A few notes from reading the write-up and my memory of the 80D settings (aided slightly by the 80D manual I have in front of me, unlike my camera, which is at home).
- The WiFi attack hinges on spoofing an access point. That immediately got my notice because I have never connected my camera to an access point; instead I connect my phone to my camera (with the camera itself acting as the access point). At least that is how it appears when I'm remote at a softball field and want to review some shots on a better screen than the one on the back of the 80D (aside: that is just an atrocious quality LCD, with horrible color gamut and brightness controls). Is Canon's software instead somehow making my iPhone act as an access point and then the camera automatically connecting to that???
- Checking the 80D manual, the mode where the camera connects to an access point is called "Advanced Connection", unlike "Easy Connection" which is what the phone app and lazy consumerish folks like me would follow instead.
- In "Easy Mode" one particularly insecure mode is the NFC triggering of a connection to a phone and picture transfer (presumably opening up a PTP session). Not having a phone with exposed NFC (I don't think Apple exposes the NFC interface to app developers), I have always had "Allow NFC Connections" unchecked. Presumably that stops an NFC phone from auto-connecting at all, not later on in the PTP communications, but I haven't verified. In any case, NFC is generally pretty short-range so triggering that would take a bit more of a personal touch by a hacker.
- For the "Connect to Smartphone" side of Easy Connect, Camera Connect needs to be on the smartphone, similar to EOS Utility on the computer. Camera Connect verifies the WiFi connection (phone as client of the camera), then acts as (presumably) a PTP client allowing for picture transfer, control, and presumably somewhere in there (since for some insane reason the PTP/IP folks decided this functionality should be in PTP/IP, not just when you had a hard tethered connection to the camera) firmware updates (aside: the EOS 80D firmware is on 1.02 if I recall correctly. Firmware updates happen less than once in a blue moon: there is no reason for them to be made seamless and interactionless!!!). In any case, the actual connection is made using the phone's WiFi settings screen, by selecting the camera's broadcast SSID to connect to, and typing in (if it hasn't already been saved in your settings) the "encryption key". The manual doesn't appear to specify which version of WPA it is using here, but I would be surprised if it wasn't the most recent version, which is relatively secure (more about that later) and also supported in the "advanced configuration", so they have the hardware for it.
- Similarly, using "Easy Connect" with a computer, you also externally (from the EOS Utility software) make the WiFi connection with the computer as client to the camera's access point, secured using a (presumably WPA2) encryption key. Same thing with a printer using "PictBridge".
- "Advanced Mode" is where things get dicey. Advanced mode is a tortuous process to set up connecting the camera to a network access point, including keying in the encryption key on a horrible on-screen "keyboard", and your phone/computer/printer/whatever to that same access point, and then use PTP pretty much completely unsecured over the network. Because it is such a torturous process to set up, Canon "helps" you by (after the first time) doing it all for you the next time it sees that access point again. Canon supports connecting to pretty much any access point, no authentication even required.
- In any mode, the camera's WiFi chip allows for exactly one connection at a time. If your phone is connected, the camera cannot accept a connection from another phone, nor connect to an access point (this appears to be a connection-layer limitation, not a PTP limitation). I am not sure if this limitation is unique to the 80D or common to all Canon WiFi implementations. It would seem odd to allow multiple PTP connections at once since PTP has full camera control, but that is an application-layer limitation that likely still exposes security holes.
- Spoofing an access point (depending on the complexity of the client, but especially given that Canon's security standards are laughably minimal, like using a 4-character session identifier for their web session in the 1D's network interface). If Canon's client is just connecting by broadcast SSID, anyone can spoof that. But even if it is connecting based on broadcast SSID and MAC address, that is almost child's play to spoof as well. The only thing the hacker needs to know is the SSID and (maybe) MAC address that the "real" access point broadcasts (which would be difficult in a mass attack, but trivial in most cases for targeted attacks).
- Spoofing a client means breaking WPA2. Now, WPA2, like anything that's been around for years, does have known exploits. But they are not trivial to implement, and often require specific circumstances or don't allow for a full spoofed-access attack (e.g., the "KRACK" attack allows primarily for eavesdropping on ongoing communications, not hijacking of a connection nor especially establishment of a whole new connection with full privileges).
It appears that the layers which have been breached are:
- Connection layer when using camera as a client connecting to an access point has been hacked (in Canon specifically, but I'd guess if any other manufacturer has a similar approach their implementation will likewise be hacked). Exploits here aren't "general purpose" unless you are in the habit of connecting your camera to "public" access points.
- Connection layer in the "easy" or "direct" modes has not (by all appearances at least) been hacked.
- PTP is not secure at all, which is scary for a line protocol which operates thousands of dollars worth of equipment and even allows easy escalation attacks by installing a hacked firmware on the device.
- The specific Canon firmware has several buffer overflow security bugs which have been identified by the CheckPoint group, which allow for exploits of PTP to do things which it wasn't designed to do, which allows for attacks even without hacking the firmware. Of course, PTP's base feature set includes replacing the firmware, so from a base "attack surface" standpoint the PTP flaws don't even register. But they allow a less sophisticated attacker to forge an attack (until Canon fixes the flaws, which I would hope, given the clear instructions from CheckPoint, they have already done over the weekend and are getting updates into the QA/release cycle as we speak ... but maybe I am imagining too much of a commitment to security on the part of Canon).
The direct targets of the exposed attack are people who use WiFi to connect to their home or business network, and from there use their computers/phones to connect to the camera. There are likely other attacks around this (that may well be found by black hats now that white hats have shone the spotlight in this direction) - the "direct connect" not being exploited hangs on the thin thread of the WPA2 connection from the phone not getting hacked (I have to say, again, how odd it is that there is essentially no application-layer security on the PTP/IP protocol; that is just way below acceptable industry standards), so we shouldn't feel invulnerable there either.
Okay, so where does that leave us?
I think, obviously, the best security approach is always: turn off any interface you are not using. If you end up needing it later on, you'll be able to find it and turn it back on (even as horrible as Canon's UI is, these things are still discoverable with just a little patience). So, if you have WiFi on routinely, turn it off until you are actually going to use it. The risk here is huge: being able to install new firmware on a device is essentially "game over" in terms of security, because that new firmware could do anything imaginable (sit and wait until your card has over 1000 images before executing a ransomware attack, or connect to open WiFis and publish all photos on the device to an anonymous FTP site, etc.). You should take precautions against this.
But, don't panic. A device with WiFi (and NFC) turned off does not have any of these WiFi vulnerabilities (obviously). The camera isn't useless, but you need to make sure you only turn WiFi on when you are using it, and turn it off immediately after. While you are actively using that WiFi connection - your camera is connected to a known good access point, or your phone is connected to the camera - no one else can exploit these vulnerabilities while that single-channel WiFi connection is in use by you. However, when you are done with the connection (to your phone, computer, etc.), turn the WiFi back off on the camera immediately. I would go so far as turning that off to disconnect the phone rather than disconnecting the phone first. This attack takes literally seconds to complete per the proof-of-concept video (assuming that was in real time), so you don't want to disconnect your phone, walk to the parking lot, and then turn off the camera WiFi.
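As an added example (not from the post above, and not Canon's or CheckPoint's code), here is a bounds-checked Python parser for the PTP/IP container header and the Init_Command_Request payload, showing the kind of length validation whose absence produces the buffer-overflow class the post describes. The container layout (4-byte length, 4-byte type, then GUID, NUL-terminated UTF-16LE host name and 4-byte version) follows the PTP/IP specification; the 64-character host-name cap is a constructed value for this example.

```python
import struct

# PTP/IP container: 4-byte little-endian total length (header included), then
# 4-byte little-endian packet type. Type 1 is Init_Command_Request, whose payload
# is a 16-byte GUID, a NUL-terminated UTF-16LE host name and a 4-byte version.
HEADER_LEN = 8
INIT_COMMAND_REQUEST = 1
MAX_HOSTNAME_CHARS = 64  # constructed cap for this example, not a Canon or spec value


class PtpIpError(ValueError):
    pass


def parse_container(buf: bytes):
    """Split one container, refusing a length field that disagrees with the bytes present."""
    if len(buf) < HEADER_LEN:
        raise PtpIpError("short header")
    length, ptype = struct.unpack_from("<II", buf, 0)
    # The length field comes from the peer: never use it as a copy size unchecked.
    if length < HEADER_LEN or length > len(buf):
        raise PtpIpError(f"declared length {length} does not fit in {len(buf)} bytes")
    return ptype, buf[HEADER_LEN:length]


def parse_init_command_request(payload: bytes):
    """Decode GUID, host name and version with an explicit bound on every field."""
    if len(payload) < 16 + 2 + 4:
        raise PtpIpError("payload too short for GUID, terminator and version")
    guid = payload[:16]
    name_bytes = payload[16:-4]
    version = struct.unpack("<I", payload[-4:])[0]
    # Host name must be even-length UTF-16LE ending in a NUL code unit.
    if len(name_bytes) % 2 or name_bytes[-2:] != b"\x00\x00":
        raise PtpIpError("host name is not NUL-terminated UTF-16LE")
    if len(name_bytes) // 2 - 1 > MAX_HOSTNAME_CHARS:
        raise PtpIpError("host name exceeds the fixed buffer")
    return guid, name_bytes[:-2].decode("utf-16-le"), version


def build_init_command_request(guid: bytes, host: str, version: int = 0x00010000) -> bytes:
    """Constructed client packet used to exercise the parser (version 1.0 encoding assumed)."""
    payload = guid + host.encode("utf-16-le") + b"\x00\x00" + struct.pack("<I", version)
    return struct.pack("<II", HEADER_LEN + len(payload), INIT_COMMAND_REQUEST) + payload
```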