Canon Firmware

Canon issues a security advisory for PTP equipped EOS DSLRs, EOS mirrorless and PowerShot cameras

From Canon:

An international team of security researchers has drawn our attention to a vulnerability related to communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates.

(CVE-ID:CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001)

Due to these vulnerabilities, the potential exists for a third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network.

At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue.

  • Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
  • Do not connect the camera to a PC or mobile device that is being used in an unsecured network, such as in a free Wi-Fi environment.
  • Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
  • Disable the camera’s network functions when they are not being used.
  • Download the official firmware from Canon’s website when performing a camera firmware update.

There is an increase in use of PCs and mobile devices in an unsecured (free Wi-Fi) network environment where customers are not aware of the network security. As it has become prevalent to transfer images from a camera to a mobile device via a Wi-Fi connection, we will implement firmware updates for the following models that are equipped with the Wi-Fi function.

 

These vulnerabilities affect the following EOS-series digital SLR and mirrorless cameras:

EOS-1DX*1 *2       | EOS 6D Mark II   | EOS 760D  | EOS M5
EOS-1DX MK II*1 *2 | EOS 7D Mark II*1 | EOS 77D   | EOS M6
EOS-1DC*1 *2       | EOS 70D          | EOS 1300D | EOS M10
EOS 5D Mark IV     | EOS 80D          | EOS 2000D | EOS M100
EOS 5D Mark III*1  | EOS 750D         | EOS 4000D | EOS M50
EOS 5DS*1          | EOS 800D         | EOS R     | PowerShot SX70 HS
EOS 5DS R*1        | EOS 200D         | EOS RP    | PowerShot SX740 HS
EOS 6D             | EOS 250D         | EOS M3    | PowerShot G5X Mark II

 

*1 If a WiFi adapter or a Wireless file transmitter is used, WiFi connection can be established.

*2 Ethernet connections are also affected by these vulnerabilities.

Firmware update information will be provided for each product, in turn, starting from products for which preparations have been completed.

Dec 6, 2018
69
87
An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.
 

Antono Refa

EOS 7D MK II
Mar 26, 2014
799
102
An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.
Whoever hacked the f*pening nudes didn't target any specific person. Rather he hacked backups en masse, then picked those photos that interested him.
 

LDS

EOS R
Sep 14, 2012
1,529
125
Photoreporters could be hacked to try to understand what they shoot and when - there have been reports about spyware - even some that should be available to law enforcement agencies only, used to track and spy on journalists and activists.

It's good Canon is going to fix even older models to fix the issues.
 

pixel8foto

EOS M50
Jan 27, 2015
49
6
UK
www.joelgoodman.net
An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.
Most people's photos are special to the photographer. Think about your cousin's precious holiday snaps, locked out by ransomware. How many Bitcoins to get them back x 1,000 cameras to be worthwhile in a wider attack?

Users' and makers' privacy, security and reputations are all at stake.

I don't get how such a vulnerability can - or should - ever be a "nothing-burger".
 

hollybush

EOS M50
Feb 1, 2012
40
16
An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.
If the camera is known to move from a public network to a private network, it can be used as a vector to infiltrate the private network.

E.g. a foreign government uses hotel wifi in their capital city to infect Canon cameras of visiting journalists. The journalists return home with the camera, and use it on the internal network of their newspaper/agency. The camera contains a virus which is now behind the media organisation's firewall and proceeds to exfiltrate information or disrupt operations.
 

brianboru

EOS T7i
May 1, 2012
98
9
https://threatpost.com/hack-of-a-canon-eos-80d-dslr/147214/

Worth reading. This hack was specific to Canon but: The researcher wrote, in a technical paper released Sunday, that PTP is a ripe target, given it is an unauthenticated protocol that supports dozens of different complex commands. “[A] vulnerability in PTP can be equally exploited over USB and over Wi-Fi.”

Be *thankful* Canon was tested by a black hat and that Canon had some time and a willingness to release patches. Now that the vector is out, there are going to be more than researchers poking around others' implementations of PTP.
 

brianboru

EOS T7i
May 1, 2012
98
9
Could this have been accomplished without Magic Lantern?
Yes. Was this particular round, no.

I found the researcher's article finally: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/

Introducing our target
We chose to focus on Canon’s EOS 80D DSLR camera for multiple reasons, including:

 

KrisK

EOS T7i
Jun 8, 2013
57
4
Yes. Was this particular round, no.

I found the researcher's article finally: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/
Thanks. This bit is troubling:

Attackers are profit-maximisers, they strive to get the maximum impact (profit) with minimal effort (cost). In this case, research on Canon cameras will have the highest impact for users, and will be the easiest to start, thanks to the existing documentation created by the ML community.
While I admire the enthusiasm of the ML community, this quote suggests that ML's efforts have now yielded unintended consequences affecting NON-users of ML.
 

cayenne

EOS R
Mar 28, 2012
1,873
89
Thanks. This bit is troubling:



While I admire the enthusiasm of the ML community, this quote suggests that ML's efforts have now yielded unintended consequences affecting NON-users of ML.

Well, the old saying about not having security through obscurity stands.

You should not depend on unsecure protocols and systems by just not documenting them.

If they are there, someone will find them. While the camera is not the most critical vector in the world, this applies to ALL types of systems, think medical devices, they're constantly finding unsecured wireless protocols for things like pacemakers, insulin pumps, etc....

The trouble is, you have people designing systems for things like these and cameras, and aren't hiring on the proper people to make sure these protocols are secure.

I work in IT....and I'm still of the mind that just because most everything CAN be networked, wireless and connected to the internet....most things should NOT be.

Doing so, just opens you up to security exploits, and while networking things does give some convenience....is it really worth it?

Just my $0.02,

C
 

LDS

EOS R
Sep 14, 2012
1,529
125
Correct. Anyway they used ML tools to ease their research, but we really don't know if Canon firmware or encryption keys leaked in some other, unknown, ways.

Just usually this detailed information is released only when fixed software is available - but Canon doesn't look to have made available new firmware worldwide yet.
 

bsbeamer

EOS RP
Nov 5, 2011
277
9
Will be interesting to see how the 5D4 update is handled. As someone who paid to upgrade to C-LOG, I wasn't able to download or install the EOS 5D Mark IV Firmware Version 1.1.2 update. Have been "stuck" without a firmware update since that upgrade.
 

melgross

EOS RP
Nov 2, 2016
343
140
For those who think it’s “boring” to hackers because nothing useful seems to be accomplished, though others have shown that this may not be true, remember that there are still plenty of hackers out there who do it just to mess with people, and make their lives more difficult.

To those hackers, that’s enough of a reward.
 

Don Haines

Beware of cats with laser eyes!
Jun 4, 2012
8,021
1,481
Canada
An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.
An attack on a camera is nothing. It is just noise.

Until you just shot a wedding and have to pay lots of money to (maybe) get those images back..... or you lost those pictures of your kid’s championship game, or your parents' 50th anniversary when 50 relatives showed up for the surprise party......

No, this isn’t a big thing, this is a HUGE thing!

As a professional, you cannot risk this. My cameras have WiFi and Bluetooth turned off until the updates are installed.
 

brianboru

EOS T7i
May 1, 2012
98
9
Correct. Anyway they used ML tools to ease their research, but we really don't know if Canon firmware or encryption keys leaked in some other, unknown, ways.

Just usually this detailed information is released only when fixed software is available - but Canon doesn't look to have made available new firmware worldwide yet.
The researchers did eventually find the keys but ML did not leak them, a quote from the article: "Being open-source, we hoped that ML would somehow publish this encryption key, allowing us to decrypt the firmware on our own. Unfortunately, that turned out not to be the case. Not only does ML intentionally keep the encryption key secret, we couldn’t even find the key anywhere in the internet. Yet another dead end."

"Usual" black-hat "policy" is to wait till a solution is published or two-months if the company is blowing you off. It seems like the former although they may have rushed it by a day or two to present at a conference.

I agree it's a big deal but it's better to have it done by a black-hat than the next round, probably looking at other brands, that won't be. Search for "security by obscurity" and you will find many resources on why that is a bad idea.
 

hollybush

EOS M50
Feb 1, 2012
40
16
That makes horrifying reading:

- even if the implementation were correct, the *design* of PTP is broken because it apparently allows modification of the camera firmware without user interaction. It's hard to imagine how anyone ever thought that was a good idea. Fix would be to always prompt for confirmation on the camera LCD, no matter what the PTP standard says.

- instead of using a public/private key pair to check for firmware signing, they used symmetric encryption, so that the key needed to make fake firmware is embedded in every camera (security through obscurity, which the Magic Lantern people have already penetrated).

I wish I could say I was surprised at the reported incompetence, but having read the DCF and EXIF standards and observed the endless propagation of incompatible non-self-describing raw formats from Japanese camera manufacturers, I'm not.
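
The contrast drawn in the post above, between a verification key embedded in every camera and a public/private key pair, shown as an added example (not code from the thread, the researchers' article or Canon's firmware). It assumes HMAC-SHA256 as a stand-in for the symmetric check and textbook RSA with toy parameters as a stand-in for a real signature scheme; every name, key and image value is constructed for illustration.

```python
import hashlib
import hmac

# Design A: symmetric check. The same secret sits in every shipped device.
DEVICE_KEY = b"constructed-demo-key"  # hypothetical value, not a real key

def make_tag(image: bytes, key: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()

def device_accepts_symmetric(image: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(make_tag(image, DEVICE_KEY), tag)

# Design B: signature check. Textbook RSA with toy parameters, for illustration
# only (no padding, modulus far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1               # two Mersenne primes
N, E = P * Q, 65537                        # public key: all the device stores
VENDOR_D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: never leaves the vendor

def digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N

def vendor_sign(image: bytes) -> int:
    return pow(digest_int(image), VENDOR_D, N)

def device_accepts_signature(image: bytes, signature: int) -> bool:
    return pow(signature, E, N) == digest_int(image)

def compare_designs() -> dict:
    official = b"constructed official image v1.0"
    unofficial = b"constructed unofficial image"
    return {
        # An official update passes under both designs.
        "A_official": device_accepts_symmetric(official, make_tag(official, DEVICE_KEY)),
        "B_official": device_accepts_signature(official, vendor_sign(official)),
        # Whoever reads DEVICE_KEY out of one unit can tag any image for all units.
        "A_unofficial_with_device_key": device_accepts_symmetric(
            unofficial, make_tag(unofficial, DEVICE_KEY)),
        # Under B the device holds only (N, E): the official signature does not
        # carry over to a different image, and nothing on the device can sign.
        "B_unofficial_reused_sig": device_accepts_signature(
            unofficial, vendor_sign(official)),
    }

if __name__ == "__main__":
    for name, accepted in compare_designs().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

In a production design the signature would come from a vetted library (for example RSA-PSS or Ed25519) and the device would store only the public key, which is what makes extracting a unit's contents useless for signing.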