Critical Flaw Within Canon DSLR Camera Can Lead To Ransomware Attack

Security researchers have discovered a fundamental flaw in a Canon DSLR camera that could let attackers install malware through the camera's Picture Transfer Protocol (PTP) implementation. The researchers began by dumping the camera's firmware, with the help of tooling from Magic Lantern, a free open-source project that a modding community of Canon owners uses to add new features to their cameras. With the firmware in hand, they hunted for vulnerabilities in the camera itself, in particular flaws that could be used to install malware via PTP. The protocol is an attacker's delight because it is both unauthenticated and supports "dozens of different complex commands," researcher Eyal Itkin of Check Point said in a blog post.
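To make the "unauthenticated, dozens of commands" point concrete, here is an added example (not code from the article, Check Point or Canon) of a minimal PTP command responder. The container layout and the handful of operation and response codes follow the PTP specification (ISO 15740); the responder class, its handler subset and the sample packets are assumptions constructed for illustration. Two things are worth noticing: the only gate in the dispatch path is "has a session been opened?", which any peer satisfies by sending OpenSession, and every length the parser uses is checked against the bytes actually received before anything is sliced, which is the check a command handler has to get right when the transport can be reached over WiFi.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List

# Container header from the PTP spec (ISO 15740): ContainerLength, ContainerType,
# Code, TransactionID, all little-endian. Command parameters follow as uint32 values.
HEADER = struct.Struct("<IHHI")
PTP_COMMAND = 1
MAX_PARAMS = 5  # a command container carries at most five parameters

# A small subset of the standard operation and response codes; the spec defines
# dozens more and vendors add their own (those are not modelled here).
OP_GET_DEVICE_INFO, OP_OPEN_SESSION, OP_CLOSE_SESSION = 0x1001, 0x1002, 0x1003
RC_OK, RC_GENERAL_ERROR, RC_SESSION_NOT_OPEN = 0x2001, 0x2002, 0x2003
RC_OPERATION_NOT_SUPPORTED, RC_INVALID_PARAMETER = 0x2005, 0x201D
RC_SESSION_ALREADY_OPEN = 0x201E


@dataclass
class Container:
    ctype: int
    code: int
    transaction_id: int
    params: List[int]


class PtpError(ValueError):
    """Raised for any container whose wire lengths do not match the bytes received."""


def parse_container(buf: bytes) -> Container:
    """Parse one PTP command container, trusting nothing the peer wrote into it.
    ContainerLength is checked against len(buf) before it is used for slicing, and
    the parameter area must be 0..MAX_PARAMS whole uint32 values."""
    if len(buf) < HEADER.size:
        raise PtpError("short header")
    length, ctype, code, tid = HEADER.unpack_from(buf, 0)
    if length < HEADER.size or length > len(buf):
        raise PtpError(f"ContainerLength {length} does not fit {len(buf)} received bytes")
    if ctype != PTP_COMMAND:
        raise PtpError(f"unexpected container type {ctype}")
    payload = buf[HEADER.size:length]
    if len(payload) % 4 or len(payload) // 4 > MAX_PARAMS:
        raise PtpError("command payload is not 0..5 uint32 parameters")
    params = list(struct.unpack(f"<{len(payload) // 4}I", payload))
    return Container(ctype, code, tid, params)


def build_command(code: int, tid: int, *params: int) -> bytes:
    """Encode a command container the way an initiator (PC, phone, attacker) would."""
    body = struct.pack(f"<{len(params)}I", *params)
    return HEADER.pack(HEADER.size + len(body), PTP_COMMAND, code, tid) + body


def rejects(buf: bytes) -> bool:
    """True if the hardened parser refuses the buffer."""
    try:
        parse_container(buf)
        return False
    except PtpError:
        return True


def tampered_example() -> bytes:
    """Constructed sample: a valid OpenSession command whose ContainerLength claims
    far more bytes than were actually received (a classic over-read trigger)."""
    good = build_command(OP_OPEN_SESSION, 1, 1)
    return struct.pack("<I", 0xFFFFFFFF) + good[4:]


class Responder:
    """Hypothetical responder (the camera side). Note what is absent: there is no
    credential, pairing secret or signature anywhere in the dispatch path."""

    def __init__(self) -> None:
        self.session_id = 0
        self.handlers: Dict[int, Callable[[Container], int]] = {
            OP_GET_DEVICE_INFO: lambda c: RC_OK,
            OP_OPEN_SESSION: self._open_session,
            OP_CLOSE_SESSION: self._close_session,
        }

    def _open_session(self, c: Container) -> int:
        if self.session_id:
            return RC_SESSION_ALREADY_OPEN
        if not c.params or c.params[0] == 0:
            return RC_INVALID_PARAMETER
        self.session_id = c.params[0]
        return RC_OK

    def _close_session(self, c: Container) -> int:
        self.session_id = 0
        return RC_OK

    def handle(self, raw: bytes) -> int:
        try:
            c = parse_container(raw)
        except PtpError:
            return RC_GENERAL_ERROR
        handler = self.handlers.get(c.code)
        if handler is None:
            return RC_OPERATION_NOT_SUPPORTED
        # The only precondition PTP imposes: anything but GetDeviceInfo/OpenSession
        # needs an open session, which any peer can create for itself.
        if c.code not in (OP_GET_DEVICE_INFO, OP_OPEN_SESSION) and not self.session_id:
            return RC_SESSION_NOT_OPEN
        return handler(c)


if __name__ == "__main__":
    cam = Responder()
    print(hex(cam.handle(build_command(OP_OPEN_SESSION, 1, 1))))  # session opened, no credentials asked
    print(hex(cam.handle(tampered_example())))                    # rejected by the length check
```

Run as a script it opens a session and then rejects the tampered packet. The same dispatch table, extended with the real object-transfer and vendor operations, is the surface Check Point was probing; once the transport is WiFi instead of a USB cable, every handler in that table is reachable by whoever controls the access point.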

Commenting on the news are the following security professionals:

5 Expert Comments
Casey Ellis, CTO and Founder
InfoSec Expert
August 13, 2019 9:54 pm

I’ve been waiting to see what target the ransomware threat/business model would go after next, and I’d say the personal and irreplaceable photos are a pretty logical next target. Check Point did a good job of pre-empting this with the research they presented.

The proof-of-concept ransomware attack on DSLR cameras is clever. It’s also difficult to exploit at scale in the wild, which is a core part of the ransomware business model, but proves the concept of the threat of ransomware-style attacks into this space and others well. As is true with most exploits, the exploit leverages a weakness in a design assumption — which means it should be equally simple for the manufacturers to mitigate, and for other industries to learn from when they design their own software.

The important illustration is the role of the ethical hacking community in highlighting these flaws, and the value in encouraging and inviting them to do so.

Companies looking to ensure the security of their IoT devices understand this threat and are turning frequently to the crowd for feedback, and it truly does take a crowd to know what assumptions we’ll need to question and adjust next for the sake of better product security.

Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
InfoSec Expert
August 12, 2019 9:18 pm

Protocols are funny things. When created, they often assume a specific physical interface or connection. When a protocol becomes popular, the semantics, assumptions and interfaces can become standards – a process which happened with PTP. As technologies evolve, it’s not the least bit uncommon for protocols to follow suit, often with implementation reviews which lack awareness of the full semantics, assumptions and interfaces for the standard. In the case of PTP and Canon, it appears that the Picture Transfer Protocol, which was designed and standardized for connections only over USB, was reused over a WiFi link. When the product team elected to use PTP over WiFi, that should’ve triggered a security review of the implementation for new potential threats resulting from the potential for remote access to the camera. This review should’ve looked at any unresolved software defects in an effort to determine whether they became more serious if the code was remotely accessible. Given the nature of the vulnerabilities disclosed by the researchers, additional reviews were warranted.

As a photographer using any DSLR with a WiFi capability, best practices should include enabling WiFi for only as long as required to transfer pictures to a computer for processing or to upload them to a preferred cloud service. Once the upload is completed, WiFi should be disabled to ensure malicious actions can’t be performed on the camera. While it might be prudent to only use trusted access points, when traveling, it’s often difficult to fully vet any WiFi provider. As a result, limiting the window of opportunity for attack by disabling WiFi should be a default.

Javvad Malik, Security Awareness Advocate
InfoSec Expert
August 12, 2019 9:16 pm

This is an interesting vulnerability. It does, however, require the victim to be connected to a rogue WiFi hotspot, which limits the attacker to being in close physical proximity to the intended victim.

Turning off network features in the camera will prevent the attacker from being successful, as will downloading the Canon patch for the camera. However, it’s a good exercise for people to understand what is or isn’t vulnerable. For some, having ransomware on their camera may be little more than a minor inconvenience where a memory card needs to be discarded. The impact to a professional photographer, like a journalist or wedding photographer, would be significant – so those professionals should be taking extra precautions regardless of this particular vulnerability.

Martin Jartelius, CSO
InfoSec Expert
August 12, 2019 9:14 pm

The attack is novel, but historically attacks that require a physical distribution such as an attacker-controlled WiFi access point are far less exploited in practice than attacks that can rely on purely digital distribution. The important thing to remember – if it can be connected to WiFi, that is a strong indication it has a computer, and if it has a computer, there is a good chance it can be abused – even when it’s not meant to be used as a computer in the first place. A piece of simple and sound advice is not to connect “smart” devices to unknown networks, and unknown networks include essentially everything not owned by yourself, your friends or your workplace.

Paul Edon, Senior Director (EMEA)
InfoSec Expert
August 12, 2019 9:12 pm

Preventing attacks against connected devices like DSLR cameras requires effort from both industry and users. Vendors of such devices need to adhere to best practices for built-in security measures, including patching known vulnerabilities. These systems can’t be deployed without consideration for future security updates, ideally automated updates. Consumers need to be aware of the security risks associated with connecting devices online. If there are default settings implemented, these need to be changed. Connected devices shouldn’t be deployed directly on the Internet without an adequate security review. Attackers will find open and accessible systems if they’re available. Lots of other devices are being hit too: thermostats, smart refrigerators, TVs, etc. The trend will continue as more devices become connected online.
