Researchers at cybersecurity firm Check Point have demonstrated that malicious actors could hack a DSLR camera and infect it with a piece of ransomware.
Modern cameras are embedded devices that run sophisticated software designed to improve functionality and image quality. They can be connected to a computer or mobile phone through USB or Wi-Fi.
While these connectivity options provide many benefits, they also introduce an attack vector which, as researchers from Check Point demonstrated, can be leveraged to deliver a piece of ransomware that holds the photos stored on the device for ransom.
The experts conducted their tests on a Canon EOS 80D DSLR camera and the Picture Transfer Protocol (PTP) it uses.
Developed by the International Imaging Industry Association, PTP is designed for transferring images from the camera to a computer, but it also provides capabilities designed for controlling the camera’s functionality and updating its firmware.
The researchers started by obtaining the camera firmware and decrypting it. They then analyzed Canon’s implementation of PTP and uncovered several buffer overflow vulnerabilities, including ones that could be exploited for arbitrary code execution, and a weakness that allows an attacker to push a malicious firmware to the device without any user interaction.
The security holes are tracked as CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000 and CVE-2019-6001.
Some of these vulnerabilities can be exploited to take control of a camera and install a piece of ransomware that encrypts all the files on the SD card and displays a ransom message to the victim on the camera’s screen.
An attacker can targeted the camera either via USB, by compromising the computer it’s connected to, or via Wi-Fi, by setting up a rogue access point that has the same name as a Wi-Fi connection the camera automatically connects to.
“Although the tested implementation contains many proprietary commands, the protocol is standardized, and is embedded in other cameras. Based on our results, we believe that similar vulnerabilities can be found in the PTP implementations of other vendors as well,” Check Point researchers explained.
Check Point reported the vulnerabilities it found to Canon in late March and in July it confirmed that the vendor’s patches were good.
In an advisory published last week, Canon advised customers to install the firmware that addresses the vulnerabilities, and provided some recommendations for mitigating potential threats, such as disabling the camera’s network functions when not needed, downloading firmware only from the official website, and only connecting the camera to trusted devices.
Canon has highlighted that there is no evidence that the vulnerabilities have been exploited in the wild.
Related: Critical Flaws Expose 400 Axis Cameras to Remote Attacks
Related: Vulnerability Gives Attackers Remote Access to Zoom Users’ Cameras
Related: Researchers Replace IP Camera Feed With Fake Footage