Security firm shows how Canon DSLRs can be 'hijacked' over WiFi

13 August 2019
Comments Comments

Security researchers in the US have demonstrated that a DSLR can be incapacitated using wirelessly transmitted ransomware, a type of WiFi malware that forces victims to pay in order to decrypt their data.

As first reported at Hacker News, these vulnerabilities would allow a malicious actor to take over a target’s DSLR camera through both WiFi and USB, giving full control, and potentially allowing the remote installation of ransomware. In theory, infected users could then be charged to release the camera and images.

The research by Check Point Research involved hijacking a Canon EOS 80D camera, chosen due to Canon's large market share, along with with the 80D's support for USB, Wi-Fi and open-source software Magic Lantern.

Modern DSLR cameras use a standardised protocol to transfer digital images from a camera to a computer. This protocol is called Picture Transfer Protocol (PTP). Initially focused on image transfer, this protocol now contains dozens of different commands that support anything from taking a live picture to upgrading the camera’s firmware.

With many newer camera models now supporting WiFi, what was once a USB-exclusive protocol that was accessible only to USB connected devices, is now also accessible to every WiFi-enabled device in close proximity, opening the device up to malicious takeover. 

"Simulating attackers, we want to find implementation vulnerabilities, hoping to leverage them in order to take over the camera," explains the company. "Such a scenario will allow attackers to do whatever they want with the camera, and infecting it with ransomware is only one of many options."

To do so, an attacker would first need to set-up a rogue WiFi Access Point. "This can be easily achieved by first sniffing the network and then faking the access point to have the same name as the one the camera automatically attempts to connect," writes the company. "Once the attacker is within the same LAN as the camera, he can initiate the exploit."

In March the vulnerabilities were reported to Canon, with both parties working together to patch the vulnerabilities in a patch released in early August.

According to PetaPixel, Canon says there have been no reported cases of this vulnerability being exploited, but the company is working as quickly as possible to patch other affected DSLRs. 

For now, PetaPixel reports that Canon DSLR users with WiFi equipped cameras are being advised to disable the camera’s network functions when they are not being used.

Check Point Research says that in theory, the vulnerability is not just unique to Canon as many other camera brands also use PTP. 

"Our research shows that any “smart” device, in our case a DSLR camera, is susceptible to attacks. The combination of price, sensitive contents, and wide-spread consumer audience makes cameras a lucrative target for attackers."

You can read the research document in full here. 

comments powered by Disqus