DSLR Cameras Are Vulnerable to Ransomware Attacks via WiFi

  • Researchers present a novel way to perform a successful ransomware attack against DSLR cameras.
  • The method involves the PTP functionality that is there to help send photos from the device to a computer.
  • There’s a way to push a malicious firmware update on the camera and encrypt all of its files.

We tend to think of DSLR cameras as locked-down electronics that aren’t particularly vulnerable, but Check Point researchers have demonstrated an attack against a Canon camera that proves this thinking wrong. They showed that an attacker connected to the same WiFi network as the camera can launch a ransomware attack that encrypts the photos on the device. The attack takes place via PTP (Picture Transfer Protocol), which allows much more than just the transfer of images between the camera and a PC or laptop.

The Check Point researchers first tried to use an AES-encrypted version of a firmware update for the Canon EOS 80D DSLR camera, but that couldn’t be used for analysis. Instead, they got a special “dumper” tool that dumps the memory of the camera onto the SD card, which gave them the firmware they needed. Next, they figured out which commands the PTP layer uses and analyzed the associated API. From there, the researchers worked with known vulnerabilities like the CVE-2019-5998 buffer overflow in NotifyBfStatus and the CVE-2019-5999 buffer overflow in BLERequest. The end result was the development of a Python script that does the trick.

This small script is the proof-of-concept (PoC) code that triggers the aforementioned vulnerabilities, but it only caused the camera to crash. To take things further, the researchers implemented CVE-2019-6001 and CVE-2019-6000 exploits, which made it possible to send a malicious firmware update to the camera. The update requires no user interaction, carries the correct signatures, calls the same AES encryption functions in the firmware, and in effect encrypts the photos that are stored on the device. The researchers’ demonstration video shows this step: the memory-write LED starts flashing without the user having done anything to invoke this action.

Canon issued a patch and the relevant security advisory on August 6, 2019, fixing a total of six flaws that are used in this type of attack. In its bulletin, Canon suggests that users should disable network functions when not needed, avoid connecting to untrusted PCs (via USB) or WiFi networks, and only trust the official website to get the latest firmware update. If you own a Canon DSLR, or any other WiFi-enabled camera, go ahead and update your firmware right away. As always, keep in mind that whatever can connect to a network automatically becomes potentially vulnerable to other devices connected to that same network. This applies not only to DSLR devices but to anything.
