || PostScript (title: ''Firmware Update'')
|-
| pjl || 1 || @PJL ENTER LANGUAGE=FLASH
|-
| rowspan="2" | Brother
| djf || 79 || @PJL EXECUTE BRDOWNLOAD
|-
| blf || 9 || @PJL ENTER LANGUAGE=PCL
|-
| rowspan="2" | Lexmark
| fls || 63 || @PJL LPROGRAMRIP
|-
| bin, fls || 6 || Unknown binary format
|-
| rowspan="2" | Samsung
| hd || 33 || @PJL FIRMWARE=…
|-
| fls, hd0 || 4 || @PJL DEFAULT P1284VALUE=…
|-
| rowspan="10" | Xerox
| ps || 36 || PostScript (title: ''Firmware Update'')
|-
| dlm || 35 || Xerox Dynamic Loadable Module
|-
| prn, bin || 20 || @PJL ENTER LANGUAGE=DOWNLOAD
|-
| hd || 16 || @PJL FIRMWARE=…
|-
| brn || 10 || Unknown binary, includes config file
|-
| bin || 10 || @PJL SET JOBATTR="@SWDL"
|-
| fls, hd, hde || 8 || @PJL DEFAULT P1284VALUE=…
|-
| fls, xfc || 4 || @PJL ENTER LANGUAGE=XFLASH
|-
| pjl || 3 || @PJL FSDOWNLOAD [name].rpm
|-
| axf || 3 || RISC OS AIF executable
|-
| rowspan="3" | Ricoh
| brn || 15 || @PJL FWDOWNLOAD…
|-
| bin || 14 || @PJL RSYSTEMUPDATE SIZE=…
|-
| fls || 4 || @PJL LPROGRAMRIP
|-
| rowspan="4" | Kyocera
| cramfs, img || 98 || cramfs image
|-
| bin, squashfs || 79 || squashfs image
|-
| bin, kmmfp || 41 || u-boot legacy uImage
|-
| efi, kmpanel || 13 || proprietary image format
|-
| rowspan="4" | Konica Minolta
| bin || 38 || unknown binary, additional checksum file
|-
| ps || 20 || PostScript (title: ''Softload printer modules'')
|-
| ftp, prn || 11 || @PJL ENTER LANGUAGE=FIRMUPDATE
|-
| upg || 1 || @PJL ENTER LANGUAGE=UPGRADE
|-
|}

'''How to test for this attack?'''

The security of code signing is based on keeping the private key a long-term trade secret. There are however potentially still printers in the wild which are vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering.

Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, you can '''flip a single bit''' and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verfified by the printer. Finding the difference is not always easy, and writing malicious firmware with a correct checksum can be a time-consuming project.

''Other attack scenarios include:''

* Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version, which has known security weaknesses.
* Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easly mountable).
* Just because firmware is signed doesn't mean its secure. Using ''binwalk''/''grep'' etc. one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547].

'''Who can perform this attack?'''

Anyone who can print, for example through [[USB drive or cable]], [[Port 9100 printing]] or [[Cross-site printing]].

----

@@ Line 17: / Line 17: @@
 === Epson ===
-Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting <code>.exe</code> files and can be unpacked using ''unp''<ref>''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath</ref>. The contained <code>.efu</code> files can be analyzed using ''Binwalk''<ref>''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner</ref> which extracts the actual firmware. One can obtain 49 <code>.rcx</code> files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine <code>.prn</code> files containing PJL commands (<code>@PJL ENTER LANGUAGE=DOWNLOAD</code>). Epson has not released any publicly available information on protection mechanisms.
+Firmware can be downloaded from [http://epson.com epson.com] and via FTP from [ftp://download.epson-europe.com/ download.epson-europe.com]. Files come as WinZip self-extracting <code>.exe</code> files and can be unpacked using ''unp''<ref>''[http://unp.bencastricum.nl/ UNP executable file restore utility]'', A. Karwath</ref>. The contained <code>.efu</code> files can be analyzed using ''Binwalk''<ref>''[http://binwalk.org/ Binwalk firmware analysis tool]'', C. Heffner</ref> which extracts the actual firmware. One can obtain 49 <code>.rcx</code> files of unknown format (‘SEIKO EPSON EpsonNet Form’) and nine <code>.prn</code> files containing PJL commands (<code>@PJL ENTER LANGUAGE=DOWNLOAD</code>). Epson has not published any information on protection mechanisms. Firmware released before 2016 did not apply code signing and could be manipulated as shown by <ref>''[https://os-s.de/advisories/OSS-2016-19_epson-mfp.pdf] Epson WorkForce Lack Of Firmware Signing / CSRF'', R. Spenneberg</ref>. They ‘believe huge amounts of the devices produced since 1999 […] could be vulnerable’.
 === Dell ===

