Check Point analysts found six vulnerabilities in the implementation of the Picture Transfer Protocol (PTP) used in Canon cameras. Exploiting them lets an attacker take control of the device and install arbitrary malware on the DSLR, including over the air if the camera supports wireless connections.
“Our research shows how an attacker in close proximity (WiFi), or an attacker who already hijacked our PC (USB), can also propagate to and infect our beloved cameras with malware. Imagine how you would respond if attackers inject ransomware into both your computer and the camera, causing them to hold all of your pictures hostage unless you pay ransom,” the Check Point researchers write.
The researchers demonstrated such an attack on a Canon EOS 80D, which they ultimately infected with ransomware over a Wi-Fi connection.
The experts first studied the PTP implementation in Canon cameras, enumerated all 148 supported commands, and narrowed the list to the 38 that accept an input buffer. Auditing those yielded six distinct problems. The vulnerable commands and their identifiers are listed below; note that not all of them need to be exploited to gain unauthorized access to the camera.
- CVE-2019-5994 — buffer overflow in SendObjectInfo (opcode 0x100C);
- CVE-2019-5998 — buffer overflow in NotifyBtStatus (opcode 0x91F9);
- CVE-2019-5999 — buffer overflow in BLERequest (opcode 0x914C);
- CVE-2019-6000 — buffer overflow in SendHostInfo (opcode 0x91E4);
- CVE-2019-6001 — buffer overflow in SetAdapterBatteryReport (opcode 0x91FD);
- CVE-2019-5995 — “silent” firmware update for malware.
The second and third entries in the list turned out to be Bluetooth-related commands, even though the camera used in the study does not support Bluetooth at all.
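The bug class shared by the five buffer-overflow entries above, as an added C illustration written for this article rather than Canon's firmware or Check Point's exploit: a PTP command handler that copies a command's data payload into a fixed-size buffer while trusting the length field the peer declared. The generic PTP container layout (length, type, code, transaction ID), the SendObjectInfo opcode and the response codes are from the protocol; the buffer size, the `handler_state_t` layout with a guard field behind the buffer, and the function names are assumptions made for the demo.

```c
/*
 * Added illustration for this article, not Canon's firmware and not Check Point's
 * exploit. The bug pattern: a PTP command handler copies the data phase of a command
 * into a fixed-size buffer while trusting the length the peer declared. OBJINFO_MAX,
 * handler_state_t and the function names are assumptions made for the demo.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTP_TYPE_DATA            0x0002  /* generic container type: data phase */
#define PTP_OC_SendObjectInfo    0x100C  /* opcode named in the article */
#define PTP_RC_OK                0x2001
#define PTP_RC_InvalidParameter  0x201D

#define PTP_HDR_LEN  12
#define OBJINFO_MAX  32          /* assumed capacity of the handler's buffer */
#define GUARD_VALUE  0xCAFEF00Du

/* Simulated handler state: the fixed buffer plus a sentinel right behind it. In real
 * firmware the neighbour could be a saved return address or a function pointer. */
typedef struct {
    uint8_t  objinfo[OBJINFO_MAX];
    uint32_t guard;
} handler_state_t;

void state_init(handler_state_t *st) {
    memset(st, 0, sizeof *st);
    st->guard = GUARD_VALUE;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Generic PTP container: length(u32) type(u16) code(u16) transaction_id(u32) payload... */
typedef struct {
    uint32_t length, transaction_id;
    uint16_t type, code;
    const uint8_t *payload;
    size_t payload_len;   /* derived from the DECLARED length, not from bytes received */
} ptp_container_t;

/* Build a container into out; returns the total length, or 0 if out is too small. */
size_t ptp_build(uint8_t *out, size_t cap, uint16_t type, uint16_t code, uint32_t tid,
                 const uint8_t *payload, size_t n) {
    if (cap < PTP_HDR_LEN + n) return 0;
    wr32(out, (uint32_t)(PTP_HDR_LEN + n));
    wr16(out + 4, type);
    wr16(out + 6, code);
    wr32(out + 8, tid);
    memcpy(out + PTP_HDR_LEN, payload, n);
    return PTP_HDR_LEN + n;
}

/* Parse the header only. Returns false on a truncated or self-inconsistent header. */
bool ptp_parse(const uint8_t *buf, size_t have, ptp_container_t *c) {
    if (buf == NULL || have < PTP_HDR_LEN) return false;
    c->length = rd32(buf);
    c->type = rd16(buf + 4);
    c->code = rd16(buf + 6);
    c->transaction_id = rd32(buf + 8);
    if (c->length < PTP_HDR_LEN) return false;
    c->payload = buf + PTP_HDR_LEN;
    c->payload_len = c->length - PTP_HDR_LEN;
    return true;
}

/* Vulnerable pattern: payload_len is never compared with OBJINFO_MAX. The copy goes
 * through a pointer to the whole state object so the demo stays within defined
 * behaviour, yet it still shows the bytes landing on the guard field. */
uint16_t send_object_info_vuln(handler_state_t *st, const uint8_t *pkt, size_t have) {
    ptp_container_t c;
    if (!ptp_parse(pkt, have, &c) || c.type != PTP_TYPE_DATA || c.code != PTP_OC_SendObjectInfo)
        return PTP_RC_InvalidParameter;
    size_t n = c.payload_len;
    if (n > have - PTP_HDR_LEN) n = have - PTP_HDR_LEN;  /* demo only: no out-of-bounds read */
    if (n > sizeof *st) n = sizeof *st;                  /* demo only: stop at the struct's end */
    memcpy((uint8_t *)st, c.payload, n);                 /* fills objinfo, then clobbers guard */
    return PTP_RC_OK;
}

/* Hardened pattern: the declared length must match what arrived, and the payload must fit. */
uint16_t send_object_info_fixed(handler_state_t *st, const uint8_t *pkt, size_t have) {
    ptp_container_t c;
    if (!ptp_parse(pkt, have, &c) || c.type != PTP_TYPE_DATA || c.code != PTP_OC_SendObjectInfo)
        return PTP_RC_InvalidParameter;
    if (c.length != have) return PTP_RC_InvalidParameter;           /* truncated or over-declared */
    if (c.payload_len > OBJINFO_MAX) return PTP_RC_InvalidParameter; /* would not fit */
    memcpy(st->objinfo, c.payload, c.payload_len);
    return PTP_RC_OK;
}

int main(void) {
    uint8_t payload[64], pkt[128];
    handler_state_t st;
    memset(payload, 'A', sizeof payload);   /* constructed oversize ObjectInfo payload */
    size_t len = ptp_build(pkt, sizeof pkt, PTP_TYPE_DATA, PTP_OC_SendObjectInfo, 1,
                           payload, sizeof payload);
    state_init(&st);
    uint16_t rc = send_object_info_vuln(&st, pkt, len);
    printf("vulnerable: rc=0x%04x guard=0x%08x (intact would be 0x%08x)\n", rc, st.guard, GUARD_VALUE);
    state_init(&st);
    rc = send_object_info_fixed(&st, pkt, len);
    printf("hardened:   rc=0x%04x guard=0x%08x\n", rc, st.guard);
    return 0;
}
```

Run as-is, the vulnerable handler reports PTP_RC_OK while the guard field behind the buffer has become 0x41414141; the hardened handler rejects the same packet with PTP_RC_InvalidParameter because it checks both that the declared length matches the bytes received and that the payload fits. In real firmware the neighbour is not a sentinel but a saved return address or function pointer, which is what turns this pattern into code execution.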
The researchers say they began with an ordinary USB cable connection to a computer. Wi-Fi cannot be used while the camera is connected via USB, but they could still test and refine their exploit over USB, using the second vulnerability in the list (NotifyBtStatus), until they achieved code execution through the USB connection.
[Video: Check Point's exploit and ransomware demonstration]
After switching to a wireless connection, however, the exploit simply stopped working and the camera malfunctioned: sending a Bluetooth status notification over Wi-Fi confused the camera, which does not support Bluetooth in the first place.
The researchers then kept looking and found a flaw that allows a remote firmware update with no user interaction. Reverse engineering of the firmware turned up the keys used to verify its authenticity and to encrypt it.
A firmware image prepared with those keys carries all the correct signatures, so the camera accepts it as legitimate; once the keys are in an attacker's hands the verification no longer protects anything. As a result, the experts not only built an exploit that works over both USB and Wi-Fi but also found a way to encrypt the files on the camera's memory card, reusing the camera's own cryptographic functions, the same ones the firmware update process uses. The video below shows the Wi-Fi attack on the Canon EOS 80D and the encryption of its contents.
Canon has already published a security bulletin on the issues. It states that the company is not aware of these bugs being exploited by criminals and links to updated firmware: version 1.0.3 has been available to European and Asian users since 30 July this year, and the update for American owners of affected cameras was published on 6 August.