Researchers Demonstrated Canon DSLR Ransomware Using Wi-Fi
Israeli security company Check Point published a short video (above) demonstrating how its researchers were able to hijack a Canon EOS 80D, both over USB and wirelessly over Wi-Fi.
Ransomware is a type of attack where the attacker either blocks the user’s access to his or her data or threatens to publish private data unless payment is transferred to a remote account (typically in bitcoin or another untraceable currency).
In recent years a growing number of individuals and institutions have been hit by ransomware, typically after opening a website or e-mail containing some sort of Trojan. These attacks are normally focused on computers; however, as more and more connected devices become available, they also become potential targets.
Cameras are a prime target in this respect. As the Washington Post reported a year ago, hackers took over two-thirds of D.C. police’s surveillance cameras in a ransomware attack days before the 2017 presidential inauguration. But this is just the tip of the iceberg, and there are many more ransomware attacks that go unpublished.
The exploit was demonstrated by Check Point researchers at the recent hacking conference DEF CON 2019, held this year in Las Vegas. In an extensive (and fairly technical) blog post, the cybersecurity experts from Check Point explained how they used specific weaknesses in Canon’s EOS 80D DSLR. Building on pre-existing knowledge of Magic Lantern (the third-party open source software/firmware hack), they were able to deploy ransomware that used the same cryptographic functions as the camera’s firmware update process.
An attacker who wanted to use a similar approach to perform a real-world ransomware attack on an EOS 80D would need to set up a rogue Wi-Fi access point and initiate the exploit. This can certainly be done by many sufficiently experienced attackers, although it requires the camera’s Wi-Fi to be turned on.
Check Point informed Canon of this exploit in advance and the company released the following statement (we copied some of the more relevant parts):
At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue.
- Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
- Do not connect the camera to a PC or mobile device that is being used in an unsecure network, such as in a free Wi-Fi environment.
- Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
- Disable the camera’s network functions when they are not being used.
- Download the official firmware from Canon’s website when performing a camera firmware update.
Canon also released a firmware update to fix the specific vulnerabilities found by Check Point for the EOS 80D, and we will potentially be seeing many more in the near future (possibly even for all of Canon’s cameras, so keep your eyes open).
Regardless of this specific exploit, the researchers concluded that they “found multiple critical vulnerabilities in the Picture Transfer Protocol as implemented by Canon. Although the tested implementation contains many proprietary commands, the protocol is standardized, and is embedded in other cameras. Based on our results, we believe that similar vulnerabilities can be found in the PTP implementations of other vendors as well.”
In other words, similar attacks are possible with other cameras and other brands. Hopefully, camera manufacturers will understand the risks and act now, before users start falling victim to such attacks.