@@ Line 53: / Line 53: @@
 == Results ==
-Out of ten analyzed manufacturers, nine use [[PJL]] commands for all or at least some of their firmware update procedures which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the ''PRESCRIBE'' page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Exploitation of this issue however, is hard as for most manufacturers no reasoned statement on protection mechanisms can be made. An in-depth analysis of firmware modification attacks should therefore be part of future research. A summary of file headers or types for all obtained firmware files is given below:
+Out of ten analyzed manufacturers, nine use [[PJL]] commands for all or at least some of their firmware update procedures which is a strong indicator that updates are deployed as ordinary print jobs. The remaining manufacturer – Kyocera – applies the ''PRESCRIBE'' page description language. One can therefore claim that it is common in the printing industry to install new firmware over the printing channel itself and name a '''major design flaw''' present in almost any printer device: '''data and code over the same channel'''. Exploitation of this issue however is hard as for most manufacturers no reasoned statement on protection mechanisms can be made. An in-depth analysis of firmware modification attacks should therefore be part of future research. A summary of file headers or types for all obtained firmware files is given below:
 {| class="wikitable"
@@ Line 149: / Line 149: @@
 '''How to test for this attack?'''
-The security of code signing is based on keeping the private key a long-term trade secret. There are however potentially still printers in the wild which are vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can '''flip a single bit''' and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verfified by the printer. Finding the difference is not always easy and writing malicious firmware (with a correct checksum) can be a time-consuming project.
+The security of code signing is based on keeping the private key a long-term trade secret. There are however still printers in the wild which are potentially vulnerable to malicious firmware – either because they have not yet been updated or because proprietary checksum algorithms are sold as cryptographically secure digital signature schemes. It certainly must be pointed out that analyzing firmware can be hard if vendors do not document their firmware formats and update routines. Usually this requires some reverse engineering. Testing the feasibility of firmware modification attacks therefore is not trivial. In a simple test, one can '''flip a single bit''' and check if the modified firmware is still accepted by the printer device. If not, either a checksum or a digital signature is verfied by the printer. Finding the difference is not always easy and writing malicious firmware (with a correct checksum) can be a time-consuming project.
 ''Other attack scenarios include:''
-* Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version, which has known security weaknesses.
+* Even if the firmware is signed, one may be able to downgrade to a certain (signed) firmware version which has known security weaknesses.
 * Even if the firmware is signed, it can sometimes be mounted to gain further information (especially Konica Minolta firmware is easly mountable).
 * Just because firmware is signed doesn't mean its secure. Using ''binwalk''/''grep'' etc. one may find components with known vulnerabilities like [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7547 CVE-2015-7547].

@@ Line 25: / Line 25: @@
 === Brother ===
-Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters, one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension <code>.djf</code> and contain <code>@PJL EXECUTE BRDOWNLOAD</code> while nine <code>.blf</code> files contain <code>@PJL ENTER LANGUAGE=PCL</code>. Brother has not released any publicly available information on protection mechanisms.
+Firmware cannot be easily downloaded. Instead a Windows binary needs to be run which checks for available printers and requests download links for the latest firmware from a web service. By guessing correct parameters one is able to get the links for 98 files. Firmware files do not need to be unpacked as they already come in raw format. 79 files have the extension <code>.djf</code> and contain <code>@PJL EXECUTE BRDOWNLOAD</code>, while 9 <code>.blf</code> files contain <code>@PJL ENTER LANGUAGE=PCL</code>. Brother has not released any publicly available information on protection mechanisms.
 === Lexmark ===

