There's a few articles hitting the street today about a security researcher being able to use Wi-Fi to remotely install a fake firmware infected with malware to a Canon EOS 80D to encrypt all of the images on the memory card. The malicious payload takes advantage of the Picture Transfer Protocol (PTP). So far there has been no reports of this taking place in the wild.
Most of the articles talk only about Wi-Fi but the actual release from Checkpoint Research, who published the security finding, says that USB connected devices are susceptible as well. No interaction is required of the camera user for the payload to be done, the attacker just needs to be on the same network as the device. This is different from the most common attack delivery methods that relies on the user doing an action first, like somebody clicking on a bogus "Your software needs to be updated!" pop-up window while visiting a web site.
The Canon 80D was specifically targeted but the real issue is with the PTP protocol. The Checkpoint researcher stated "As the PTP protocol offers a variety of commands, and is not authenticated or encrypted in any way, he demonstrated how he (mis)used the protocol’s functionality for spying over a victim.". Apparently PTP is a hackers best friend because (1) PTP is unauthenticated while supporting lots of commands that write to a device, (2) PTP is accessible over both USB and Wi-Fi, and (3) Wi-Fi enabled devices allow for attacks to be done without physical access to the device. They chose to target the 80D due to Canon's market share, it has Wi-Fi, and the Magic Lantern project has already torn apart a lot of the Canon firmware.
Say Cheese: Ransomware-ing a DSLR Camera - Check Point Research
Research by: Eyal Itkin TL;DR Cameras. We take them to every important life event, we bring them on our vacations, and we store them in a protective case to keep them safe during transit. Cameras are more than just a tool or toy; we entrust them with our very memories, and so they are very important […]
research.checkpoint.com
Prior to releasing their findings Checkpoint reported the issue to Canon who issued a security announcement last week to turn off Wi-Fi if you're not using it.
Regarding the security advisory for Canon digital cameras related to PTP (Picture Transfer Protocol) communication functions and firmware update functions | Canon Global
Here you will find information regarding the security advisory for Canon digital cameras related to PTP (Picture Transfer Protocol) communication functions and firmware update functions
Canon has also issued a firmware update for the 80D numbered 1.0.3 on 2019-08-06.
Canon Support for EOS 80D | Canon U.S.A., Inc.
Find support for your Canon EOS 80D. Browse the recommended drivers, downloads, and manuals to make sure your product contains the most up-to-date software.
Canon UK has published a list of which devices are affected at Canon Product Security - Canon UK.
| OS-1DX*1 *2 | EOS 6D Mark II | EOS 760D | EOS M5 |
| EOS-1DX MK II*1 *2 | EOS 7D Mark II*1 | EOS 77D | EOS M6 |
| EOS-1DC*1 *2 | EOS 70D | EOS 1300D | EOS M10 |
| EOS 5D Mark IV | EOS 80D | EOS 2000D | EOS M100 |
| EOS 5D Mark III*1 | EOS 750D | EOS 4000D | EOS M50 |
| EOS 5DS*1 | EOS 800D | EOS R | PowerShot SX70 HS |
| EOS 5DS R*1 | EOS 200D | EOS RP | PowerShot SX740 HS |
| EOS 6D | EOS 250D | EOS M3 | PowerShot G5X Mark II |
And here's the Checkpoint video of this hack in action...
