Canon DSLR Camera, The “Unlikely Likely” Candidate For Ransomware Infection
We have been covering ransomware, and the latest “innovations” that improve it at the expense of its victims, since 2017. Its operators are always on top of their game, expanding infection rates and bypassing antivirus software, with a single focus since day one: profit. Ransomware has infected PCs running Windows, Linux, and macOS, and cybercriminals have shown since 2017 that they can infect mobile phones as well. So where is the next target of ransomware? Surely not those “dumb” (non-smart) DSLR cameras, right?
We would love to answer “No”. Unfortunately, cybercriminals are a step ahead of the antivirus vendors, and DSLRs are now at risk of ransomware infection. In this particular case we are looking at the Canon EOS 80D, whose firmware includes a flawed implementation of the Picture Transfer Protocol (PTP). According to Check Point, the cybersecurity firm whose security researcher Eyal Itkin did the work, a complete takeover of the camera is possible if the six critical flaws are fully exploited by a threat actor.
Unlike older DSLRs, the Canon EOS 80D has Wi-Fi capability, which completely changes the equation: the camera can no longer be treated as air-gapped and therefore safe. Eyal Itkin was able to get hold of the firmware in unencrypted form and started reverse-engineering it. The result was the discovery of a lackluster PTP implementation containing six critical security flaws, all of them reachable because of the device’s Wi-Fi capability:
Two of the six critical flaws are buffer overflows in Bluetooth-related PTP commands, even though the EOS 80D lacks Bluetooth hardware; the vulnerable code is present in the firmware regardless. “We started by connecting the camera to our computer using a USB cable. We previously used the USB interface together with Canon’s “EOS Utility” software, and it seems natural to attempt to exploit it first over the USB transport layer,” explained Eyal Itkin. Canon issued an official public statement regarding the vulnerabilities, expressing confidence that pulling off the attack is a considerable undertaking; in Canon’s view, a successful attack following the steps in the proof-of-concept is a remote possibility.
Remote code execution can be achieved both over a USB connection and over a malicious Wi-Fi connection. Canon’s use of PTP to deliver firmware updates is unusual, and especially surprising is the lack of any authentication requirement for a firmware update. An update can be pushed over PTP without the user knowing, and it does not ask for the user’s permission. An attacker can therefore deliver ransomware to the device over Wi-Fi or USB and execute it there. The result is very damaging for the SD card inserted in the device: the images on the card are encrypted, just as a ransomware infection on a PC encrypts all of the user’s data files.
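The bug class behind the buffer overflows described above, a PTP command handler that trusts lengths taken from the wire, as an added example in C. This is not Canon’s firmware and not Check Point’s proof-of-concept; it reproduces none of the six reported bugs. It shows a container parser and a PTP string decoder with the bounds checks a handler needs, beside the unchecked copy they replace. The container and string encodings are the standard PTP-over-USB ones; the simplification that the SendObjectInfo payload is just the filename, the 32-character destination buffer, the error codes, and the three sample containers are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative PTP handling code written for this article. It is NOT Canon
 * firmware and does not reproduce any of the six reported bugs; it shows the
 * bug class (a command handler trusting attacker-supplied lengths) next to
 * the checks that remove it. Wire-format facts used: a PTP-over-USB container
 * is u32 length | u16 type | u16 code | u32 transaction id | payload, all
 * little-endian; a PTP string is u8 NumChars followed by NumChars UTF-16LE
 * code units, the last of which is a NUL terminator. Assumption: the payload
 * here is only the filename string, whereas a real SendObjectInfo dataset has
 * fixed fields before it. */

#define PTP_HDR_LEN           12
#define PTP_TYPE_DATA         2
#define PTP_OC_SENDOBJECTINFO 0x100C   /* real PTP operation code */
#define NAME_CHARS            32       /* hypothetical fixed-size name buffer */

enum ptp_err { PTP_OK = 0, PTP_ERR_SHORT, PTP_ERR_LENGTH, PTP_ERR_TYPE, PTP_ERR_STRING };

struct ptp_container {
    uint32_t length, trans_id;
    uint16_t type, code;
    const uint8_t *payload;
    uint32_t payload_len;
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Container parse that refuses to believe a length field the transport did
 * not actually deliver; without the second check payload_len is attacker
 * controlled and every downstream memcpy becomes a read or write overflow. */
int ptp_parse(const uint8_t *buf, size_t received, struct ptp_container *c) {
    if (received < PTP_HDR_LEN) return PTP_ERR_SHORT;
    c->length = rd32(buf);
    if (c->length < PTP_HDR_LEN || c->length > received) return PTP_ERR_LENGTH;
    c->type = rd16(buf + 4);
    c->code = rd16(buf + 6);
    c->trans_id = rd32(buf + 8);
    c->payload = buf + PTP_HDR_LEN;
    c->payload_len = c->length - PTP_HDR_LEN;
    return PTP_OK;
}

/* 'Before': the loop bound is the on-wire NumChars. NumChars = 0xFF makes it
 * write 255 code units (510 bytes) into a 64-byte buffer, the overflow shape
 * behind this class of PTP bug. Kept only for contrast; never call it on
 * untrusted input. */
void name_copy_unchecked(const uint8_t *payload, uint16_t out[NAME_CHARS]) {
    unsigned n = payload[0];
    for (unsigned i = 0; i < n; i++) out[i] = rd16(payload + 1 + 2 * i);
}

/* 'After': bound NumChars by the bytes actually present AND by the
 * destination, and require the terminator. Returns the number of characters
 * stored (excluding the terminator) or a negative PTP_ERR_* value. */
int ptp_string_decode(const uint8_t *payload, uint32_t payload_len, uint16_t out[NAME_CHARS]) {
    if (payload_len < 1) return -PTP_ERR_SHORT;
    unsigned n = payload[0];
    if (n == 0) { out[0] = 0; return 0; }                           /* empty string */
    if ((uint32_t)n * 2 > payload_len - 1) return -PTP_ERR_STRING;  /* runs past payload */
    if (n > NAME_CHARS) return -PTP_ERR_STRING;                     /* does not fit out[] */
    if (rd16(payload + 1 + 2 * (n - 1)) != 0) return -PTP_ERR_STRING; /* no terminator */
    for (unsigned i = 0; i < n; i++) out[i] = rd16(payload + 1 + 2 * i);
    return (int)n - 1;
}

/* Full path a camera-side handler would take for one incoming data container. */
int handle_object_name(const uint8_t *buf, size_t received, uint16_t out[NAME_CHARS]) {
    struct ptp_container c;
    int rc = ptp_parse(buf, received, &c);
    if (rc != PTP_OK) return -rc;
    if (c.type != PTP_TYPE_DATA || c.code != PTP_OC_SENDOBJECTINFO) return -PTP_ERR_TYPE;
    return ptp_string_decode(c.payload, c.payload_len, out);
}

/* Sample containers, constructed for this example. */
const uint8_t good_container[] = {            /* 31 bytes, name "IMG_0001" */
    0x1F, 0x00, 0x00, 0x00,  0x02, 0x00,  0x0C, 0x10,  0x01, 0x00, 0x00, 0x00,
    0x09, 'I', 0, 'M', 0, 'G', 0, '_', 0, '0', 0, '0', 0, '0', 0, '1', 0, 0, 0 };
const uint8_t overlong_string[] = {           /* NumChars 0xFF, two code units present */
    0x11, 0x00, 0x00, 0x00,  0x02, 0x00,  0x0C, 0x10,  0x02, 0x00, 0x00, 0x00,
    0xFF, 'A', 0, 'A', 0 };
const uint8_t lying_length[] = {              /* length field claims 4 GiB, 17 bytes arrived */
    0xFF, 0xFF, 0xFF, 0xFF,  0x02, 0x00,  0x0C, 0x10,  0x03, 0x00, 0x00, 0x00,
    0x01, 0, 0, 0, 0 };

uint16_t name_buf[NAME_CHARS];

int main(void) {
    printf("good:       %d chars\n", handle_object_name(good_container, sizeof good_container, name_buf));
    printf("overlong:   %d\n", handle_object_name(overlong_string, sizeof overlong_string, name_buf));
    printf("bad length: %d\n", handle_object_name(lying_length, sizeof lying_length, name_buf));
    return 0;
}
```

The two rejected containers are exactly the inputs the unchecked copier would mishandle: the first makes it read and write 510 bytes for a 5-byte payload, the second makes a parser that trusts the length field compute a payload length of about 4 GiB. Both checks are cheap, and the same pattern applies to every PTP handler that carries a variable-length field, over USB or over a Wi-Fi PTP/IP session.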
The Check Point team posted the proof-of-concept attack in a YouTube video, demonstrating how to initiate the transfer of code and execute it on Canon’s camera operating system. Paired with a rogue Wi-Fi access point, transferring the ransomware becomes trivial for a persistent attacker who wishes to target a specific person (the photographer). Until the bugs are patched, we recommend never connecting this DSLR model to any Wi-Fi network you do not trust, and, since the same flaws are reachable over USB, not plugging it into any computer you do not trust either.
Julia Sowells
Julia Sowells is a technology and security professional. Over a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.