@@ Line 13: / Line 13: @@
 === Canon ===
-Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number which to download any firmware. According to <ref name="jordon2014wrestling"/>, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.
+Firmware is available at [http://www.canon.com/support/ www.canon.com/support]. Canon however requires a valid device serial number to download any firmware. According to <ref name="jordon2014wrestling"/>, who were able to modify firmware for the Canon PIXMA series, ‘there is no signing (the correct way to do it) but it does have very weak encryption’. According to email correspondence with a Canon technical support representative, ‘firmware does have to be digitally signed by Canon in order for it to be accepted by the printer’.
 === Epson ===

@@ Line 41: / Line 41: @@
 === Ricoh ===
-The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search (<code>site:support.ricoh.com firmware</code>). Files can be unpacked using ''unp''. 14 <code>.bin</code> files contain <code>@PJL RSYSTEMUPDATE SIZE=…</code> while 15 <code>.brn</code> files are associated with a <code>settings.ini</code>, including <code>@PJL FWDOWNLOAD</code> and <code>USERID=sysadm, PASSWORD=sysadm</code>. Ricoh does not provide any any up-to-date information on protection mechanisms. In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ <ref>''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10</ref>.
+The ‘Firmware Download Center’ at [https://support.ricoh.com support.ricoh.com] is not open to the general public. Fortunately the interweb contains direct links to a couple of driver/firmware download pages so one is able to obtain 31 firmware files using a simple Google search (<code>site:support.ricoh.com firmware</code>). Files can be unpacked using ''unp''. 14 <code>.bin</code> files contain <code>@PJL RSYSTEMUPDATE SIZE=…</code> while 15 <code>.brn</code> files are associated with a <code>settings.ini</code>, including <code>@PJL FWDOWNLOAD</code> and <code>USERID=sysadm, PASSWORD=sysadm</code>. Ricoh does not provide any up-to-date information on protection mechanisms. In a whitepaper dating back to 2007, Ricoh claims that ‘only service technicians have a password and dedicated account for making firmware updates’ <ref>''[http://www.tsrc.ricoh-usa.com/pwhp/Network_Security_v1.7.pdf Network Security White Paper for Digital Multifunction and Printing Devices]'', Ricoh Corp., 2007, p. 10</ref>.
 === Kyocera ===

@@ Line 49: / Line 49: @@
 === Konica ===
-Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'' which results in 38 proprietary <code>.bin</code> files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like <code>@PJL ENTER LANGUAGE=FIRMUPDATE</code>. The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ <ref>''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26</ref>. It may be doubted that such a scheme is cryptographically secure.
+Although not actively promoted, firmware for Konica Minolta printers can be downloaded from [http://download6.konicaminolta.eu download6.konicaminolta.eu]. Newer Internet-connected devices have the capability to perform firmware updates themselves. Compressed files come in different formats and can be unpacked using ''unp'', ''unzip'' and ''tar'' which results in 38 proprietary <code>.bin</code> files, 20 PostScript based ‘softload printer modules’ for older devices and 14 files of different extensions containing PJL commands like <code>@PJL ENTER LANGUAGE=FIRMUPDATE</code>. The Konica Minolta security whitepaper claims that firmware is verified using a ‘hash value’ <ref>''[http://www.biz.konicaminolta.com/product_security_policy/pdf/security_white_paper_version8_0_7.pdf Konica Minolta Security White Paper]'', Konica Minolta, Inc., 2015, p. 26</ref>. It may be doubted that such a scheme is cryptographically secure.
 == Results ==

@@ Line 5: / Line 5: @@
 == Vendors ==
-To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by <ref>''[http://homepages.rub.de/jens.mueller-2/publications/2016-exploiting-network-printers.pdf Exploiting Network Printers]'', J. Müller, 2016, p. 56-58</ref>. The results are as follows.
+To give an overview of firmware deployment procedures 1,400 firmware files for the top 10 printer manufacturers have been downloaded and systematically categorized by <ref>''Exploiting Network Printers'', J. Müller, 2016, p. 56-58</ref>. The results are as follows.
 === HP ===