News Security researcher shows digital cameras susceptible to remote malware attacks


Code Monkey 🐒

There's a few articles hitting the street today about a security researcher being able to use Wi-Fi to remotely install a fake firmware infected with malware to a Canon EOS 80D to encrypt all of the images on the memory card. The malicious payload takes advantage of the Picture Transfer Protocol (PTP). So far there has been no reports of this taking place in the wild.

Most of the articles talk only about Wi-Fi but the actual release from Checkpoint Research, who published the security finding, says that USB connected devices are susceptible as well. No interaction is required of the camera user for the payload to be done, the attacker just needs to be on the same network as the device. This is different from the most common attack delivery methods that relies on the user doing an action first, like somebody clicking on a bogus "Your software needs to be updated!" pop-up window while visiting a web site.

The Canon 80D was specifically targeted but the real issue is with the PTP protocol. The Checkpoint researcher stated "As the PTP protocol offers a variety of commands, and is not authenticated or encrypted in any way, he demonstrated how he (mis)used the protocol’s functionality for spying over a victim.". Apparently PTP is a hackers best friend because (1) PTP is unauthenticated while supporting lots of commands that write to a device, (2) PTP is accessible over both USB and Wi-Fi, and (3) Wi-Fi enabled devices allow for attacks to be done without physical access to the device. They chose to target the 80D due to Canon's market share, it has Wi-Fi, and the Magic Lantern project has already torn apart a lot of the Canon firmware.

Prior to releasing their findings Checkpoint reported the issue to Canon who issued a security announcement last week to turn off Wi-Fi if you're not using it.

Canon has also issued a firmware update for the 80D numbered 1.0.3 on 2019-08-06.

Canon UK has published a list of which devices are affected at Canon Product Security - Canon UK.

OS-1DX*1 *2EOS 6D Mark IIEOS 760DEOS M5
EOS-1DC*1 *2EOS 70DEOS 1300DEOS M10
EOS 5D Mark IVEOS 80DEOS 2000DEOS M100
EOS 5D Mark III*1EOS 750DEOS 4000DEOS M50
EOS 5DS*1EOS 800DEOS RPowerShot SX70 HS
EOS 5DS R*1EOS 200DEOS RPPowerShot SX740 HS
EOS 6DEOS 250DEOS M3PowerShot G5X Mark II

And here's the Checkpoint video of this hack in action...