An international team of security researchers has drawn our attention to a vulnerability related to communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates.
(CVE-ID: CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001)
Due to these vulnerabilities, the potential exists for a third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network.
At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue.
- Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
- Do not connect the camera to a PC or mobile device that is being used in an unsecured network, such as in a free Wi-Fi environment.
- Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
- Disable the camera’s network functions when they are not being used.
- Download the official firmware from Canon’s website when performing a camera firmware update.
There is an increase in use of PCs and mobile devices in an unsecured (free Wi-Fi) network environment where customers are not aware of the network security. As it has become prevalent to transfer images from a camera to a mobile device via a Wi-Fi connection, we will implement firmware updates for the following models that are equipped with the Wi-Fi function.
These vulnerabilities affect the following EOS-series digital SLR and mirrorless cameras:
| EOS-1DX *1 *2 | EOS 6D Mark II | EOS 760D | EOS M5 |
| EOS-1DX MK II *1 *2 | EOS 7D Mark II *1 | EOS 77D | EOS M6 |
| EOS-1DC *1 *2 | EOS 70D | EOS 1300D | EOS M10 |
| EOS 5D Mark IV | EOS 80D | EOS 2000D | EOS M100 |
| EOS 5D Mark III *1 | EOS 750D | EOS 4000D | EOS M50 |
| EOS 5DS *1 | EOS 800D | EOS R | PowerShot SX70 HS |
| EOS 5DS R *1 | EOS 200D | EOS RP | PowerShot SX740 HS |
| EOS 6D | EOS 250D | EOS M3 | PowerShot G5X Mark II |
*1 If a WiFi adapter or a Wireless file transmitter is used, WiFi connection can be established.
*2 Ethernet connections are also affected by these vulnerabilities.
Firmware update information will be provided for each product, in turn, starting from products for which preparations have been completed.
Whoever hacked the f*pening nudes didn't target any specific person. Rather, he hacked backups en masse, then picked those photos that interested him.
It's good Canon is going to fix even older models to fix the issues.
Most people's photos are special to the photographer. Think about your cousin's precious holiday snaps, locked out by ransomware. How many Bitcoins to get them back x 1,000 cameras to be worthwhile in a wider attack?
Users' and makers' privacy, security and reputations are all at stake.
I don't get how such a vulnerability can - or should - ever be a "nothing-burger".
If the camera is known to move from a public network to a private network, it can be used as a vector to infiltrate the private network.
E.g. a foreign government uses hotel wifi in their capital city to infect Canon cameras of visiting journalists. The journalists return home with the camera, and use it on the internal network of their newspaper/agency. The camera contains a virus which is now behind the media organisation's firewall and proceeds to exfiltrate information or disrupt operations.
Worth reading. This hack was specific to Canon but: The researcher wrote, in a technical paper released Sunday, that PTP is a ripe target, given it is an unauthenticated protocol that supports dozens of different complex commands. “[A] vulnerability in PTP can be equally exploited over USB and over Wi-Fi."
Be *thankful* Canon was tested by a black hat and that Canon had some time and a willingness to release patches. Now that the vector is out, there are going to be more than researchers poking around others' implementations of PTP.
I found the researcher's article finally: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/
Thanks. This bit is troubling:
While I admire the enthusiasm of the ML community, this quote suggests that ML's efforts have now yielded unintended consequences affecting NON-users of ML.
Well, the old saying about not having security through obscurity stands.
You should not depend on unsecure protocols and systems by just not documenting them.
If they are there, someone will find them. While the camera is not the most critical vector in the world, this applies to ALL types of systems, think medical devices, they're constantly finding unsecured wireless protocols for things like pacemakers, insulin pumps, etc....
The trouble is, you have people designing systems for things like these and cameras, and aren't hiring on the proper people to make sure these protocols are secure.
I work in IT....and I'm still of the mind that just because most everything CAN be networked, wireless and connected to the internet....most things should NOT be.
Doing so, just opens you up to security exploits, and while networking things does give some convenience....is it really worth it?
Just my $0.02,
Usually such detailed information is released only when fixed software is available - but Canon doesn't look to have made new firmware available worldwide yet.
To those hackers, that’s enough of a reward.
Until you just shot a wedding and have to pay lots of money to (maybe) get those images back..... or you lost those pictures of your kid’s championship game, or your parents' 50th anniversary when 50 relatives showed up for the surprise party......
No, this isn’t a big thing, this is a HUGE thing!
As a professional, you cannot risk this. My cameras have WiFi and Bluetooth turned off until the updates are installed.
The researchers did eventually find the keys but ML did not leak them, a quote from the article: "Being open-source, we hoped that ML would somehow publish this encryption key, allowing us to decrypt the firmware on our own. Unfortunately, that turned out not to be the case. Not only does ML intentionally keep the encryption key secret, we couldn’t even find the key anywhere in the internet. Yet another dead end."
"Usual" black-hat "policy" is to wait till a solution is published or two-months if the company is blowing you off. It seems like the former although they may have rushed it by a day or two to present at a conference.
I agree it's a big deal but it's better to have it done by a black-hat than the next round, probably looking at other brands, that won't be. Search for "security by obscurity" and you will find many resources on why that is a bad idea.
That makes horrifying reading:
- even if the implementation were correct, the *design* of PTP is broken because it apparently allows modification of the camera firmware without user interaction. It's hard to imagine how anyone ever thought that was a good idea. Fix would be to always prompt for confirmation on the camera LCD, no matter what the PTP standard says.
- instead of using a public/private key pair to check for firmware signing, they used symmetric encryption, so that the key needed to make fake firmware is embedded in every camera (security through obscurity, which the Magic Lantern people have already penetrated).
I wish I could say I was surprised at the reported incompetence, but having read the DCF and EXIF standards and observed the endless propagation of incompatible non-self-describing raw formats from Japanese camera manufacturers, I'm not.
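The design point raised in the comment above (a symmetric key embedded in every camera versus a public/private key pair for firmware signing) can be shown in a few lines. This is an added example, not part of the thread and not Canon's code: the HMAC check is a constructed stand-in for "a symmetric key in the device", and a Lamport one-time signature stands in for a production scheme such as Ed25519 or RSA only so the block runs on the Python standard library; all names and firmware strings are hypothetical.

```python
import hashlib
import hmac
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Symmetric check (constructed, not Canon's scheme): verifying needs the signing key.
def mac_tag(key: bytes, firmware: bytes) -> bytes:
    return hmac.new(key, firmware, hashlib.sha256).digest()

def device_accepts_mac(device_key: bytes, firmware: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(device_key, firmware), tag)

# Asymmetric check: Lamport one-time signature, a stdlib-only stand-in.
def _digest_bits(firmware: bytes) -> list:
    d = _h(firmware)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(a), _h(b)) for a, b in priv]
    return priv, pub

def lamport_sign(priv, firmware: bytes) -> list:
    # Reveal one secret per digest bit; the key pair must never sign a second image.
    return [priv[i][bit] for i, bit in enumerate(_digest_bits(firmware))]

def device_accepts_sig(pub, firmware: bytes, sig) -> bool:
    bits = _digest_bits(firmware)
    return len(sig) == 256 and all(
        hmac.compare_digest(_h(s), pub[i][b]) for i, (s, b) in enumerate(zip(sig, bits)))

def demo() -> dict:
    official = b"constructed firmware image 1.0"      # sample data, not a real image
    altered = b"constructed firmware image, altered"
    # Symmetric: the key stored in every device also produces valid tags.
    device_key = secrets.token_bytes(32)
    tag_from_device_key = mac_tag(device_key, altered)
    # Asymmetric: the device stores only pub; priv stays with the vendor.
    priv, pub = lamport_keygen()
    sig = lamport_sign(priv, official)
    pub_as_sig = [pub[i][b] for i, b in enumerate(_digest_bits(altered))]
    return {
        "mac_altered_accepted": device_accepts_mac(device_key, altered, tag_from_device_key),
        "sig_official_accepted": device_accepts_sig(pub, official, sig),
        "sig_reused_on_altered": device_accepts_sig(pub, altered, sig),
        "sig_built_from_device_data": device_accepts_sig(pub, altered, pub_as_sig),
    }
```

With the symmetric check, everything the device needs to verify an image is also enough to authorise a different one; with the signature check, the data stored on the device verifies the official image but cannot authorise an altered one.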