Canon issues a security advisory for PTP equipped EOS DSLRs, EOS mirrorless and PowerShot cameras

TomDibble

I'm New Here
Jun 15, 2017
17
3
The researchers did eventually find the keys but ML did not leak them, a quote from the article: "Being open-source, we hoped that ML would somehow publish this encryption key, allowing us to decrypt the firmware on our own. Unfortunately, that turned out not to be the case. Not only does ML intentionally keep the encryption key secret, we couldn’t even find the key anywhere in the internet. Yet another dead end."

"Usual" black-hat "policy" is to wait till a solution is published or two months if the company is blowing you off. It seems like the former, although they may have rushed it by a day or two to present at a conference.

I agree it's a big deal, but it's better to have it done by a black hat than the next round, probably looking at other brands, that won't be. Search for "security by obscurity" and you will find many resources on why that is a bad idea.
Just a quick note on terminology (and apologies if this was already corrected in the ensuing pages of replies I haven't gotten to yet). You are describing "white hat" (or "ethical") hackers. "Black hats" are those who have now been alerted to this PTP flaw and will be working to make money off it rather than report it to Canon.

"White" vs "black" hats refer to the old cowboy movie custom where the "good guys" always (or at least frequently) wore light-colored cowboy hats, and the "bad guys" would wear dark-colored hats. A white-hat hacker is using the tools of hacking but with the goal of closing any weakness they find rather than exploiting it.


TomDibble

I'm New Here
Jun 15, 2017
17
3
A few notes from reading the write-up and my memory of the 80D settings (aided slightly by the 80D manual I have in front of me unlike my camera which is at home).

  1. The WiFi attack hinges on spoofing an access point. That immediately got my notice because I have never connected my camera to an access point; instead I connect my phone to my camera (with the camera itself acting as the access point). At least that is how it appears when I'm remote at a softball field and want to review some shots on a better screen than the one on the back of the 80D (aside: that is just an atrocious quality LCD, with horrible color gamut and brightness controls). Is Canon's software instead somehow making my iPhone act as an access point and then the camera automatically connecting to that???
  2. Checking the 80D manual, the mode where the camera connects to an access point is called "Advanced Connection", unlike "Easy Connection" which is what the phone app and lazy consumerish folks like me would follow instead.
  3. In "Easy Mode" one particularly insecure mode is the NFC triggering of a connection to a phone and picture transfer (presumably opening up a PTP session). Not having a phone with exposed NFC (I don't think Apple exposes the NFC interface to app developers), I have always had "Allow NFC Connections" unchecked. Presumably that stops an NFC phone from auto-connecting at all, not later on in the PTP communications, but I haven't verified. In any case, NFC is generally pretty short-range so triggering that would take a bit more of a personal touch by a hacker.
  4. For the "Connect to Smartphone" side of Easy Connect, Camera Connect needs to be on the smartphone, similar to EOS Utility on the computer. Camera Connect verifies the WiFi connection (phone as client of the camera), then acts as (presumably) a PTP client allowing for picture transfer, control, and presumably somewhere in there (since for some insane reason the PTP/IP folks decided this functionality should be in PTP/IP, not just when you had a hard tethered connection to the camera) firmware updates (aside: the EOS 80D firmware is on 1.02 if I recall correctly. Firmware updates happen less than once in a blue moon: there is no reason for them to be made seamless and interactionless!!!). In any case, the actual connection is made using the phone's WiFi settings screen, by selecting the camera's broadcast SSID to connect to, and typing in (if it hasn't already been saved in your settings) the "encryption key". The manual doesn't appear to specify which version of WPA it is using here, but I would be surprised if it wasn't the most recent version, which is relatively secure (more about that later) and also supported in the "advanced configuration", so they have the hardware for it.
  5. Similarly, using "Easy Connect" with a computer, you also externally (from the EOS Utility software) make the WiFi connection with the computer as client to the camera's access point, secured using a (presumably WPA2) encryption key. Same thing with a printer using "PictBridge".
  6. "Advanced Mode" is where things get dicey. Advanced mode is a tortuous process to set up connecting the camera to a network access point, including keying in the encryption key on a horrible on-screen "keyboard", and your phone/computer/printer/whatever to that same access point, and then use PTP pretty much completely unsecured over the network. Because it is such a torturous process to set up, Canon "helps" you by (after the first time) doing it all for you the next time it sees that access point again. Canon supports connecting to pretty much any access point, no authentication even required.
  7. In any mode, the Camera's WiFi chip allows for exactly one connection at a time. If your phone is connected, the camera can not accept a connection from another phone, nor connect to an access point (this appears to be a connection layer limitation, not a PTP limitation). I am not sure if this limitation is unique to 80D or to all Canon WiFi implementations. It would seem odd to allow multiple PTP connections at once since PTP has full camera control, but that is an application-layer limitation that likely still exposes security holes.
  8. Spoofing an access point (depending on the complexity of the client, but especially given that Canon's security standards are laughably minimal, like using a 4-character session identifier for their web session in the 1D's network interface). If Canon's client is just connecting by broadcast SSID, anyone can spoof that. But even if it is connecting based on broadcast SSID and MAC address, that is almost child's play to spoof as well. The only thing the hacker needs to know is the SSID and (maybe) MAC address that the "real" access point broadcasts (which would be difficult in a mass attack, but trivial in most cases for targeted attacks).
  9. Spoofing a client means breaking WPA2. Now, WPA2, like anything that's been around for years, does have known exploits. But they are not trivial to implement, and often require specific circumstances or don't allow for a full spoofed access attack (e.g., the "KRACK" attack allows primarily for eavesdropping on ongoing communications, not hijacking of a connection nor especially establishment of a whole new connection with full privileges).
It appears that the layers which have been breached are:
  • Connection layer when using camera as a client connecting to an access point has been hacked (in Canon specifically, but I'd guess if any other manufacturer has a similar approach their implementation will likewise be hacked). Exploits here aren't "general purpose" unless you are in the habit of connecting your camera to "public" access points.
  • Connection layer in the "easy" or "direct" modes has not (by all appearances at least) been hacked.
  • PTP is not secure at all, which is scary for a line protocol which operates thousands of dollars worth of equipment and even allows easy escalation attacks by installing a hacked firmware on the device.
  • The specific Canon firmware has several buffer overflow security bugs which have been identified by the CheckPoint group, which allow for exploits of PTP to do things which it wasn't designed to do, which allows for attacks even without hacking the firmware. Of course, PTP's base feature set includes replacing the firmware, so from a base "attack surface" the PTP flaws don't even register. But they allow a less sophisticated attacker to forge an attack (until Canon fixes the flaws, which I would hope, given the clear instructions from CheckPoint, they have already done over the weekend and are getting updates into the QA/release cycle as we speak ... but maybe I am imagining too much of a commitment to security on the part of Canon).
The direct targets of the exposed attack are people who use WiFi to connect to their home or business network, and from there use their computers/phones to connect to the camera. There are likely other attacks around this (that may well be found by black hats now that white hats have shone the spotlight in this direction) - the "direct connect" not being exploited hangs on the thin thread of the WPA2 connection from the phone not getting hacked (I have to say, again, how odd it is that there is essentially no application-layer security on the PTP/IP protocol; that is just way below acceptable industry standards), so we shouldn't feel invulnerable there either.

Okay, so where does that leave us?

I think obviously, the best security approach is always: turn off any interface you are not using. If you end up needing it later on, you'll be able to find it and turn it back on (even as horrible as Canon's UI is, these things are still discoverable with just a little patience). So, if you have WiFi on routinely, turn it off until you are actually going to use it. The risk here is huge: being able to install new firmware on a device is essentially "game over" in terms of security, because that new firmware could do anything imaginable (sit and wait until your card has over 1000 images before executing ransomware attack, or connect to open wifis and publish all photos on the device to an anonymous FTP site, etc). You should take precautions against this.

But, don't panic. A device with WiFi (and NFC) turned off does not have any of these WiFi vulnerabilities (obviously). The camera isn't useless, but you need to make sure you only turn WiFi on when you are using it, and turn it off immediately after. While you are actively using that WiFi connection - your camera is connected to a known good access point, or your phone is connected to the camera - no one else can exploit these vulnerabilities while that single-channel WiFi connection is in use by you. However, when you are done with the connection (to your phone, computer, etc), turn the WiFi back off on the camera immediately. I would go so far as turning that off to disconnect the phone rather than disconnecting the phone first. This attack takes literally seconds to complete per the proof of concept video (assuming that was in realtime), so you don't want to disconnect your phone, walk to the parking lot, and then turn off the camera wifi.
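The post above makes two points about the PTP/IP layer: it carries no application-layer security of its own, and the CheckPoint write-up it discusses found buffer overflows in the firmware's handling of it. The following is an added example, not code from the original thread, from Canon or from CheckPoint, showing the input validation a PTP/IP receiver needs so that a length field chosen by an untrusted peer cannot drive an out-of-bounds copy. The 8-byte framing (little-endian 4-byte total length followed by a 4-byte packet type) is the PTP/IP container header; the 64-byte payload limit, the function and type names, and the four sample packets are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* PTP/IP frames every packet as: uint32 total_length | uint32 packet_type |
 * payload, all little-endian. When the peer is untrusted, total_length is
 * attacker-controlled. A receiver that computes payload = total_length - 8
 * and copies that many bytes into a fixed buffer, without checking the
 * result against the buffer size and against the bytes actually received,
 * has the classic overflow shape. The parser below performs those checks. */
#define PTPIP_HDR_LEN     8u
#define PTPIP_MAX_PAYLOAD 64u   /* constructed limit for this example */

enum ptpip_result {
    PTPIP_OK = 0,
    PTPIP_ERR_SHORT,      /* fewer than 8 bytes received: no header yet */
    PTPIP_ERR_BAD_LEN,    /* total_length < 8: payload size would underflow */
    PTPIP_ERR_TOO_BIG,    /* payload would overflow the destination buffer */
    PTPIP_ERR_TRUNCATED   /* total_length exceeds bytes actually received */
};

struct ptpip_packet {
    uint32_t type;
    uint32_t payload_len;
    uint8_t  payload[PTPIP_MAX_PAYLOAD];
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parse: every derived size is validated before it drives a copy. */
enum ptpip_result ptpip_parse(const uint8_t *buf, size_t received,
                              struct ptpip_packet *out) {
    if (received < PTPIP_HDR_LEN) return PTPIP_ERR_SHORT;
    uint32_t total = rd_le32(buf);
    uint32_t type  = rd_le32(buf + 4);
    if (total < PTPIP_HDR_LEN) return PTPIP_ERR_BAD_LEN;
    uint32_t payload = total - PTPIP_HDR_LEN;
    if (payload > PTPIP_MAX_PAYLOAD) return PTPIP_ERR_TOO_BIG;
    if (total > received) return PTPIP_ERR_TRUNCATED;
    out->type = type;
    out->payload_len = payload;
    memcpy(out->payload, buf + PTPIP_HDR_LEN, payload);
    return PTPIP_OK;
}

/* Constructed sample packets (not captured from any camera). */
static const uint8_t SAMPLE_OK[]        = {0x0C,0,0,0, 0x02,0,0,0, 'a','b','c','d'};
static const uint8_t SAMPLE_HUGE_LEN[]  = {0xFF,0xFF,0xFF,0x7F, 0x02,0,0,0, 'a','b','c','d'};
static const uint8_t SAMPLE_UNDERFLOW[] = {0x04,0,0,0, 0x02,0,0,0};
static const uint8_t SAMPLE_TRUNCATED[] = {0x20,0,0,0, 0x02,0,0,0, 'a','b'};

/* Parse one of the samples by index so the outcome can be checked by a caller. */
enum ptpip_result ptpip_parse_sample(int which, struct ptpip_packet *out) {
    switch (which) {
    case 0: return ptpip_parse(SAMPLE_OK, sizeof SAMPLE_OK, out);
    case 1: return ptpip_parse(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN, out);
    case 2: return ptpip_parse(SAMPLE_UNDERFLOW, sizeof SAMPLE_UNDERFLOW, out);
    default: return ptpip_parse(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, out);
    }
}

int main(void) {
    static const char *names[] = {"ok", "huge length", "length underflow", "truncated"};
    for (int i = 0; i < 4; i++) {
        struct ptpip_packet pkt;
        enum ptpip_result r = ptpip_parse_sample(i, &pkt);
        printf("%-18s -> result %d", names[i], (int)r);
        if (r == PTPIP_OK) printf(" (type %u, %u payload bytes)", pkt.type, pkt.payload_len);
        printf("\n");
    }
    return 0;
}
```

The order of the checks matters: the underflow test must precede the subtraction, and the destination-size test must precede the received-bytes test, so that a declared length of 2 GB is rejected before any comparison that depends on it. Note that these checks only stop the parser from being the weak point; they do nothing about the post's other observation, that an authenticated PTP/IP session is itself allowed to replace the firmware.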

Architect1776

Defining the poetics of space through Architecture
Aug 18, 2017
325
271
117
Williamsport, PA
An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.
So you take that lifetime vacation you saved for and your camera is hacked and there is a demand to pay to get your photos. What are those photos worth? Nothing to joe stupid, but to you, who has a lot invested in getting them and most likely will never be able to do it again, they are invaluable.
Photos of the baby's first steps mean nothing to the idiot yahoo, but to the parents these are precious moments that cannot be repeated, as they are the first steps, not next week's steps, etc.
A pro is less likely to care as they have insurance etc. for failures, but for the rest of the world those one-time photos are invaluable and cannot ever be duplicated.

Architect1776

Defining the poetics of space through Architecture
Aug 18, 2017
325
271
117
Williamsport, PA
If the camera is known to move from a public network to a private network, it can be used as a vector to infiltrate the private network.

E.g. a foreign government uses hotel wifi in their capital city to infect Canon cameras of visiting journalists. The journalists return home with the camera, and use it on the internal network of their newspaper/agency. The camera contains a virus which is now behind the media organisation's firewall and proceeds to exfiltrate information or disrupt operations.
And we all know most pros worth hiring use Canon equipment, so that is who will be attacked. Other camera makes are just on a Mac at home that has no real value to sell internal access to, unlike a major corporation. Yes, personal photos are very valuable to the individual, and it is a terrible thing to pay a ransom for them, if you can afford it, to get those once-in-a-lifetime photos back.

tron

EOS 5D SR
Nov 8, 2011
4,031
335
Will be interesting to see how the 5D4 update is handled. As someone who paid to upgrade to C-LOG, I wasn't able to download or install the EOS 5D Mark IV Firmware Version 1.1.2 update. Have been "stuck" without a firmware update since that upgrade.
Have a read at:


By reading it I deduce that you have to have your camera at 1.1.0 or greater before the C-LOG upgrade. Then it is not affected and you upgrade firmware as usual. So if you are below this, maybe you should visit Canon service (demanding that they will not charge again, of course). After that you will be able to upgrade with the 5DIV firmware and the process would leave C-LOG as is. At least this is my interpretation of the above.

SaP34US

EOS T7i
Aug 21, 2018
91
5
What cameras does it affect? Is there currently a firmware update to combat the problem that can be downloaded to the cameras?

photo212

EOS T7i
Feb 14, 2013
65
0
An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.
In another article I was reading earlier today, they called the hack "ransomware." So that boring hack could disable your camera until you pay some sort of ransom (bitcoins). Want another bite of your nothing-burger?

cayenne

EOS R
Mar 28, 2012
1,936
116
In another article I was reading earlier today, they called the hack "ransomware." So that boring hack could disable your camera until you pay some sort of ransom (bitcoins). Want another bite of your nothing-burger?
I was just thinking, if this hit you, sure you're gonna likely lose your images....reformat that card.

And as far as the camera, I would think refreshing the firmware would get it working again....?

Valvebounce

EOS 5D SR
Apr 3, 2013
4,239
183
52
Isle of Wight
Hi Cayenne.
And if they hide the firmware update menu and disable the USB port?

Cheers, Graham.

I was just thinking, if this hit you, sure you're gonna likely lose your images....reformat that card.

And as far as the camera, I would think refreshing the firmware would get it working again....?

photo212

EOS T7i
Feb 14, 2013
65
0
I was just thinking, if this hit you, sure you're gonna likely lose your images....reformat that card.

And as far as the camera, I would think refreshing the firmware would get it working again....?
Yeah, good luck with that. Toss the card. Do not take any chances. As far as your camera goes, I'd think anyone going to the trouble of hijacking your camera's operating system has probably disabled all the menus except theirs demanding the ransom and the ability to enter a code to free your system (then it's a good idea to reload the firmware).