Advisory ID: SYSS-2023-011  
Product: PIXMA TR4550  
Manufacturer: Canon  
Affected Version(s): 1.020 / 1.080  
also affects many other Canon inkjet printer  
Tested Version(s): 1.020 / 1.080  
Vulnerability Type: Insufficient or Incomplete Data Removal  
within Hardware Component (CWE-1301)  
Insufficiently Protected Credentials  
Risk Level: Low  
Solution Status: Fixed  
Manufacturer Notification: 2023-04-06  
Solution Date: 2023-07-31  
Public Disclosure: 2023-08-03  
CVE Reference: No CVE ID from Canon PSIRT  
Author of Advisory: Manuel Stotz, SySS GmbH  
The Canon PIXMA TR4550 is an entry-level 4-in-1 printer equipped with  
Wi-Fi connectivity.  
The manufacturer describes the product as follows (see [1]):  
"Ready to adapt to your smart home office environment, this efficient  
4-In-One printer requires minimal space but gives maximum support to  
your projects. Whether scanning a document, copying an ID, faxing an  
invoice or printing posters, PIXMA TR4550 has the functionality to keep  
up with your business needs. Equipped with smart Wi-Fi connectivity to  
optimise management of functions and features, this front-loading  
4-In-One printer is the compact solution that saves space, streamlines  
ink usage and brings productivity to the forefront."  
The unprotected storage of credentials and insufficient data removal  
during a factory reset allows sensitive data to be read out afterward.  
Vulnerability Details:  
The Canon PIXMA TR4550 stores sensitive data, such as the SSID and the  
Wi-Fi pre-shared key (PSK), unencrypted in its persistent storage  
Resetting the product to factory settings (via 'Setup', 'Device  
settings', 'Reset setting' and 'All data') does not securely delete this  
sensitive information.  
Proof of Concept (PoC):  
SySS could successfully perform a proof-of-concept attack via the  
following steps:  
* Configure and establish a Wi-Fi connection.  
* Reset all data (Setup, Device settings, Reset setting, All data).  
* Disassemble the printer and locate the EEPROM on the PCB.  
* Create an EEPROM memory dump.  
* Search and locate the configured SSID and PSK in the memory dump.  
Canon PSIRT published its security advisory "Vulnerability  
Mitigation/Remediation for Inkjet Printers (Home and Office/Large  
Format)" (CP2023-003)[3] describing how sensitive information should be  
deleted concerning the affected printers[5].  
Disclosure Timeline:  
2023-04-06: Vulnerability reported to manufacturer  
2023-04-12: Canon PSIRT creates ticket  
2023-04-27: Update from Canon concerning ongoing analysis  
2023-05-15: Canon confirms security issue  
2023-05-23: Agreement on public disclosure date  
2023-07-17: Canon PSIRT informs about scheduled publication of their  
security advisory  
2023-07-31: Canon PSIRT publishes their security advisory "Vulnerability  
Mitigation/Remediation Format Inkjet Printers (Home and  
Office/Large Format)" (CP2023-003)[3]  
2023-08-03: Public release of SySS security advisory  
[1] Product website for Canon PIXMA TR4550  
[2] SySS Security Advisory SYSS-2023-011  
[3] CP2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers   
(Home and Office/Large Format)  
[4] List of affected printers  
[5] SySS Responsible Disclosure Policy  
This security vulnerability was found by Manuel Stotz of SySS GmbH.  
E-Mail: manuel.stotz (at)  
Public Key:  
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.  
Creative Commons - Attribution (by) - Version 3.0