Researchers Infect Canon DSLR Camera With Ransomware

Just when you thought it was safe to download your holiday photos ... it turns out that 'modern' cameras can be hacked through WiFi connections and the USB, a report has shown.

Digital cameras transfer images from the camera to the computer via the Picture Transfer Protocol (PTP), which has numerous commands, including upgrading camera firmware. It is vulnerabilitites in the PTP that can be targeted.

"From an attacker's perspective, the PTP layer looks like a great target (because) PTP is an unauthenticated protocol that supports dozens of different complex commands," writes Eyal Itkin, the researcher behind the Check Point Security report. "Vulnerability in PTP can be equally exploited over USB and over WiFi and the WiFi support makes our cameras more accessible to nearby attackers."

Itkin chose the Canon EOS 80D as his 'victim' (Canon is the world's largest DSLR maker, the EOS 80D supports both USB and WiFi and Canon has an extensive 'modding' community, called Magic Lantern [ML]). The PTP is standardized across the industry, so Check Point "believe that similar vulnerabilities can be found in the PTP implementations of other vendors as well."

In order to access the camera, Itkin tried numerous known methods. None worked, until he checked:

"... if ML ported their software to our camera model, on the chance it contains debugging functionality that will help us dump the firmware. Although such a port has yet to be released, while reading through their forums and Wiki, we did find a breakthrough. ML developed something called Portable ROM Dumper. This is a custom firmware update file that once loaded, dumps the memory of the camera into the SD Card ... Using the instructions supplied in the forum, we successfully dumped the camera’s firmware and loaded it into our disassembler (IDA Pro). Now we can finally start looking for vulnerabilities in the camera."

The end result was that six vulnerabilities were found when the EOS 80D's firmware was reverse engineered:

CVE-2019-5994 – Buffer Overflow in SendObjectInfo (opcode 0x100C)

CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)

CVE-2019-5999– Buffer Overflow in BLERequest (opcode 0x914C)

CVE-2019-6000– Buffer Overflow in SendHostInfo (opcode0x91E4)

CVE-2019-6001– Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)

CVE-2019-5995 – Silent malicious firmware update

Regarding the last of these, Itkin wrote: "There is a PTP command for remote firmware update, which requires zero user interaction. This means that even if all of the implementation vulnerabilities are patched, an attacker can still infect the camera using a malicious firmware update file."

Canon responded to the report by issuing a security bulletin: "Due to these vulnerabilities, the potential exists for third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network. Do not connect the camera to a PC or mobile device that is being used in an unsecure network, such as in a free Wi-Fi environment."

The report concludes that "any smart device ... is susceptible to attacks. The combination of price, sensitive contents, and wide-spread consumer audience makes cameras a lucrative target for attackers. This is a classic example that obscurity does not equal security."

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.