Not such a pretty picture. Security researchers manage to hack Canon DSLR camera with ransomware
Security researchers at Check Point have revealed they were able to successfully hack a Canon DSLR camera and install ransomware.
DSLR (digital single-lens reflex) cameras are still used by professionals and by those who are serious about photography, and Canon is one of the biggest names in the sector.
DSLR cameras typically connect to PCs using a USB interface, but newer versions can support Wi-Fi as well. In order to install the ransomware, the Check Point researchers said they were able to exploit the Picture Transfer Protocol (PTP), the protocol typically used to transfer images from the device to a computer.
The researchers showed the exploit at the Defcon security conference, using a Canon EOS 80D, which offers both USB and Wi-Fi connectivity and also has an extensive modding community called Magic Lantern (ML).
The researchers started off by seeing if they could locate firmware for the camera (they did). Then, using an ML tool called Portable ROM Dumper, they were able to reverse engineer the code.
Check Point researchers were then able to discover several vulnerabilities, including buffer overflows that enabled code execution. These flaws could be exploited to take control of a camera remotely using a malicious firmware update that would allow ransomware to be deployed.
And to make matters worse, the attack could also take place if there was physical access to the camera via USB or by tricking a user into connecting to a rogue wireless network.
Check Point offered the following video of its hack.
“During our research we found multiple critical vulnerabilities in the Picture Transfer Protocol as implemented by Canon,” said Check Point. “Although the tested implementation contains many proprietary commands, the protocol is standardized, and is embedded in other cameras. Based on our results, we believe that similar vulnerabilities can be found in the PTP implementations of other vendors as well.”
“Our research shows that any ‘smart’ device, in our case a DSLR camera, is susceptible to attacks,” the researchers added. “The combination of price, sensitive contents, and wide-spread consumer audience makes cameras a lucrative target for attackers.”
“A final note about the firmware encryption. Using Magic Lantern’s ROM Dumper, and later using the functions from the firmware itself, we were able to bypass both the encryption and verification,” they said. “This is a classic example that obscurity does not equal security, especially when it took only a small amount of time to bypass these cryptographic layers.”
Thankfully Check Point followed the responsible disclosure route.
In March it reported the vulnerabilities to Canon, and by mid-May Canon confirmed the exploits worked.
In early July Canon and Check Point worked together on the Canon patches, which were released to the general public on 6 August.
So the advice is clear: if you own a Canon DSLR, check to see if an update is available.
Security experts were very keen to point out that the exploit demonstrated that DSLR camera makers need to implement best practice procedures for their equipment.
“Preventing attacks against connected devices like DSLR cameras requires effort from both industry and users,” said Paul Edon, senior director (EMEA) at Tripwire. “Vendors of such devices need to adhere to best practices for built-in security measures, including patching known vulnerabilities.”
“These systems can’t be deployed without consideration for future security updates, ideally automated updates,” said Edon. “Consumers need to be aware of the security risks associated when connecting devices online. If there are default settings implemented, these need to be changed.”
“Connected devices shouldn’t be deployed directly on the Internet without adequate security reviewed,” he added. “Attackers will find open and accessible systems if they’re available. Lots of other devices are being hit too. Thermostats, smart refrigerators, TVs, etc. The trend will continue as more devices become connected online.”
Another expert also noted that any device with Wi-Fi connectivity is potentially vulnerable.
“The attack is novel, but historically attacks that require a physical distribution such as an attacker-controlled Wi-Fi access-point are far less exploited in practice than attacks that can rely on purely digital distribution,” explained Martin Jartelius, CSO at Outpost24.
“The important thing to remember – if it can be connected to a Wi-Fi, that is a strong indication it has a computer, and if it has a computer, there is a good chance it can be abused – even when it’s not meant to be used as a computer in the first place,” said Jartelius. “A piece of simple and sound advice is not to connect ‘smart’ devices to unknown networks, and unknown networks include essentially everything not owned by yourself, your friends or your workplace.”
Another expert reinforced the advice not to connect the device to outside networks, and said the flaw could potentially be more serious for professional photographers and journalists than for average users.
“This is an interesting vulnerability,” said Javvad Malik, security awareness advocate at KnowBe4. “It does, however, require the victim to be connected to a rogue Wi-Fi hotspot which limits the attacker to being in close physical proximity to the intended victim.”
“Turning off network features in the camera will prevent the attacker from being successful, as will downloading the Canon patch for the camera,” said Malik. “The impact to a professional photographer, like a journalist, or wedding photographer would be significant – so those professionals should be taking extra precautions regardless of this particular vulnerability.”