Canon DSLR Cameras Can Be Hacked Remotely With Ransomware

The threat of ransomware is becoming more prevalent and severe as attackers’ focus has now moved beyond computers to smartphones and other Internet-connected smart devices.

In its latest research, security researchers at cybersecurity firm Check Point demonstrated how easy it is for hackers to remotely infect a digital DSLR camera with ransomware and hold private photos and videos hostage until victims pay a ransom.
Security researcher Eyal Itkin discovered several security vulnerabilities in the firmware of Canon cameras that can be exploited over both USB and WiFi, allowing attackers to compromise and take over the camera and its features.
According to a security advisory released by Canon, the reported security flaws affect Canon EOS-series digital SLR and mirrorless cameras, PowerShot SX740 HS, PowerShot SX70 HS, and PowerShot G5X Mark II.
“Imagine how would you respond if attackers inject ransomware into both your computer and the camera, causing them to hold all of your pictures hostage unless you pay a ransom,” Itkin warns.

Canon DSLR PTP and Firmware Vulnerabilities

All these vulnerabilities, listed below, reside in the way Canon implements Picture Transfer Protocol (PTP) in its firmware, a standard protocol that modern DSLR cameras use to transfer files between the camera and a computer or mobile device over a wired (USB) or wireless (WiFi) connection.
Besides file transfer, Picture Transfer Protocol also supports dozens of commands to remotely handle many other tasks on camera—from taking live pictures to upgrading the camera’s firmware—many of which have been found vulnerable.
CVE-2019-5994 — Buffer Overflow in SendObjectInfo
CVE-2019-5998 — Buffer Overflow in NotifyBtStatus
CVE-2019-5999 — Buffer Overflow in BLERequest
CVE-2019-6000 — Buffer Overflow in SendHostInfo
CVE-2019-6001 — Buffer Overflow in SetAdapterBatteryReport
CVE-2019-5995 — Silent Malicious Firmware Update
Itkin found that Canon’s PTP operations neither require authentication nor use encryption in any way, allowing attackers to compromise the DSLR camera in the following scenarios:
Via USB — Malware that has already compromised your PC can propagate into your camera as soon as you connect it with your computer using a USB cable.
Over WiFi — An attacker in close proximity to a targeted DSLR camera can set up a rogue WiFi access point to infect your camera.


“This can be easily achieved by first sniffing the network and then faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit,” Itkin explains.
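
Because PTP carries no authentication of its own, the only place to see who is issuing commands to a camera is the network. The following is an added example, not code from the researcher or from Canon: it parses a reassembled PTP/IP stream and reports operation requests that come from a host outside an approved list or that use a vendor-extension operation code. It assumes the standard PTP/IP framing (packet type 6 for operation requests, vendor codes in 0x9000-0x9FFF); the IP addresses, the sample stream and the code 0x9ABC are constructed for illustration.

```python
import struct

# PTP/IP framing: 4-byte little-endian length (header included), 4-byte packet type.
OPERATION_REQUEST = 6  # packet type that carries a PTP operation code
OP_NAMES = {0x1001: "GetDeviceInfo", 0x1002: "OpenSession", 0x100C: "SendObjectInfo"}

def parse_ptpip(stream):
    """Split a reassembled TCP payload into (packet_type, body) tuples."""
    packets, off = [], 0
    while off < len(stream):
        if len(stream) - off < 8:
            raise ValueError("truncated PTP/IP header")
        length, ptype = struct.unpack_from("<II", stream, off)
        if length < 8 or off + length > len(stream):
            raise ValueError(f"invalid PTP/IP length {length} at offset {off}")
        packets.append((ptype, stream[off + 8:off + length]))
        off += length
    return packets

def audit(stream, src_ip, approved_hosts):
    """Return operation requests that deserve review, with the reasons."""
    findings = []
    for ptype, body in parse_ptpip(stream):
        if ptype != OPERATION_REQUEST:
            continue
        if len(body) < 10:
            raise ValueError("operation request shorter than its fixed fields")
        # Fixed fields: data-phase info (4), operation code (2), transaction id (4).
        _dataphase, opcode, txid = struct.unpack_from("<IHI", body)
        reasons = []
        if src_ip not in approved_hosts:
            reasons.append("unapproved-host")  # PTP itself never checks the sender
        if 0x9000 <= opcode <= 0x9FFF:
            reasons.append("vendor-extension-op")
        if reasons:
            findings.append({"op": OP_NAMES.get(opcode, hex(opcode)),
                             "txid": txid, "reasons": reasons})
    return findings

def make_packet(ptype, body):
    return struct.pack("<II", 8 + len(body), ptype) + body

def make_op(opcode, txid):
    return make_packet(OPERATION_REQUEST, struct.pack("<IHI", 1, opcode, txid))

# Constructed sample; 0x9ABC is an arbitrary vendor-range code, not a real Canon opcode.
SAMPLE = (make_packet(1, b"\x00" * 20) + make_op(0x1002, 0)
          + make_op(0x100C, 1) + make_op(0x9ABC, 2))

if __name__ == "__main__":
    for finding in audit(SAMPLE, "192.0.2.50", {"192.0.2.10"}):
        print(finding)
```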

Exploiting Canon DSLR Flaw to Deploy Ransomware Over-the-Air

As a proof-of-concept, the researcher successfully exploited one of these vulnerabilities that allowed them to push and install a malicious firmware update on a targeted DSLR camera over WiFi—with no interaction required from the victim.
As shown in the video demonstration, the malicious firmware was modified to encrypt all files on the camera and display a ransom demand on its screen using the same built-in AES functions that Canon uses to protect its firmware.
“There is a PTP command for a remote firmware update, which requires zero user interaction,” the researcher explains. “This means that even if all of the implementation vulnerabilities are patched, an attacker can still infect the camera using a malicious firmware update file.”
A real ransomware attack of this kind is one of the biggest threats to your precious memories, where hackers typically demand money in exchange for the decryption key that would unlock your photos, videos and audio files.
Researchers responsibly reported these vulnerabilities to Canon in March this year. However, the company has currently only released updated firmware for the Canon EOS 80D model and advised users of other affected models to follow basic security practices until patches for their devices become available.