Canon issues a security advisory for PTP equipped EOS DSLRs, EOS mirrorless and PowerShot cameras

Canon Rumors Guy

From Canon:
An international team of security researchers has drawn our attention to a vulnerability related to communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates.
(CVE-ID:CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001)
Due to these vulnerabilities, the potential exists for a third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network.
At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue.


Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
Do not connect the camera to a PC or...

An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.

Whoever hacked the f*pening nudes didn't target any specific person. Rather he hacked backups en masse, then picked those photos that interested him.
 
An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.

Most people's photos are special to the photographer. Think about your cousin's precious holiday snaps, locked out by ransomware. How many Bitcoins to get them back x 1,000 cameras to be worthwhile in a wider attack?

Users' and makers' privacy, security and reputations are all at stake.

I don't get how such a vulnerability can - or should - ever be a "nothing-burger".
 
An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.

If the camera is known to move from a public network to a private network, it can be used as a vector to infiltrate the private network.

E.g. a foreign government uses hotel wifi in their capital city to infect Canon cameras of visiting journalists. The journalists return home with the camera, and use it on the internal network of their newspaper/agency. The camera contains a virus which is now behind the media organisation's firewall and proceeds to exfiltrate information or disrupt operations.
 
https://threatpost.com/hack-of-a-canon-eos-80d-dslr/147214/

Worth reading. This hack was specific to Canon but: The researcher wrote, in a technical paper released Sunday, that PTP is a ripe target, given it is an unauthenticated protocol that supports dozens of different complex commands. “[A] vulnerability in PTP can be equally exploited over USB and over Wi-Fi.”

Be *thankful* Canon was tested by a black hat and that Canon had some time and a willingness to release patches. Now that the vector is out, there are going to be more than researchers poking around others' implementations of PTP.
 
Could this have been accomplished without Magic Lantern?
Yes. Was this particular round, no.

I found the researcher's article finally: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/

Introducing our target
We chose to focus on Canon’s EOS 80D DSLR camera for multiple reasons, including:

 
Yes. Was this particular round, no.

I found the researcher's article finally: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/

Thanks. This bit is troubling:

Attackers are profit-maximisers, they strive to get the maximum impact (profit) with minimal effort (cost). In this case, research on Canon cameras will have the highest impact for users, and will be the easiest to start, thanks to the existing documentation created by the ML community.

While I admire the enthusiasm of the ML community, this quote suggests that ML's efforts have now yielded unintended consequences affecting NON-users of ML.
 

cayenne

Thanks. This bit is troubling:



While I admire the enthusiasm of the ML community, this quote suggests that ML's efforts have now yielded unintended consequences affecting NON-users of ML.


Well, the old saying about not having security through obscurity stands.

You should not depend on unsecure protocols and systems by just not documenting them.

If they are there, someone will find them. While the camera is not the most critical vector in the world, this applies to ALL types of systems, think medical devices, they're constantly finding unsecured wireless protocols for things like pacemakers, insulin pumps, etc....

The trouble is, you have people designing systems for things like these and cameras, and aren't hiring on the proper people to make sure these protocols are secure.

I work in IT....and I'm still of the mind that just because most everything CAN be networked, wireless and connected to the internet....most things should NOT be.

Doing so, just opens you up to security exploits, and while networking things does give some convenience....is it really worth it?

Just my $0.02,

C
 
For those who think it’s “boring” to hackers because nothing useful seems to be accomplished, though others have shown that this may not be true, remember that there are still plenty of hackers out there who do it just to mess with people, and make their lives more difficult.

To those hackers, that’s enough of a reward.
 

Don Haines

An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.
An attack on a camera is nothing. It is just noise.

Until you just shot a wedding and have to pay lots of money to (maybe) get those images back..... or you lost those pictures of your kid’s championship game, or your parents' 50th anniversary when 50 relatives showed up for the surprise party......

No, this isn’t a big thing, this is a HUGE thing!

As a professional, you cannot risk this. My cameras have WiFi and Bluetooth turned off until the updates are installed.
 
Correct. Anyway they used ML tools to ease their research, but we really don't know if Canon firmware or encryption keys leaked in some other, unknown, ways.

Usually such detailed information is released only when fixed software is available, but Canon doesn't appear to have made new firmware available worldwide yet.

The researchers did eventually find the keys but ML did not leak them, a quote from the article: "Being open-source, we hoped that ML would somehow publish this encryption key, allowing us to decrypt the firmware on our own. Unfortunately, that turned out not to be the case. Not only does ML intentionally keep the encryption key secret, we couldn’t even find the key anywhere in the internet. Yet another dead end."

"Usual" black-hat "policy" is to wait till a solution is published or two months if the company is blowing you off. It seems like the former although they may have rushed it by a day or two to present at a conference.

I agree it's a big deal but it's better to have it done by a black-hat than the next round, probably looking at other brands, that won't be. Search for "security by obscurity" and you will find many resources on why that is a bad idea.
 

That makes horrifying reading:

- even if the implementation were correct, the *design* of PTP is broken because it apparently allows modification of the camera firmware without user interaction. It's hard to imagine how anyone ever thought that was a good idea. Fix would be to always prompt for confirmation on the camera LCD, no matter what the PTP standard says.

- instead of using a public/private key pair to check for firmware signing, they used symmetric encryption, so that the key needed to make fake firmware is embedded in every camera (security through obscurity, which the Magic Lantern people have already penetrated).

I wish I could say I was surprised at the reported incompetence, but having read the DCF and EXIF standards and observed the endless propagation of incompatible non-self-describing raw formats from Japanese camera manufacturers, I'm not.
 
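The second point in the post above (a shared symmetric key versus a public/private key pair for firmware checks), as an added example that is not from the thread, Canon, or the researchers' write-up. It models the symmetric check as an HMAC and uses a Lamport one-time hash-based signature as a standard-library stand-in for a production scheme such as Ed25519 or RSA; all keys, function names and firmware bytes are constructed.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Symmetric model (assumed): every device embeds the key the vendor uses.
def mac_tag(key: bytes, firmware: bytes) -> bytes:
    return hmac.new(key, firmware, hashlib.sha256).digest()

def device_accepts_symmetric(device_key: bytes, firmware: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(device_key, firmware), tag)

# Asymmetric model: Lamport one-time signature; the device stores only hashes.
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(firmware: bytes):
    d = H(firmware)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, firmware: bytes):
    # Reveal one secret per digest bit; a key pair must sign only one image.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(firmware))]

def device_accepts_asymmetric(pk, firmware: bytes, sig) -> bool:
    bits = digest_bits(firmware)
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][bit])
        for i, (s, bit) in enumerate(zip(sig, bits)))

def demo():
    official = b"constructed firmware image v1"      # constructed sample data
    modified = b"constructed firmware image, modified"
    # Symmetric: the key stored in any one device is the vendor's own key.
    shared_key = secrets.token_bytes(32)
    tag_from_device_key = mac_tag(shared_key, modified)
    sym_modified_ok = device_accepts_symmetric(shared_key, modified, tag_from_device_key)
    # Asymmetric: the device holds pk only; sk never leaves the vendor.
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, official)
    asym_official_ok = device_accepts_asymmetric(pk, official, sig)
    # Without sk, the only signature available is the official one, reused.
    asym_modified_ok = device_accepts_asymmetric(pk, modified, sig)
    return sym_modified_ok, asym_official_ok, asym_modified_ok

print(demo())
```

With the shared key the modified image verifies; with the public-key check the official image verifies and the modified one is rejected, because nothing stored on the device can produce a new signature.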