The threat of ransomware is becoming more prevalent and severe as attackers' focus has now moved beyond computers to smartphones and other Internet-connected smart devices.
CheckPoint demonstrated how easy it is for hackers to remotely infect a digital DSLR camera with ransomware and hold private photos and videos hostage until victims pay a ransom.
It discovered several security vulnerabilities in the firmware of Canon cameras that can be exploited over both USB and WiFi, allowing attackers to compromise and take over the camera and its features.
Canon DSLR PTP and Firmware Vulnerabilities
All these vulnerabilities, listed below, reside in the way Canon implements Picture Transfer Protocol (PTP) in its firmware, a standard protocol that modern DSLR cameras use to transfer files between camera and computer or mobile devices via wired (USB) or wirelessly (WiFi).
Besides file transfer, Picture Transfer Protocol also supports dozens of commands to remotely handle many other tasks on camera—from taking live pictures to upgrading the camera's firmware—many of which have been found vulnerable.
CVE-2019-5994 — Buffer Overflow in SendObjectInfo
CVE-2019-5998 — Buffer Overflow in NotifyBtStatus
CVE-2019-5999 — Buffer Overflow in BLERequest
CVE-2019-6000 — Buffer Overflow in SendHostInfo
CVE-2019-6001 — Buffer Overflow in SetAdapterBatteryReport
CVE-2019-5995 — Silent Malicious Firmware Update
Canon's PTP operations neither require authentication nor use encryption in any way, allowing attackers to compromise the DSLR camera in the following scenarios:
Via USB — Malware that has already compromised your PC can propagate into your camera as soon as you connect it with your computer using a USB cable.
Over WiFi — An attacker in close proximity to a targeted DSLR camera can set up a rogue WiFi access point to infect your camera.
"This can be easily achieved by first sniffing the network and then faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit,"
Exploiting Canon DSLR Flaw to Deploy Ransomware Over-the-Air
As a proof-of-concept, the researcher successfully exploited one of these vulnerabilities that allowed them to push and install a malicious firmware update on a targeted DSLR camera over WiFi—with no interaction required from the victim.
As shown in the video demonstration, the malicious firmware was modified to encrypt all files on the camera and display a ransom demand on its screen using the same built-in AES functions that Canon uses to protect its firmware. "There is a PTP command for a remote firmware update, which requires zero user interaction," the researcher explains. "This means that even if all of the implementation vulnerabilities are patched, an attacker can still infect the camera using a malicious firmware update file."
A real ransomware attack of this type is one of the biggest threats to your precious memories where hackers can typically demand money in exchange for the decryption key that would unlock your photos, videos and audio files.
Researchers responsibility reported these vulnerabilities to Canon in March this year. However, the company has currently only released an updated firmware for Canon EOS 80D model and recommended users of other affected models to follow basic security practices until patches for their devices become available.
If you have any queries,please do not hesitate to contact us: email@example.com