The threat of ransomware is becoming more prevalent and severe as attackers’ focus has now moved beyond computers to smartphones and other Internet-connected smart devices.
In its latest research, security researchers at cybersecurity firm CheckPoint demonstrated how easy it is for hackers to remotely infect a digital DSLR camera with ransomware and hold private photos and videos hostage until victims pay a ransom.
Yes, you heard me right.
Security researcher Eyal Itkin discovered several security vulnerabilities in the firmware of Canon cameras that can be exploited over both USB and WiFi, allowing attackers to compromise and take over the camera and its features.
According to a security advisory released by Canon, the reported security flaws affect Canon EOS-series digital SLR and mirrorless cameras, PowerShot SX740 HS, PowerShot SX70 HS, and PowerShot G5X Mark II.
“Imagine how would you respond if attackers inject ransomware into both your computer and the camera, causing them to hold all of your pictures hostage unless you pay a ransom,” Itkin warns.
Canon DSLR PTP and Firmware Vulnerabilities
All these vulnerabilities, listed below, reside in the way Canon implements Picture Transfer Protocol (PTP) in its firmware, a standard protocol that modern DSLR cameras use to transfer files between camera and computer or mobile devices via wired (USB) or wirelessly (WiFi).
Besides file transfer, Picture Transfer Protocol also supports dozens of commands to remotely handle many other tasks on camera—from taking live pictures to upgrading the camera’s firmware—many of which have been found vulnerable.
- CVE-2019-5994 — Buffer Overflow in SendObjectInfo
- CVE-2019-5998 — Buffer Overflow in NotifyBtStatus
- CVE-2019-5999 — Buffer Overflow in BLERequest
- CVE-2019-6000 — Buffer Overflow in SendHostInfo
- CVE-2019-6001 — Buffer Overflow in SetAdapterBatteryReport
- CVE-2019-5995 — Silent Malicious Firmware Update
Itkin found that Canon’s PTP operations neither require authentication nor use encryption in any way, allowing attackers to compromise the DSLR camera in the following scenarios:
- Via USB — Malware that has already compromised your PC can propagate into your camera as soon as you connect it with your computer using a USB cable.
- Over WiFi — An attacker in close proximity to a targeted DSLR camera can set up a rogue WiFi access point to infect your camera.
“This can be easily achieved by first sniffing the network and then faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit,” Itkin explains.
Exploiting Canon DSLR Flaw to Deploy Ransomware Over-the-Air
As a proof-of-concept, the researcher successfully exploited one of these vulnerabilities that allowed them to push and install a malicious firmware update on a targeted DSLR camera over WiFi—with no interaction required from the victim.
As shown in the video demonstration, the malicious firmware was modified to encrypt all files on the camera and display a ransom demand on its screen using the same built-in AES functions that Canon uses to protect its firmware.
“There is a PTP command for a remote firmware update, which requires zero user interaction,” the researcher explains. “This means that even if all of the implementation vulnerabilities are patched, an attacker can still infect the camera using a malicious firmware update file.”
A real ransomware attack of this type is one of the biggest threats to your precious memories where hackers can typically demand money in exchange for the decryption key that would unlock your photos, videos and audio files.
Researchers responsibility reported these vulnerabilities to Canon in March this year. However, the company has currently only released an updated firmware for Canon EOS 80D model and recommended users of other affected models to follow basic security practices until patches for their devices become available.
For more details about the vulnerabilities in Canon camera models, you can head on to CheckPoint’s report published yesterday.