A security researcher was able to infect a Canon EOS 80D DSLR with ransomware over a rogue WiFi connection. This was achieved through vulnerabilities in the image transfer protocol used in digital cameras. Six flaws were discovered in the implementation of the Picture Transfer Protocol (PTP) in Canon cameras, some of them offering exploit options for a variety of attacks.
The final stage of an attack would be a complete takeover of the device, allowing hackers to deploy any kind of malware on the camera. On devices that support a wireless connection, the compromise can occur through a rogue WiFi access point. Otherwise, a hacker could attack the camera through the computer it connects to.
After jumping through some hoops to get the firmware in a non-encrypted form, security researcher Eyal Itkin from Check Point was able to analyze how PTP is implemented in Canon’s cameras. He scanned all 148 supported commands and narrowed the list to the 38 that receive an input buffer.
Below is a list of the vulnerable commands and their unique numeric opcode. Not all of them are required for unauthorized access to the camera, though.
CVE-2019-5994 – Buffer Overflow in SendObjectInfo (opcode 0x100C)
CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)
CVE-2019-5999 – Buffer Overflow in BLERequest (opcode 0x914C)
CVE-2019-6000 – Buffer Overflow in SendHostInfo (opcode 0x91E4)
CVE-2019-6001 – Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)
CVE-2019-5995 – Silent malicious firmware update
The second and the third bugs are in commands related to Bluetooth, although the target camera model does not support this type of connection. “We started by connecting the camera to our computer using a USB cable. We previously used the USB interface together with Canon’s ‘EOS Utility’ software, and it seems natural to attempt to exploit it first over the USB transport layer,” explained Eyal Itkin.
A wireless connection cannot be used while the camera is connected via USB to a computer. Nevertheless, Itkin could test and adjust his exploit code that leveraged the second vulnerability until he achieved code execution over a USB connection.
However, this did not work when switching to a wireless connection as the exploit script broke, causing the camera to crash. One explanation is that “sending a notification about the Bluetooth status, when connecting over WiFi, simply confuses the camera. Especially when it doesn’t even support Bluetooth.”
This drove the researcher to dig deeper and find the other vulnerable commands and a way to exploit them in a meaningful way over the air.
Check Point says that it disclosed the vulnerabilities to Canon back in March, and the two began work in May to develop a patch. Last week, Canon issued a security advisory telling users to avoid unsecured Wi-Fi networks, to turn off the camera’s network functions when they are not in use, and to install the new security patch on the camera itself.
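For anyone monitoring a camera's WiFi link until the patch is installed, the opcodes in the CVE list above can be matched in captured PTP-over-IP traffic. The following is an added example, not code from Check Point or Canon; it assumes the standard PTP/IP (CIPA DC-005) little-endian framing, which the article does not describe, and the sample bytes and helper names are constructed for illustration.

```python
import struct

# Opcodes named in the article's CVE list.
FLAGGED_OPCODES = {
    0x100C: ("SendObjectInfo", "CVE-2019-5994"),
    0x91F9: ("NotifyBtStatus", "CVE-2019-5998"),
    0x914C: ("BLERequest", "CVE-2019-5999"),
    0x91E4: ("SendHostInfo", "CVE-2019-6000"),
    0x91FD: ("SetAdapterBatteryReport", "CVE-2019-6001"),
}
# Assumption (not from the article): PTP/IP framing per CIPA DC-005.
PTPIP_OPERATION_REQUEST = 6
HEADER = struct.Struct("<II")        # total packet length, packet type
OP_REQUEST = struct.Struct("<IHI")   # data-phase info, opcode, transaction id

def iter_packets(stream: bytes):
    """Yield (type, payload) for each PTP/IP packet in a reassembled TCP payload."""
    offset = 0
    while offset + HEADER.size <= len(stream):
        length, ptype = HEADER.unpack_from(stream, offset)
        # Reject lengths that are too short or run past the capture.
        if length < HEADER.size or offset + length > len(stream):
            raise ValueError(f"malformed PTP/IP length {length} at offset {offset}")
        yield ptype, stream[offset + HEADER.size: offset + length]
        offset += length

def flag_requests(stream: bytes):
    """Return (opcode, name, cve, transaction_id) for flagged operation requests."""
    hits = []
    for ptype, payload in iter_packets(stream):
        if ptype != PTPIP_OPERATION_REQUEST or len(payload) < OP_REQUEST.size:
            continue
        _phase, opcode, txid = OP_REQUEST.unpack_from(payload)
        if opcode in FLAGGED_OPCODES:
            name, cve = FLAGGED_OPCODES[opcode]
            hits.append((opcode, name, cve, txid))
    return hits

def build_request(opcode: int, txid: int, phase: int = 1) -> bytes:
    """Construct a sample operation request (constructed test data, no parameters)."""
    body = OP_REQUEST.pack(phase, opcode, txid)
    return HEADER.pack(HEADER.size + len(body), PTPIP_OPERATION_REQUEST) + body

# Constructed capture: GetDeviceInfo (0x1001, standard PTP), then NotifyBtStatus.
SAMPLE = build_request(0x1001, 1) + build_request(0x91F9, 2, phase=2)

if __name__ == "__main__":
    for opcode, name, cve, txid in flag_requests(SAMPLE):
        print(f"txid={txid} opcode=0x{opcode:04X} {name} ({cve})")
```

SendObjectInfo (0x100C) is a standard PTP operation, so a hit on it is a prompt to inspect the request rather than proof of an attack. The Bluetooth-related opcodes stand out more on a camera that, as the article notes, has no Bluetooth support.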