Yes, it's DEF CON time of the year and there are going to be new reports of vulnerabilities across a potentially wide range of products, devices and systems. Security, or more specifically Information Assurance (some folks like to refer to this as Information Warfare), has been my business for the last 20+ years (but I'm now retired and prefer to take interesting photographs).
Originally posted by rawr This could easily happen to any brand camera, but security researchers have recently been able to hack the firmware of a Canon 80D to, amongst other things, plant ransomware on the camera via USB or WiFi connections.
No, this could not easily happen to any brand of camera.
You must actually execute on the platform in order to create an exploit. Each brand of camera has a different image processing unit - Sony has their Bionz, Canon has their own DIGIC, Fuji uses their EXR III or X Processor Pro, Nikon / Pentax / Sigma use their own proprietary versions based on the Fujitsu Milbeaut (Nikon the Expeed and Pentax the PRIME, with Sigma using their True - and the Fujitsu Milbeaut does include a version of the ARM processor embedded within their image processor), etc. Yes, there is some commonality across all of these (most likely the ARM architecture), but each uses a different embedded real time operating system (RTOS), each of which has differing protocols in terms of connecting executable code fragments / exploits. In order to "hack the firmware", you need to accomplish several actions:
- introduce some software into the system
- have this introduced software actually execute
- and have this introduced software be stored (on the device) in order to survive power on/off reset cycles.
The reason why Canon was the target, and specifically the 80D, is just what @UncleVanya pointed out - the Magic Lantern software extension and the KNOWN method to link into the camera software so as to be able to execute the "unauthorized" software. Essentially this intrusion is somewhat of a low-hanging fruit. Also, an intruder is going to have to expend a lot of time and effort in order to accomplish any of this.
Originally posted by UncleVanya I would expect Canon to be much easier given their firmware design, where no modification to firmware is needed to hook 3rd party software. This is why the add-on Magic Lantern is so popular.
Yup! Magic Lantern is a ready-made vehicle for creating and introducing exploits into the Canon ecosystem. It's known, documented, open source, with an abundant supply of examples.
Originally posted by stevebrot The take-away is:
- There are several exploitable vulnerabilities on the 80D tied to that camera's implementation of the Picture Transfer Protocol (PTP)
- Demonstrated entry points include USB connection to an infected computer and wi-fi connection to an unsafe access point, basically I/O available to the Picture Transfer Protocol (PTP) used for direct from camera printing, tethering, and direct writes of image data to other devices (Picture Transfer Protocol - Wikipedia)
- Demonstrated vulnerabilities include stealth remote firmware installation
- Other potential vulnerabilities and entry points may exist
- The ransomware exploit was proof of concept only
The degree to which this applies to other than Canon product is unknown. FWIW, Pentax cameras implement PTP over USB, though not as the default.
The first rule of security is to define the risk, so you can make intelligent assessments of how to defend the system. In this particular instance, a slightly different design rule applies - don't do stupid (in the first place), especially during the design of the product. All of these exploits are well known and threadbare. They are all easily fixed. The problem is that the camera designers never considered that their cameras might become 1) a target or 2) a transport vehicle to introduce an exploit into another system.
Cameras are power cycled a lot. In order to have a successful vulnerability, the exploit needs to survive a power cycle, which means that it needs to be introduced into flash memory in such a way that, upon power up / restart, it can find a way to be executed (become active). Transiting across / through USB or WiFi does not necessarily mean or entail successful execution on the targeted device.
Yes, the camera manufacturers need to tighten up their designs and do a better job at securing their products from these types of exploits. On the positive side, you can't exploit a camera that is not powered on - unlike most desktops and laptops (and yes, when my laptop travels, it travels in an RFID sleeve).
Last edited by interested_observer; 08-11-2019 at 07:33 PM.
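The post above points at the camera's PTP implementation as the entry point and says these kinds of bugs are "easily fixed". As an added illustration (not code from the post, from the researchers, or from any camera vendor), here is a defensively written parser for the PTP-over-USB command container, the 12-byte header (length, type, code, transaction ID) followed by up to five 32-bit parameters that every PTP command starts with. The length field arrives from the USB or WiFi peer and is therefore attacker-controlled; the parser treats it as untrusted and rejects any container whose declared length disagrees with the bytes actually received or whose parameter count would overrun the fixed array. The sample containers are constructed for the example; the OpenSession operation code 0x1002 is from the PTP standard.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTP_HDR_LEN    12u   /* length(4) + type(2) + code(2) + transaction id(4) */
#define PTP_MAX_PARAMS 5u    /* a PTP command carries at most five 32-bit parameters */

enum ptp_type { PTP_CMD = 1, PTP_DATA = 2, PTP_RESP = 3, PTP_EVENT = 4 };

struct ptp_container {
    uint32_t length;
    uint16_t type;
    uint16_t code;
    uint32_t txn;
    uint32_t nparams;
    uint32_t params[PTP_MAX_PARAMS];
};

/* PTP fields are little-endian on the wire; read them byte-wise to avoid alignment issues. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse one received command container. Returns 0 on success, negative on a
 * malformed container. Nothing is copied into *out until every check passed. */
int ptp_parse_command(const uint8_t *buf, size_t buflen, struct ptp_container *out)
{
    if (buf == NULL || out == NULL || buflen < PTP_HDR_LEN)
        return -1;                                  /* not even a full header */

    uint32_t length = rd32(buf);
    /* The declared length must match what was actually received: a value larger
     * than buflen would otherwise drive reads past the end of the receive buffer. */
    if (length < PTP_HDR_LEN || length > buflen)
        return -2;

    uint16_t type = rd16(buf + 4);
    if (type != PTP_CMD)
        return -3;                                  /* only command containers handled here */

    uint32_t payload = length - PTP_HDR_LEN;
    if (payload % 4 != 0)
        return -4;                                  /* parameters are whole 32-bit words */

    uint32_t n = payload / 4;
    if (n > PTP_MAX_PARAMS)
        return -5;                                  /* would overrun params[] if copied blindly */

    memset(out, 0, sizeof *out);
    out->length  = length;
    out->type    = type;
    out->code    = rd16(buf + 6);
    out->txn     = rd32(buf + 8);
    out->nparams = n;
    for (uint32_t i = 0; i < n; i++)
        out->params[i] = rd32(buf + PTP_HDR_LEN + 4 * i);
    return 0;
}

/* Constructed sample containers (not captured from any real camera). */

/* Well-formed OpenSession (0x1002), transaction 0, session id 1: 16 bytes total. */
const uint8_t sample_open_session[16] = {
    0x10, 0x00, 0x00, 0x00,  0x01, 0x00,  0x02, 0x10,
    0x00, 0x00, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00 };

/* Same command, but the length field claims 256 bytes while only 16 arrived. */
const uint8_t sample_lying_length[16] = {
    0x00, 0x01, 0x00, 0x00,  0x01, 0x00,  0x02, 0x10,
    0x00, 0x00, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00 };

/* Consistent length (36 bytes) but six parameters, one more than PTP allows. */
const uint8_t sample_too_many_params[36] = {
    0x24, 0x00, 0x00, 0x00,  0x01, 0x00,  0x02, 0x10,
    0x00, 0x00, 0x00, 0x00 };                       /* remaining 24 bytes are zero params */

struct ptp_container g_parsed;                      /* scratch output used by main and tests */

int main(void)
{
    int rc = ptp_parse_command(sample_open_session, sizeof sample_open_session, &g_parsed);
    printf("open_session: rc=%d code=0x%04x params=%u session=%u\n",
           rc, g_parsed.code, g_parsed.nparams, g_parsed.params[0]);
    printf("lying_length: rc=%d\n",
           ptp_parse_command(sample_lying_length, sizeof sample_lying_length, &g_parsed));
    printf("too_many_params: rc=%d\n",
           ptp_parse_command(sample_too_many_params, sizeof sample_too_many_params, &g_parsed));
    return 0;
}
```

The two rejected samples are the shapes a firmware PTP stack has to expect from a hostile USB host or access point: a length field that does not match the bytes received, and a parameter count beyond the fixed-size structure. Checking both before any copy is the "easily fixed" part; the remaining work is making sure every operation handler applies the same discipline to its own payloads.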