Pentax Camera Forums
08-11-2019, 02:36 PM - 1 Like   #1
Veteran Member




Join Date: Jun 2009
Posts: 11,913
Hacking camera firmware to plant ransomware

This could easily happen to any brand camera, but security researchers have recently been able to hack the firmware of a Canon 80D to, amongst other things, plant ransomware on the camera via USB or WiFi connections.

Quote:
"The simplified version is, researchers created their own malicious firmware update mechanism that allowed encrypting all images stored on the camera’s flash drive.

“The ransomware uses the same cryptographic functions as the firmware update process, and calls the same AES functions in the firmware. After encrypting all of the files on the SD Card, the ransomware displays the ransom message to the user,” Itkin said."
DEF CON 2019: Picture Perfect Hack of a Canon EOS 80D DSLR | Threatpost

Just a sample, I suspect, of what imaginative hackers could do.

08-11-2019, 02:46 PM   #2
Loyal Site Supporter
UncleVanya's Avatar

Join Date: Jul 2014
Photos: Gallery | Albums
Posts: 28,394
I would expect Canon to be much easier given their firmware design where no modification to firmware is needed to hook 3rd party software. This is why the add-on Magic Lantern is so popular.
08-11-2019, 03:28 PM   #3
Otis Memorial Pentaxian
stevebrot's Avatar

Join Date: Mar 2007
Location: Vancouver (USA)
Photos: Gallery | Albums
Posts: 42,007
The take-away is:
  • There are several exploitable vulnerabilities on the 80D tied to that camera's implementation of the Picture Transfer Protocol (PTP)
  • Demonstrated entry points include USB connection to an infected computer and wi-fi connection to an unsafe access point, basically I/O available to the Picture Transfer Protocol (PTP) used for direct from camera printing, tethering, and direct writes of image data to other devices (https://en.wikipedia.org/wiki/Picture_Transfer_Protocol)
  • Demonstrated vulnerabilities include stealth remote firmware installation
  • Other potential vulnerabilities and entry points may exist
  • The ransomware exploit was proof of concept only
The degree to which this applies to other than Canon product is unknown. FWIW, Pentax cameras implement PTP over USB, though not as the default.


Steve

Last edited by stevebrot; 08-11-2019 at 06:30 PM.
08-11-2019, 07:24 PM - 1 Like   #4
Loyal Site Supporter




Join Date: Jun 2009
Location: Tumbleweed, Arizona
Photos: Gallery | Albums
Posts: 5,707
Yes, it's DEF CON time of the year and there are going to be new reports of vulnerabilities across a potentially wide range of products, devices and systems. Security or more specifically Information Assurance (or some folks like to refer to this as Information Warfare) has been my business for the last 20+ years (but, I'm now retired and prefer to take interesting photographs).
Originally posted by rawr:
This could easily happen to any brand camera, but security researchers have recently been able to hack the firmware of a Canon 80D to, amongst other things, plant ransomware on the camera via USB or WiFi connections.
No, this could not easily happen to any brand of camera.

You must actually execute on the platform in order to create an exploit. Each brand of camera has a different image processing unit - Sony has their Bionz, Canon has their own DIGIC, Fuji uses their EXR III or X Processor Pro, Nikon / Pentax / Sigma use their own proprietary versions based on Fujitsu Milbeaut (Nikon the Expeed and Pentax the PRIME, with Sigma using their True - and the Fujitsu Milbeaut does include a version of the ARM processor embedded within their image processor), etc. Yes, there is some commonality across all of these (most likely the ARM architecture), but each uses a different embedded real time operating system (RTOS), each of which has differing protocols in terms of connecting executable code fragments / exploits. In order to "hack the firmware", you need to accomplish several actions....
  • introduce some software into the system
  • have this introduced software actually execute
  • and have this introduced software be stored (on the device) in order to survive power on/off reset cycles.
The reason why Canon was the target and specifically the 80D is just what @UncleVanya pointed out - the Magic Lantern software extension and the KNOWN method to link into the camera software so as to be able to execute the "unauthorized" software. Essentially this intrusion is somewhat of a low hanging fruit. Also, an intruder is going to have to expend a lot of time and effort in order to accomplish any of this.

Originally posted by UncleVanya:
I would expect Canon to be much easier given their firmware design where no modification to firmware is needed to hook 3rd party software. This is why the add-on Magic Lantern is so popular.
Yup! Magic Lantern is a ready made vehicle for creating and introducing exploits into the Canon ecosystem. It's known, documented, open source, with an abundant supply of examples.

Originally posted by stevebrot:
The take-away is:
  • There are several exploitable vulnerabilities on the 80D tied to that camera's implementation of the Picture Transfer Protocol (PTP)
  • Demonstrated entry points include USB connection to an infected computer and wi-fi connection to an unsafe access point, basically I/O available to the Picture Transfer Protocol (PTP) used for direct from camera printing, tethering, and direct writes of image data to other devices (Picture Transfer Protocol - Wikipedia)
  • Demonstrated vulnerabilities include stealth remote firmware installation
  • Other potential vulnerabilities and entry points may exist
  • The ransomware exploit was proof of concept only
The degree to which this applies to other than Canon product is unknown. FWIW, Pentax cameras implement PTP over USB, though not as the default.
The first rule of security is to define the risk, so you can make intelligent assessments of how to defend the system. In this particular instance, a slightly different design rule applies - don't do stupid (in the first place), especially during the design of the product. All of these exploits are well known and threadbare. They are all easily fixed. The problem is that the camera designers never considered that their cameras might become 1) a target or 2) a transport vehicle to introduce an exploit into another system.

Cameras are power cycled a lot. In order to have a successful vulnerability, the exploit needs to survive a power cycle, which means that it needs to be introduced into flash memory in such a way that upon power up / restart it can find a way to be executed (become active). Transiting across / through USB or WiFi does not necessarily mean or entail successful execution on the targeted device.

Yes, the camera manufacturers need to tighten up their designs and do a better job at securing their products from these types of exploits. On the positive side, you can't exploit a camera that is not powered on - unlike most desktops and laptops (and yes, when my laptop travels, it travels in an RFID sleeve).




Last edited by interested_observer; 08-11-2019 at 07:33 PM.
08-11-2019, 10:11 PM   #5
Veteran Member




Join Date: Jun 2009
Posts: 11,913
Original Poster
Originally posted by interested_observer:
No, this could not easily happen to any brand of camera.
I may have overstated the risk, true. Much depends on hardware and software configurations, and connectivity environments.

But the key to the vulnerability is use of a basic camera control protocol (PTP) that is implemented in thousands of cameras, past and present, from many brands. Hence attacks that launch through PTP vulns won't likely be brand specific.
08-11-2019, 11:26 PM   #6
Otis Memorial Pentaxian
stevebrot's Avatar

Join Date: Mar 2007
Location: Vancouver (USA)
Photos: Gallery | Albums
Posts: 42,007
Originally posted by rawr:
But the key to the vulnerability is use of a basic camera control protocol (PTP) that is implemented in thousands of cameras, past and present, from many brands. Hence attacks that launch through PTP vulns won't likely be brand specific.
Quite the opposite. The key word is "implementation". The standard is widely supported, but the vulnerabilities are most likely the result of brand-specific camera control extensions to a widely available toolkit or a fully proprietary implementation, otherwise the faults would have been detected and exploited years ago. Considering that the list of affected models is fairly long with a few being rather long in the tooth, I suspect that the problems are in long-standing Canon extensions for camera control over USB and WiFi (LINK).

I guess time will tell. Canon has already published worldwide security bulletins. If other makers quickly follow suit, there is likely a shared code base. Otherwise...poor Canon.


Steve
08-11-2019, 11:53 PM - 1 Like   #7
Veteran Member
johnha's Avatar

Join Date: Apr 2012
Location: Lancashire, UK
Photos: Albums
Posts: 1,155
Originally posted by interested_observer:
On the positive side, you can't exploit a camera that is not powered on - unlike most desktops and laptops (and yes, when my laptop travels, it travels in a RFID sleeve)
I'm definitely buying one of those lead lined pouches to put my film in when travelling after reading this 🙂

08-12-2019, 12:19 AM - 1 Like   #8
Loyal Site Supporter




Join Date: Jun 2009
Location: Tumbleweed, Arizona
Photos: Gallery | Albums
Posts: 5,707
Originally posted by rawr:
I may have overstated the risk, true. Much depends on hardware and software configurations, and connectivity environments.
Yes, we do agree on quite a few areas.

Originally posted by rawr:
But the key to the vulnerability is use of a basic camera control protocol (PTP) that is implemented in thousands of cameras, past and present, from many brands. Hence attacks that launch through PTP vulns won't likely be brand specific.
Just because there is a possibility of transferring vulnerabilities through the "data" via PTP does not guarantee successful infection of a target system. The "data" transferred via PTP would need to be handled by the target system's software in such a manner that would enable this transferred "data" to be successfully executed (and also stored in the flash of the targeted unit). Separation of instruction and data spaces has been around for quite a long time, and is enforced by every modern (in the last 30+ years) compiler/assembler. Also, the transferred "data" would need to be in the native machine executable of the target machine. Even with the wide use of the ARM processors across the various brands of camera's image processing chips, there are sufficient differences in the various versions of the ARM processors that native code running on one version of Canon's DIGIC image processor would have problems running on another version of the DIGIC image processor, let alone another camera brand.

One of the main reasons for the prevailing security problems in the PC world is the large homogeneous ecosystem (using the Intel x86 architecture of which the AMD processors also execute). The camera's image processing hardware is not nearly as homogeneous. The greater risk is using the camera units as a transport mechanism in order to infect a PC system with the PTP "data" payload being aimed at the WinTel ecosystem.

Also, I really do not see any individual or group spending a lot of time and effort in trying to utilize cameras as a means for infection or denial of service (which is what ransomware essentially does as a base concept). I really do not see the risk in terms of your camera instructing you to transfer 1/2 of a bitcoin to yourlocalhacker@payme.com to recover your pictures. Stranger things have happened, but the payoff was quite a bit larger. The larger overall problem is the IoT (Internet of Things), of which cameras are a part. Due to the size and its overall integration within the web, IoT will be a painful mess for years to come. It's the gift that will just keep giving and giving and giving.

08-12-2019, 02:40 AM   #9
Loyal Site Supporter




Join Date: Mar 2009
Location: Gladys, Virginia
Photos: Gallery
Posts: 27,650
It doesn't feel as though this is a huge deal. For one thing, as has been mentioned, most brands have specific firmwares that are delivered through the brand's website. There is minimal opportunity to get malicious software on your camera (Magic Lantern is different).

For another thing, the value of your camera is significantly less than that of your computer or your company's mainframe. The value of a computer isn't the computer, it is the stuff on it, the personal information, photos, videos and whatever I haven't backed up recently. But how much would someone really pay if their Canon 80D was ransomed? Not much I wouldn't think.
08-12-2019, 07:04 AM   #10
Pentaxian




Join Date: May 2008
Location: London, UK
Posts: 1,697
Expertreviews article on this subject.

Says that it was found in Canons but could affect other makes and the ransomware could then spread to home networks
08-12-2019, 07:13 AM   #11
Loyal Site Supporter
UncleVanya's Avatar

Join Date: Jul 2014
Photos: Gallery | Albums
Posts: 28,394
I don't mean to suggest that there is no possibility outside of Canon for infection. As others confirmed Canon has a special vulnerability that others lack, but all manufacturers treat cameras with very little attention to security. PTP is never involved in my workflow as I physically move my SD card to my computer. This may give me a false sense of security... But changing my workflow to add a card reformat would add additional security.
08-12-2019, 09:05 AM   #12
Otis Memorial Pentaxian
stevebrot's Avatar

Join Date: Mar 2007
Location: Vancouver (USA)
Photos: Gallery | Albums
Posts: 42,007
Originally posted by UncleVanya:
PTP is never involved in my workflow as I physically move my SD card to my computer.
Do you tether using USB or with a wireless device? If so, it is possibly done through PTP. For Canon, part of the problem is that their cameras are capable of exposing PTP through wireless LAN with TCP/IP as the transport protocol. The other part is that their PTP implementation is exploitable. Whether Pentax's has similar vulnerabilities is hard to say.


Steve
08-12-2019, 09:14 AM   #13
Otis Memorial Pentaxian
stevebrot's Avatar

Join Date: Mar 2007
Location: Vancouver (USA)
Photos: Gallery | Albums
Posts: 42,007
Here is a link to CheckPoint's full discussion of the vulnerability and the hack...

Say Cheese: Ransomware-ing a DSLR Camera - Check Point Research

Very entertaining and informative. BTW...Checkpoint claims that Canon has issued a patch. Has there been a flurry of firmware updates?


Steve

Last edited by stevebrot; 08-12-2019 at 09:24 AM.
08-12-2019, 10:24 AM   #14
Senior Member




Join Date: Jun 2018
Location: Terrassa
Posts: 220
I have to say, and sorry about the double post I did before Steve, that PTP in itself poses a security issue if the camera firmware isn't the best, and while interested_observer did a nice breakdown of the CPU part, they do have much more in common than we think, especially the fact that all of them will eventually work through PTP, an unencrypted protocol that gives direct control to even update the system firmware without user input. So see, PTP is probably the weakest part of the security chain, and independently of the processors used, the important part is how well the firmware is secured.

On Canon's part, they didn't even check if the WiFi packets were the right size, so a buffer overflow was very easy to obtain, and from there you get a vulnerable state that led consoles to the dreaded unsigned code execution. So yes, it can easily happen to any camera if the brand didn't secure the firmware enough.
08-12-2019, 12:52 PM   #15
Loyal Site Supporter




Join Date: Jun 2009
Location: Tumbleweed, Arizona
Photos: Gallery | Albums
Posts: 5,707
Originally posted by Rondec:
It doesn't feel as though this is a huge deal. For one thing, as has been mentioned, most brands have specific firmwares that are delivered through the brand's website. There is minimal opportunity to get malicious software on your camera (Magic Lantern is different).

For another thing, the value of your camera is significantly less than that of your computer or your company's mainframe. The value of a computer isn't the computer, it is the stuff on it, the personal information, photos, videos and whatever I haven't backed up recently. But how much would someone really pay if their Canon 80D was ransomed? Not much I wouldn't think.
The bottom line value of this exploit is rather low if not zero. The real value in this exploit is not in DSLRs or even MILC units, but in smartphones. Android uses MTP/PTP and if they utilize some of the more egregious capabilities offered in PTP (like updating the system firmware without user input). This update feature to my thinking has no real functional value, so why implement the capability - just stub it out (if not eliminate it altogether). With the amount of functionality and information folks retain on their smartphones today, that would be the real target for a substantially greater payoff.

Originally posted by jeallen01:
Expertreviews article on this subject.

Says that it was found in Canons but could affect other makes and the ransomware could then spread to home networks
In theory yes, but with DSLRs and MILCs, you need to infect the camera target (using the native executable of probably the arm processor) in order to store a payload (written in x86 native executable) in order to have any effect on a home network (Windows, Mac and Linux running on either Intel or AMD processors).

Originally posted by UncleVanya:
I don't mean to suggest that there is no possibility outside of Canon for infection. As others confirmed Canon has a special vulnerability that others lack, but all manufacturers treat cameras with very little attention to security. PTP is never involved in my workflow as I physically move my SD card to my computer. This may give me a false sense of security... But changing my workflow to add a card reformat would add additional security.
And that is the large question in play here. Internet of Things (IoT) devices are going to be the real threat, just because the developers take as little time to develop these items. Who needs security? The dirty secret is that many of the best security practices are already built into the development tools (compilers, assemblers, debuggers, software analyzers/optimizers, etc.). For buffer and stack overflows, all the software engineer needs to do is to turn on (enable) the option to check for these conditions. The penalty is that the code will be slightly larger and run a tad slower, however this can be recovered in tightening up the executable code elsewhere. Just run an optimizer and you can recover the few percentages (and more) in a couple of days time during the unit test and module integration phases.

Originally posted by stevebrot:
Do you tether using USB or with a wireless device? If so, it is possibly done through PTP. For Canon, part of the problem is that their cameras are capable of exposing PTP through wireless LAN with TCP/IP as the transport protocol. The other part is that their PTP implementation is exploitable. Whether Pentax's has similar vulnerabilities is hard to say.

Steve
Your point is well taken, and this goes back to the overall design process. Quite a few companies that design products make use of licensed libraries - say for PTP (a make or buy decision), but that does not mean that you want to buy the entire capability. No user in their right mind would want their camera updated with new firmware while they are having lunch next to a wifi hotspot via PTP. Some of these capabilities/functionalities, just because you can perform them, does not make them a good idea for implementation or inclusion in the final product. Actually, they cost money in memory consumption, licensing, testing, documentation, etc., during the product's lifetime. Just take it out. In fact, there are a vast array of security requirements (or controls) that go over all of these. You don't need to be a rocket scientist to think of them, just read the basic security practices, and they will pay for themselves over time.

Originally posted by stevebrot:
Here is a link to CheckPoint's full discussion of the vulnerability and the hack...

Say Cheese: Ransomware-ing a DSLR Camera - Check Point Research

Very entertaining and informative. BTW...Checkpoint claims that Canon has issued a patch. Has there been a flurry of firmware updates?

Steve
For me it was something of an interesting read (along with the other article linked in the thread). Nothing really new, and this is what my team at work did both internally and externally for customers/clients. All the exploits/techniques were all too well known, just that they were applied to the DSLR/MILC device ecosystems. As pointed out earlier, doing a modicum of security during the product concept, initial architecture and design phases, actually saves time and money - easily paying for itself many times over - thereby producing additional profit margin.

Originally posted by CapitanXeon:
I have to say, and sorry about the double post I did before Steve, that PTP in itself poses a security issue if the camera firmware isn't the best, and while interested_observer did a nice breakdown of the CPU part, they do have much more in common than we think, especially the fact that all of them will eventually work through PTP, an unencrypted protocol that gives direct control to even update the system firmware without user input. So see, PTP is probably the weakest part of the security chain, and independently of the processors used, the important part is how well the firmware is secured.

On Canon's part, they didn't even check if the WiFi packets were the right size, so a buffer overflow was very easy to obtain, and from there you get a vulnerable state that led consoles to the dreaded unsigned code execution. So yes, it can easily happen to any camera if the brand didn't secure the firmware enough.
I agree with you in terms of PTP "feature set". Just because you can do something, does not make it a good idea for implementation.
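As an added example, not code from this thread, from Check Point or from any camera vendor, here is what two of the points above look like in C: CapitanXeon's post (#14) about WiFi packets whose size was never checked before use, and interested_observer's reply (#15) about stubbing out the PTP firmware-update capability and turning on the compiler's overflow checks. The parser treats the length field of a PTP/IP Operation Request container as untrusted and checks it against the bytes actually received, the fixed receive buffer and the fixed field layout before reading a single field; the dispatch policy then default-denies every opcode outside a read-only allow-list and refuses a firmware-update opcode outright, whatever the transport. The container header layout, packet type 6 and the standard opcodes (0x1001 GetDeviceInfo and so on) are from the PTP/IP and PTP specifications; `VENDOR_FIRMWARE_UPDATE_OP`, the 512-byte receive buffer and the sample containers are assumptions constructed for this demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PTP/IP container header: 4-byte little-endian length, 4-byte packet type. */
#define PTPIP_HDR_LEN        8u
#define PTPIP_CMD_REQUEST    6u      /* packet type of an Operation Request */
#define PTPIP_MAX_CONTAINER  512u    /* size of our fixed receive buffer (assumption) */
#define PTP_REQ_FIXED_LEN    10u     /* data-phase(4) + opcode(2) + transaction id(4) */
#define PTP_MAX_PARAMS       5u

/* Placeholder for a vendor "update firmware" opcode. PTP reserves 0x9000-0x9FFF for
 * vendor operations, but this exact value is hypothetical, not any manufacturer's code. */
#define VENDOR_FIRMWARE_UPDATE_OP 0x9F00u

typedef struct {
    uint32_t data_phase;
    uint16_t opcode;
    uint32_t transaction_id;
    uint32_t nparams;
    uint32_t params[PTP_MAX_PARAMS];
} ptp_request;

typedef enum { PARSE_OK, PARSE_TRUNCATED, PARSE_TOO_LARGE, PARSE_BAD_LENGTH, PARSE_WRONG_TYPE } parse_status;
typedef enum { DISPATCH_ALLOW, DISPATCH_REJECT_FEATURE, DISPATCH_REJECT_UNKNOWN } dispatch_result;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Parse one Operation Request. `have` is the byte count actually received; the length the
 * header declares is attacker-controlled and is validated against `have`, the receive buffer
 * and the fixed layout before any field is read. Nothing is copied that was not checked. */
parse_status parse_cmd_request(const uint8_t *buf, size_t have, ptp_request *out) {
    if (have < PTPIP_HDR_LEN) return PARSE_TRUNCATED;
    uint32_t declared = rd32(buf);
    uint32_t type = rd32(buf + 4);
    if (declared > PTPIP_MAX_CONTAINER) return PARSE_TOO_LARGE;           /* would overrun our buffer */
    if (declared < PTPIP_HDR_LEN + PTP_REQ_FIXED_LEN) return PARSE_BAD_LENGTH;
    if (declared > have) return PARSE_TRUNCATED;                            /* header promises more than arrived */
    if (type != PTPIP_CMD_REQUEST) return PARSE_WRONG_TYPE;
    size_t param_bytes = declared - PTPIP_HDR_LEN - PTP_REQ_FIXED_LEN;
    if (param_bytes % 4 != 0 || param_bytes / 4 > PTP_MAX_PARAMS) return PARSE_BAD_LENGTH;
    const uint8_t *p = buf + PTPIP_HDR_LEN;
    out->data_phase = rd32(p);
    out->opcode = rd16(p + 4);
    out->transaction_id = rd32(p + 6);
    out->nparams = (uint32_t)(param_bytes / 4);
    memset(out->params, 0, sizeof out->params);
    for (uint32_t i = 0; i < out->nparams; i++) out->params[i] = rd32(p + PTP_REQ_FIXED_LEN + 4 * i);
    return PARSE_OK;
}

/* Default-deny opcode policy: the firmware-update operation is simply not reachable through
 * PTP (the "just take it out" option), and anything not on the read-only allow-list is refused. */
dispatch_result dispatch_policy(const ptp_request *req) {
    switch (req->opcode) {
    case 0x1001: /* GetDeviceInfo */   case 0x1002: /* OpenSession */   case 0x1003: /* CloseSession */
    case 0x1004: /* GetStorageIDs */   case 0x1005: /* GetStorageInfo */
    case 0x1007: /* GetObjectHandles */ case 0x1008: /* GetObjectInfo */
    case 0x1009: /* GetObject */       case 0x100A: /* GetThumb */
        return DISPATCH_ALLOW;
    case VENDOR_FIRMWARE_UPDATE_OP:
        return DISPATCH_REJECT_FEATURE;
    default:
        return DISPATCH_REJECT_UNKNOWN;
    }
}

/* Constructed sample containers (little-endian); not captured from any real camera. */
static const uint8_t SAMPLE_GET_DEVICE_INFO[18] = {
    18, 0, 0, 0,  6, 0, 0, 0,            /* length 18, type 6 (Operation Request) */
    1, 0, 0, 0,   0x01, 0x10,  1, 0, 0, 0 /* data phase 1, opcode 0x1001, transaction 1 */
};
static const uint8_t SAMPLE_GET_OBJECT[22] = {
    22, 0, 0, 0,  6, 0, 0, 0,
    1, 0, 0, 0,   0x09, 0x10,  3, 0, 0, 0, /* opcode 0x1009 GetObject, transaction 3 */
    0x34, 0x12, 0, 0                       /* one parameter: object handle 0x1234 */
};
static const uint8_t SAMPLE_LYING_LENGTH[18] = {
    0xff, 0xff, 0xff, 0x7f,  6, 0, 0, 0,   /* header claims ~2 GB, only 18 bytes follow */
    1, 0, 0, 0,   0x01, 0x10,  1, 0, 0, 0
};
static const uint8_t SAMPLE_ODD_LENGTH[20] = {
    20, 0, 0, 0,  6, 0, 0, 0,              /* 2 trailing bytes: not a whole parameter */
    1, 0, 0, 0,   0x01, 0x10,  1, 0, 0, 0,  0xaa, 0xbb
};
static const uint8_t SAMPLE_FW_UPDATE[18] = {
    18, 0, 0, 0,  6, 0, 0, 0,
    1, 0, 0, 0,   0x00, 0x9f,  2, 0, 0, 0  /* opcode VENDOR_FIRMWARE_UPDATE_OP (placeholder) */
};

/* Small wrappers so the outcomes can be checked as return values. */
int demo_parse(const uint8_t *buf, size_t have, int *opcode_out) {
    ptp_request r;
    parse_status s = parse_cmd_request(buf, have, &r);
    if (opcode_out) *opcode_out = (s == PARSE_OK) ? (int)r.opcode : -1;
    return (int)s;
}
long demo_first_param(const uint8_t *buf, size_t have) {
    ptp_request r;
    if (parse_cmd_request(buf, have, &r) != PARSE_OK || r.nparams == 0) return -1;
    return (long)r.params[0];
}
int demo_policy(const uint8_t *buf, size_t have) {
    ptp_request r;
    if (parse_cmd_request(buf, have, &r) != PARSE_OK) return -1; /* never dispatch what failed to parse */
    return (int)dispatch_policy(&r);
}

int main(void) {
    int op = -1;
    printf("GetDeviceInfo: parse=%d opcode=0x%04x policy=%d\n",
           demo_parse(SAMPLE_GET_DEVICE_INFO, 18, &op), op, demo_policy(SAMPLE_GET_DEVICE_INFO, 18));
    printf("lying length:  parse=%d\n", demo_parse(SAMPLE_LYING_LENGTH, 18, NULL));
    printf("odd length:    parse=%d\n", demo_parse(SAMPLE_ODD_LENGTH, 20, NULL));
    printf("fw update:     policy=%d\n", demo_policy(SAMPLE_FW_UPDATE, 18));
    return 0;
}
```

The explicit checks are the fix; the compiler options interested_observer refers to are the safety net behind them. With GCC or Clang that means building the firmware with `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` (plus `-Wall -Wextra`), which abort on a detected stack overrun or an oversized `memcpy` instead of letting it silently corrupt memory.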
