Vulnerabilities in the image transfer protocol used by digital cameras enabled a security researcher to infect a Canon EOS 80D DSLR with ransomware over a rogue WiFi connection.

Six flaws were discovered in the implementation of the Picture Transfer Protocol (PTP) in Canon cameras, some of them offering exploit options for a variety of attacks.

The final stage of an attack would be a complete takeover of the device, allowing hackers to deploy any kind of malware on the camera.

On devices that support a wireless connection, the compromise can occur through a rogue WiFi access point. Otherwise, a hacker could attack the camera through the computer it connects to.

Six vulnerabilities in the Picture Transfer Protocol

After jumping through some hoops to obtain the firmware in unencrypted form, security researcher Eyal Itkin from Check Point was able to analyze how PTP is implemented in Canon's cameras.

He scanned all 148 supported commands and narrowed the list to the 38 that receive an input buffer.

Below is a list of the vulnerable commands and their unique numeric opcode. Not all of them are required for unauthorized access to the camera, though.

CVE-2019-5994 – Buffer Overflow in SendObjectInfo (opcode 0x100C)
CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)
CVE-2019-5999 – Buffer Overflow in BLERequest (opcode 0x914C)
CVE-2019-6000 – Buffer Overflow in SendHostInfo (opcode 0x91E4)
CVE-2019-6001 – Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)
CVE-2019-5995 – Silent malicious firmware update

The second and third bugs are in commands related to Bluetooth, even though the target camera model does not support this type of connection.
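As an added illustration (not Canon's firmware code and not Check Point's exploit), the C sketch below parses a PTP command container and shows the input-length check whose absence turns a handler like SendObjectInfo (opcode 0x100C) into a buffer overflow. The container layout (u32 length, u16 type, u16 code, u32 transaction id, then payload, little-endian) follows the PTP specification; the 128-byte buffer size, the function names and the constructed test packet are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define PTP_HDR_LEN 12             /* u32 length, u16 type, u16 code, u32 transaction id */
#define PTP_TYPE_DATA 2
#define MAX_OBJECT_INFO 128        /* hypothetical size of the handler's fixed buffer */
enum { PTP_OC_SendObjectInfo = 0x100C };   /* opcode from the CVE list above */
struct ptp_container {
    uint32_t length, trans_id; uint16_t type, code;
    const uint8_t *payload; size_t payload_len;
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a little-endian PTP container. Returns 0, or -1 if malformed. */
int ptp_parse(const uint8_t *buf, size_t buf_len, struct ptp_container *c) {
    if (buf_len < PTP_HDR_LEN) return -1;
    c->length = rd32(buf); c->type = rd16(buf + 4);
    c->code = rd16(buf + 6); c->trans_id = rd32(buf + 8);
    /* The length field is peer-controlled: it must not exceed what was actually received. */
    if (c->length < PTP_HDR_LEN || c->length > buf_len) return -1;
    c->payload = buf + PTP_HDR_LEN; c->payload_len = c->length - PTP_HDR_LEN;
    return 0;
}

/* Hardened SendObjectInfo handler: copy the dataset into a fixed buffer only if it fits.
 * Returns bytes copied, or -1 if rejected; dropping the out_len check is the overflow pattern. */
int handle_send_object_info(const struct ptp_container *c, uint8_t *out, size_t out_len) {
    if (c->type != PTP_TYPE_DATA || c->code != PTP_OC_SendObjectInfo) return -1;
    if (c->payload_len > out_len) return -1;
    memcpy(out, c->payload, c->payload_len);
    return (int)c->payload_len;
}

/* Constructed input: a SendObjectInfo data container with payload_len filler bytes.
 * If lie is non-zero the header claims more bytes than were really received. */
int demo_send_object_info(size_t payload_len, int lie) {
    uint8_t pkt[PTP_HDR_LEN + 512], out[MAX_OBJECT_INFO];
    struct ptp_container c;
    if (payload_len > 512) return -2;
    uint32_t total = (uint32_t)(PTP_HDR_LEN + payload_len), claimed = lie ? total + 1000 : total;
    pkt[0] = claimed & 0xff; pkt[1] = (claimed >> 8) & 0xff; pkt[2] = (claimed >> 16) & 0xff; pkt[3] = claimed >> 24;
    pkt[4] = PTP_TYPE_DATA; pkt[5] = 0; pkt[6] = PTP_OC_SendObjectInfo & 0xff; pkt[7] = PTP_OC_SendObjectInfo >> 8;
    memset(pkt + 8, 0, 4); memset(pkt + PTP_HDR_LEN, 0x41, payload_len);
    if (ptp_parse(pkt, total, &c) != 0) return -1;
    return handle_send_object_info(&c, out, sizeof out);
}
```

A payload that fits the buffer is copied, an oversized one is refused, and a header that claims more bytes than arrived is rejected before any copy happens.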

"We started by connecting the camera to our computer using a USB cable. We previously used the USB interface together with Canon’s “EOS Utility” software, and it seems natural to attempt to exploit it first over the USB transport layer." - Eyal Itkin

A wireless connection cannot be used while the camera is connected to a computer via USB. Nevertheless, Itkin could test and adjust his exploit code for the second vulnerability until he achieved code execution over the USB connection.

However, this did not carry over to a wireless connection: the exploit script broke and the camera crashed. One explanation is that "sending a notification about the Bluetooth status, when connecting over WiFi, simply confuses the camera. Especially when it doesn’t even support Bluetooth."

This drove the researcher to dig deeper and find the other vulnerable commands and a way to exploit them in a meaningful way over the air.

Using the firmware's crypto functions

He discovered a PTP command that permits remote firmware updates without any interaction from the user. Reverse engineering revealed the keys used to verify the legitimacy of the firmware and to encrypt it.

A malicious update built with those keys would carry the correct signatures, so the camera would accept it as legitimate because it passes verification.

The effort paid off: Itkin was not only able to build an exploit that worked over both USB and WiFi, but also found a way to encrypt files on the camera's storage card, using the same cryptographic functions the firmware update process relies on.

The video below shows successful exploitation of vulnerabilities in Picture Transfer Protocol and infecting a Canon EOS 80D camera with ransomware. At the end, the owner of the camera would see the ransom note from the attacker:

While this may not be a threat for users who connect their camera only to trusted WiFi networks, an attacker could target visitors of popular tourist attractions.

Check Point responsibly disclosed the vulnerabilities to Canon on March 31, and they were validated on May 14. The two companies worked together to fix the issues.

Canon published an advisory last week stating that it has no reports of malicious exploitation of the flaws and pointing users to the company's sales website in their region for details about firmware that addresses the problems.

For users in Europe, a firmware update to version 1.0.3 has been available since July 30, the same release date as for those in Asia (download here). Customers in the U.S. have been able to install the same version from here since August 6.