Image transfer capabilities in digital cameras allowed a safety investigator to infect a Canon EOS 80D DSLR with ransomware over a rogue WiFi connection.
A host of six faults found in Canon cameras in the application of the Photo Transfer Protocol (PTP), some of which offer exploit alternatives for various assaults.
The final stage of an assault would be a complete takeover of the device, which would allow hackers to deploy any type of malware.
A compromise can happen on devices which support a wireless link using a rogue Wi-Fi access point. If not, a hacker could attack the camera from the computer with which it is connected.
Six Picture Transfer Protocol vulnerabilities.
Security researchers Eyal Itkin from Check Point could analyze how PTP is implemented in Canon’s cameras after jumping through some hoops to get the firmware in a non-encrypted format.
They scanned all 148 commands that were endorsed and reduced the list to 38 that received an input buffer.
Below is a list of vulnerable commands and their unique opcode numbers. However, not all of them are necessary for unauthorized camera access.
- CVE-2019-5994 – Buffer Overflow in SendObjectInfo (opcode 0x100C)
- CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)
- CVE-2019-5999– Buffer Overflow in BLERequest (opcode 0x914C)
- CVE-2019-6000– Buffer Overflow in SendHostInfo (opcode0x91E4)
- CVE-2019-6001– Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)
- CVE-2019-5995 – Silent malicious firmware update
The second and third bugs are in Bluetooth-related instructions, but this sort of connection does not help the target camera module.
“We started by connecting the camera to our computer using a USB cable. We previously used the USB interface together with Canon’s “EOS Utility” software, and it seems natural to attempt to exploit it first over the USB transport layer.” – Eyal Itkin
When the camera is attached to a laptop via USB, a wireless connection cannot be used. However, until code execution via a USB connection was completed, itkin had been able to test and modify the exploit code that exploited a second vulnerability.
This didn’t work when the exploit script collapsed and the camera crashed. It wasn’t working. One is that “sending a notification of Bluetooth status confuses only the camera when you connect via WiFi. Especially if it does not support Bluetooth.” This has caused the scientist to dig deeper and discover other sensitive commands and a way to use them in the atmosphere in meaningful way.
Using firmware cryptofunctions.
He found a PTP command that allows remote firmware updates without user interaction. Reverse engineering disclosed the keys for verifying and encrypting the validity of the firmware.
This would have the right signatures for a malicious update and the camera would take it for legitimate since verification goes through.
The effort was rewarded as itkin was able not only to build a feat that worked on both USB and WiFi, but also to encrypt files on the camera’s storage card: the same encryption features for the firmware update process.
The video below shows the successful utilization of Picture Transfer Protocol vulnerabilities and ransomware infects a Canon EOS 80D camera. At the end, the camera proprietor would see the attacker’s ransom note:
Although this is not a threat to users who just connect their camera to trustworthy WIFI networks, an attacker could target tourists from popular tourist attractions.
Check Point revealed Canon’s vulnerabilities on 31 March and validated on 14 May. Both businesses worked together to solve the problems.
Canon released a guide last week informing consumers of the malicious exploitation of the defects and indicating customers in their region of the company’s sales website for firmware that addresses the issues.
Users in Europe can update the firmware to 1.0.3 as of July 30 on the same release date as in Asia (download here). Customers in the United States have been able to install the same version since 6 August.