At DEF CON 27, Eyal Itkin, a vulnerability researcher at Check Point Software Technologies, demonstrated how vulnerabilities in the Picture Transfer Protocol (PTP) allowed him to infect a Canon EOS 80D DSLR with ransomware over a rogue WiFi connection.
Besides image transfer, PTP also defines dozens of different commands, supporting anything from taking a live picture to upgrading the camera’s firmware.
The researcher chose Canon’s EOS 80D DSLR camera for three major reasons:
- Canon is the largest DSLR maker, controlling more than 50% of the market.
- The EOS 80D supports both USB and WiFi.
- Canon has an extensive “modding” community, called Magic Lantern, an open-source free software add-on that adds new features to the Canon EOS cameras.
Eyal Itkin highlighted six vulnerabilities in Canon’s PTP implementation that allow an attacker to compromise the DSLR, inject ransomware and lock the device, after which users might have to pay a ransom to recover their camera and picture files:
- CVE-2019-5994 – Buffer Overflow in SendObjectInfo (opcode 0x100C)
- CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)
- CVE-2019-5999 – Buffer Overflow in BLERequest (opcode 0x914C)
- CVE-2019-6000 – Buffer Overflow in SendHostInfo (opcode 0x91E4)
- CVE-2019-6001 – Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)
- CVE-2019-5995 – Silent malicious firmware update
Itkin’s team informed Canon about the vulnerabilities in their DSLR on March 31, 2019. Recently, on August 6, Canon published a security advisory informing users that, “at this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm” and asking them to take advised measures to ensure safety.
Itkin told The Verge, “due to the complexity of the protocol, we do believe that other vendors might be vulnerable as well, however, it depends on their respective implementation”. Though Itkin said he worked only with the Canon model, he added that DSLRs from other manufacturers may also be at high risk.
Vulnerability discovery by Itkin’s team in Canon’s DSLR
After Itkin’s team succeeded in dumping the camera’s firmware and loading it into their disassembler (IDA Pro), they say finding the PTP layer was an easy task, because:
- The PTP layer is command-based, and every command has a unique numeric opcode.
- The firmware contains many indicative strings, which eases the task of reverse-engineering it.
Next, the team traversed back from the PTP OpenSession handler and found the main function that registers all of the PTP handlers according to their opcodes.
“When looking on the registration function, we realized that the PTP layer is a promising attack surface. The function registers 148 different handlers, pointing to the fact that the vendor supports many proprietary commands. With almost 150 different commands implemented, the odds of finding a critical vulnerability in one of them is very high,” Itkin wrote in the research report.
Each PTP command handler implements the same code API, built around the ptp_context object, which is partially documented thanks to Magic Lantern (ML), Itkin said.
The team realized that most of the commands were relatively simple. “They receive only a few numeric arguments, as the protocol supports up to 5 such arguments for every command. After scanning all of the supported commands, the list of 148 commands was quickly narrowed down to 38 commands that receive an input buffer,” Itkin writes.
“From an attacker’s viewpoint, we have full control of this input buffer, and therefore, we can start looking for vulnerabilities in this much smaller set of commands. Luckily for us, the parsing code for each command uses plain C code and is quite straightforward to analyze,” he added. Following this, they were able to find their first vulnerability and then the rest.
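As an added illustration (not Canon’s firmware and not Check Point’s code), the following is a minimal hardened parser for a PTP/USB data container, showing the length checks a handler that receives an input buffer needs so that a peer-supplied length can never exceed either the bytes actually received or the destination buffer. The SendObjectInfo opcode is taken from the CVE list above; the ptp_ctx struct, the 64-byte buffer size and the handler body are assumptions made for the example.

```c
/* Added example, not code from Canon's firmware or Check Point's research.
 * PTP/USB container: u32 length, u16 type, u16 code, u32 transaction id, payload.
 * The SendObjectInfo opcode is from the article; the rest is hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define PTP_HDR_LEN        12
#define PTP_TYPE_DATA      2
#define OPC_SendObjectInfo 0x100C   /* handler behind CVE-2019-5994 (article) */
#define OBJINFO_MAX        64       /* hypothetical fixed-size handler buffer */
enum { PTP_OK = 0, PTP_ERR_SHORT = -1, PTP_ERR_LEN = -2, PTP_ERR_TYPE = -3, PTP_ERR_OPCODE = -4, PTP_ERR_TOOBIG = -5 };
struct ptp_ctx { uint8_t objinfo[OBJINFO_MAX]; size_t objinfo_len; };  /* hypothetical */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse one data container and dispatch on its opcode. Every length the peer
 * controls is checked against what was received and against the destination. */
int ptp_handle_data(struct ptp_ctx *ctx, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < PTP_HDR_LEN) return PTP_ERR_SHORT;
    uint32_t declared = rd32(pkt);
    /* declared length is peer-controlled: it must not exceed the bytes we hold */
    if (declared < PTP_HDR_LEN || declared > pkt_len) return PTP_ERR_LEN;
    if (rd16(pkt + 4) != PTP_TYPE_DATA) return PTP_ERR_TYPE;
    size_t payload_len = declared - PTP_HDR_LEN;
    const uint8_t *payload = pkt + PTP_HDR_LEN;
    switch (rd16(pkt + 6)) {
    case OPC_SendObjectInfo:
        /* the check this class of overflow lacks: payload must fit the fixed buffer */
        if (payload_len > OBJINFO_MAX) return PTP_ERR_TOOBIG;
        memcpy(ctx->objinfo, payload, payload_len);
        ctx->objinfo_len = payload_len;
        return PTP_OK;
    default:
        return PTP_ERR_OPCODE;
    }
}

/* Build a container for testing; declared_len may deliberately disagree with the real size. */
size_t ptp_build(uint8_t *out, size_t cap, uint32_t declared_len, uint16_t type,
                 uint16_t opcode, const uint8_t *payload, size_t payload_len) {
    if (cap < PTP_HDR_LEN + payload_len) return 0;
    wr32(out, declared_len); wr16(out + 4, type); wr16(out + 6, opcode);
    wr32(out + 8, 0);                        /* transaction id: unused here */
    memcpy(out + PTP_HDR_LEN, payload, payload_len);
    return PTP_HDR_LEN + payload_len;
}
```

A fuzzer or unit test that feeds ptp_handle_data containers whose declared length disagrees with the bytes received, or whose payload exceeds OBJINFO_MAX, should see only the error codes, never a write past objinfo.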
Check Point and Canon have advised users to ensure that their cameras are running the latest firmware and to install patches whenever they become available. Also, when the camera is not in use, owners should keep its Wi-Fi turned off.
A user on HackerNews points out, “It could get even worse if the perpetrator instead of bricking the device decides to install a backdoor that silently uploads photos to a server whenever a wifi connection is established.”
Another user on Petapixel explained what quick measures they should take, “A custom firmware can close the vulnerability also if they put in the work. Just turn off wifi and don’t use random computers in grungy cafes to connect to your USB port and you should be fine. It may or may not happen but it leaves the door open for awesome custom firmware to show up. Easy ones are real CLOG for 1dx2. For the 5D4, I would imagine 24fps HDR, higher res 120fps, and free Canon Log for starters.
For non-tech-savvy people that just leave wifi on all the time, that visit high-traffic touristy photo landmarks, they should update. Especially if they have no interest in custom firmware.”
Another user on Petapixel highlighted the fact that, “this hack relies on a serious number of things to be in play before it works, there is no mention of how to get the camera working again, is it just a case of flashing the firmware and accepting you may have lost a few images?… there’s a lot more things to worry about than this.”
Check Point has demonstrated the entire attack in the following YouTube video.
To know more about this news in detail, read Eyal Itkin’s complete research on Check Point.