Brother
Check Point analysts have discovered six vulnerabilities in the implementation of the Picture Transfer Protocol (PTP) used in Canon cameras. Exploiting these problems ultimately gives the attacker control over the device and allows them to install any malware on the DSLR (including "over the air" if the camera supports wireless connections). The researchers demonstrated such an attack on a Canon EOS 80D SLR camera, which was eventually infected with ransomware over a Wi-Fi connection.
First, the experts took a close look at the PTP implementation in Canon cameras. They then examined all 148 supported commands and narrowed the list down to the 38 that take an input buffer. In this way, six different problems were identified. The vulnerable commands and their unique identifiers are listed below. Note, however, that not all of these vulnerabilities need to be exploited to gain unauthorized access to the camera.
- CVE-2019-5994 - buffer overflow in SendObjectInfo (opcode 0x100C);
- CVE-2019-5998 - buffer overflow in NotifyBtStatus (opcode 0x91F9);
- CVE-2019-5999 - buffer overflow in BLERequest (opcode 0x914C);
- CVE-2019-6000 - buffer overflow in SendHostInfo (opcode 0x91E4);
- CVE-2019-6001 - buffer overflow in SetAdapterBatteryReport (opcode 0x91FD);
- CVE-2019-5995 - "silent" firmware update (used to deliver malware).
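The commands above all share one trait: they carry an attacker-controlled input buffer whose length the firmware must check before copying it into a fixed-size structure. The following Python is an added example (not Check Point's code and not Canon's firmware) showing a PTP container parser with the length checks such a handler needs, beside the unchecked copy pattern that a buffer overflow in a command handler corresponds to. The 12-byte container header is the standard PTP layout; the record layout, the opcode table and the sample packets are constructed for illustration.

```python
"""Parse PTP containers and show why per-command input length checks matter."""
import struct
from dataclasses import dataclass

# Standard PTP container header: u32 length, u16 type, u16 code (opcode or
# response code), u32 transaction id, all little-endian. 12 bytes in total.
PTP_HEADER = struct.Struct("<IHHI")
TYPE_COMMAND, TYPE_DATA, TYPE_RESPONSE, TYPE_EVENT = 1, 2, 3, 4

# Opcodes named in the list above, for labelling traffic; every other
# opcode is left unnamed in this example.
FLAGGED_OPCODES = {
    0x100C: "SendObjectInfo",
    0x91F9: "NotifyBtStatus",
    0x914C: "BLERequest",
    0x91E4: "SendHostInfo",
    0x91FD: "SetAdapterBatteryReport",
}


@dataclass
class Container:
    kind: int
    code: int
    transaction_id: int
    payload: bytes


def parse_container(raw: bytes) -> Container:
    """Split one container off the wire, validating the declared length.

    The declared length is peer-controlled, so it is checked against both the
    header size and the number of bytes actually received before slicing.
    """
    if len(raw) < PTP_HEADER.size:
        raise ValueError("container shorter than the 12-byte header")
    length, kind, code, tid = PTP_HEADER.unpack_from(raw)
    if length < PTP_HEADER.size or length > len(raw):
        raise ValueError(f"declared length {length} does not fit {len(raw)} received bytes")
    if kind not in (TYPE_COMMAND, TYPE_DATA, TYPE_RESPONSE, TYPE_EVENT):
        raise ValueError(f"unknown container type {kind}")
    return Container(kind, code, tid, bytes(raw[PTP_HEADER.size:length]))


def build_container(kind: int, code: int, tid: int, payload: bytes = b"") -> bytes:
    """Encode a container; used here only to construct sample traffic."""
    return PTP_HEADER.pack(PTP_HEADER.size + len(payload), kind, code, tid) + payload


def describe(c: Container) -> str:
    """Human-readable label, marking opcodes from the list above."""
    name = FLAGGED_OPCODES.get(c.code)
    return f"0x{c.code:04X} {name}" if name else f"0x{c.code:04X}"


# Stand-in for a fixed-size struct in device firmware: a 16-byte name field
# immediately followed by a 4-byte flags field. Constructed for this example;
# it is not the layout of any real camera.
NAME_SIZE = 16
FLAGS_OFFSET = NAME_SIZE
RECORD_SIZE = NAME_SIZE + 4


def handle_unchecked(record: bytearray, payload: bytes) -> None:
    """Vulnerable pattern: copies the whole payload into the name field.

    Emulates memcpy(record->name, payload, payload_len). Bytes beyond
    NAME_SIZE land in the adjacent flags field; in native code they would
    keep going past the end of the struct. The copy is clamped to the record
    only so that the Python bytearray does not silently grow.
    """
    end = min(len(payload), RECORD_SIZE)
    record[0:end] = payload[:end]


def handle_checked(record: bytearray, payload: bytes) -> bool:
    """Hardened pattern: refuse any payload that does not fit the field."""
    if len(payload) > NAME_SIZE:
        return False
    record[0:len(payload)] = payload
    return True


def demo() -> dict:
    """Run both handlers on an oversized payload and report the flags field."""
    flags_before = (1).to_bytes(4, "little")
    oversized = build_container(TYPE_DATA, 0x91F9, 7, b"A" * 20)
    c = parse_container(oversized)

    rec_unchecked = bytearray(RECORD_SIZE)
    rec_unchecked[FLAGS_OFFSET:] = flags_before
    handle_unchecked(rec_unchecked, c.payload)

    rec_checked = bytearray(RECORD_SIZE)
    rec_checked[FLAGS_OFFSET:] = flags_before
    accepted = handle_checked(rec_checked, c.payload)

    return {
        "label": describe(c),
        "flags_after_unchecked": bytes(rec_unchecked[FLAGS_OFFSET:]),
        "checked_accepted": accepted,
        "flags_after_checked": bytes(rec_checked[FLAGS_OFFSET:]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The two parse-time checks (declared length within the received buffer, known container type) stop malformed framing; the per-field check in handle_checked is the one that the overflowed commands above were missing, and it is the check that has to live in every handler that copies payload bytes into fixed storage.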
The researchers say they started testing the camera by simply connecting it to a computer with a USB cable. The wireless connection cannot be used while the camera is connected over USB, but the experts could still test and refine their exploit for the second vulnerability in the list above until they achieved code execution over the USB connection.
But after switching to a wireless connection, the exploit simply stopped working and the camera crashed. The reason is that sending a Bluetooth status notification over Wi-Fi confused the camera (especially since it does not even support Bluetooth).
The researchers therefore continued looking for other bugs and discovered an issue that allows remote firmware updates without user interaction. Reverse engineering revealed the keys used to verify the firmware's legitimacy and to encrypt it.
Such a firmware update carries all the correct signatures, so the camera accepts it as legitimate. As a result, the experts were not only able to create an exploit that works both over USB and over Wi-Fi, but also found a way to encrypt the files on the camera's memory card, reusing the same cryptographic functions that the firmware update process uses. The video below demonstrates the attack on a Canon EOS 80D over Wi-Fi and the resulting ransomware infection of the camera.
Canon has now published a security bulletin covering the reported issues. It states that the company is not aware of these bugs being exploited by cybercriminals, and it links to updated firmware versions: for European and Asian users, firmware version 1.0.3 has been available since July 30 this year, and for American owners of vulnerable cameras the update was published on August 6.
