DSLR Cameras Are Vulnerable to Ransomware Attacks via WiFi

• Researchers present a novel way to perform a successful ransomware attack against DSLR cameras.
• The method involves the PTP functionality that is there to help send photos from the device to a computer.
• There’s a way to push a malicious firmware update on the camera and encrypt all of its files.

We tend to think that DSLR cameras are somewhat locked down electronics that aren’t particularly vulnerable, but Checkpoint researchers have demonstrated an attack against a Canon camera that proves this thinking wrong. The researchers proved that it’s possible for an attacker who is connected to the same WiFi network as the camera to launch a ransomware attack that will encrypt the photos in the device. The attack takes place via the PTP (Picture Transfer Protocol), which allows much more than just the transfer of images between the camera and a PC or laptop.

The Checkpoint researchers first tried to use an AES encrypted version of a firmware update for the Canon EOS 80D DSLR camera, but that couldn’t be used for analysis. Instead, they got a special “dumper” tool that dumps the memory of the camera onto the SD card, so they got the firmware they needed. Next, they figured out what commands were used by the PTP layer and analyzed the associated API. From there, the researchers worked with known vulnerabilities like the CVE-2019-5998 buffer overflow in NotifyBfStatus and the CVE-2019-5999 buffer overflow in BLERequest. The end result was the development of a Python script that does the trick.

This small script is the proof of concept code (PoC) that triggers the aforementioned vulnerabilities, but that was only causing the camera to crash. To take things further, the researchers implemented CVE-2019-6001 and CVE-2019-6000 exploits, so sending a malicious firmware update to the camera became possible. The update requires no user interaction to take place, carries the correct signatures, calls the same AES encryption functions in the firmware, and practically encrypts the photos that are stored in the device. This step is shown in the following video when the memory writing LED goes flashing without the user having done anything to invoke this action.

Canon has already issued a fixing patch and the relevant security advisory on August 6, 2019, patching a total of six flaws that are used in this type of attack. In their bulletin, Canon suggests that users should disable network functions when not needed, avoid connecting to untrusty PCs (via USB) or WiFi networks, and only trust the official website to get the latest firmware update. If you own a Canon DSLR, or any other WiFi-enabled camera, go ahead and update your firmware right away. As always, keep in mind that whatever can connect to a network becomes automatically potentially vulnerable to other devices connected on that same network. This applies not only to DSLR devices but anything.

Are you performing regular firmware updates on your cameras, or do you go on with whatever it ran when you took it out of the box? Let us know in the comments below, or on our socials, on Facebook and Twitter.