Vulnerabilities in the image transfer protocol used in digital cameras enabled a security researcher to infect with ransomware a Canon EOS 80D DSLR over a rogue WiFi connection.
A host of six flaws was discovered in the implementation of the Picture Transfer Protocol (PTP) in Canon cameras, some of them offering exploit options for a variety of attacks.
The final stage of an attack would be a complete takeover of the device, allowing hackers to deploy any kind of malware on the camera.
On devices that support a wireless connection, the compromise can occur through a rogue WiFi access point. Otherwise, a hacker could attack the camera through the computer it connects to.
Six vulnerabilities in the Picture Transfer Protocol
After jumping through some hoops to get the firmware in unencrypted form, security researcher Eyal Itkin from Check Point was able to analyze how PTP is implemented in Canon’s cameras. He scanned all 148 supported commands and narrowed the list to the 38 that receive an input buffer.
Below is a list of the vulnerable commands and their unique numeric opcode. Not all of them are required for unauthorized access to the camera, though.
- CVE-2019-5994 – Buffer Overflow in SendObjectInfo (opcode 0x100C)
- CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)
- CVE-2019-5999 – Buffer Overflow in BLERequest (opcode 0x914C)
- CVE-2019-6000 – Buffer Overflow in SendHostInfo (opcode 0x91E4)
- CVE-2019-6001 – Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)
- CVE-2019-5995 – Silent malicious firmware update
The second and third bugs are in commands related to Bluetooth, although the target camera model does not support this type of connection.
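The five overflow entries above are all commands that take an input buffer, and the defensive pattern against that bug class is to validate a container's declared length and its payload size against the handler's limit before anything is copied. The following C check over the standard 12-byte PTP container header is an added illustration, not Canon's firmware code or Check Point's research code; the opcodes are the ones listed in the article, while the per-opcode byte limits and the sample payloads are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PTP_HDR_LEN    12u   /* length(4) + type(2) + code(2) + transaction id(4) */
#define PTP_DATA_BLOCK 2u    /* container type of the data phase */

/* Per-opcode payload ceiling. Opcodes are the ones listed in the article;
 * the byte limits are constructed for this example, not Canon's real values. */
struct ptp_limit { uint16_t opcode; uint32_t max_payload; };
static const struct ptp_limit limits[] = {
    { 0x100C, 256 }, /* SendObjectInfo */
    { 0x91F9,  16 }, /* NotifyBtStatus */
    { 0x914C, 128 }, /* BLERequest */
    { 0x91E4,  64 }, /* SendHostInfo */
    { 0x91FD,   8 }, /* SetAdapterBatteryReport */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Validate a data-phase container before any handler copies its payload.
 * Returns the accepted payload length, or -1 if the container must be dropped. */
int ptp_check_data_container(const uint8_t *buf, size_t received)
{
    if (received < PTP_HDR_LEN) return -1;                /* truncated header */
    uint32_t len = rd32(buf);
    if (rd16(buf + 4) != PTP_DATA_BLOCK) return -1;       /* not a data block */
    if (len < PTP_HDR_LEN || len > received) return -1;   /* declared length is untrusted */
    uint32_t payload = len - PTP_HDR_LEN;
    uint16_t code = rd16(buf + 6);
    for (size_t i = 0; i < sizeof limits / sizeof limits[0]; i++)
        if (limits[i].opcode == code)
            return payload <= limits[i].max_payload ? (int)payload : -1;
    return -1;                                            /* opcode without a known limit */
}

/* Build a little-endian data container so the check can be exercised offline.
 * Returns bytes written, or 0 if it does not fit in the output buffer. */
size_t ptp_build_data(uint8_t *out, size_t cap, uint16_t code, uint32_t tid,
                      const uint8_t *payload, uint32_t n)
{
    uint32_t len = PTP_HDR_LEN + n;
    if (len > cap) return 0;
    wr32(out, len); wr16(out + 4, PTP_DATA_BLOCK); wr16(out + 6, code); wr32(out + 8, tid);
    memcpy(out + PTP_HDR_LEN, payload, n);
    return len;
}
```

A handler that only copies the number of bytes this check returns can no longer be driven past its buffer by a crafted length field or an oversized payload.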
A wireless connection cannot be used while the camera is connected via USB to a computer. Nevertheless, Itkin could test and adjust his exploit code that leveraged the second vulnerability until he achieved code execution over a USB connection.
However, this did not work when switching to a wireless connection as the exploit script broke, causing the camera to crash. One explanation is that “sending a notification about the Bluetooth status, when connecting over WiFi, simply confuses the camera. Especially when it doesn’t even support Bluetooth.” This drove the researcher to dig deeper and find the other vulnerable commands and a way to exploit them in a meaningful way over the air.
Using firmware’s crypto functions
He discovered a PTP command that permits remote firmware updates without any user interaction. Reverse engineering revealed the keys used to verify the legitimacy of the firmware and to encrypt it. A malicious update built with these keys would carry valid signatures, so the camera would accept it as legitimate because it passes verification.
The effort paid off: Itkin was not only able to build an exploit that worked over both USB and WiFi, but also found a way to encrypt files on the camera’s storage card using the same cryptographic functions the firmware update process relies on.
While this may not be a threat to users who connect their camera only to trusted WiFi networks, an attacker could target visitors of popular tourist attractions. Check Point disclosed the vulnerabilities responsibly to Canon on March 31, and the report was validated on May 14. The two companies worked together to fix the issues.
Canon published an advisory last week stating that it has no reports of malicious exploitation of the flaws and pointing users to the company’s sales website in their region for details about firmware that addresses the problems.