Pierluigi Paganini August 12, 2019

Canon DSLR Camera Infected with Ransomware Over the Air

A researcher discovered 6 flaws in the image transfer protocol used in Canon EOS 80D DSLR cameras that allow him to infect the device with ransomware over the air.

Security researcher Eyal Itkin from Check Point analyzed the Picture Transfer Protocol (PTP) implementation in Canon EOS 80D DSLR cameras and discovered six vulnerabilities that could be exploited for several attacks.

An attacker could exploit the flaw to compromise the device and install ransomware on the camera.

“Our research shows how an attacker in close proximity (WiFi), or an attacker who already hijacked our PC (USB), can also propagate to and infect our beloved cameras with malware. Imagine how would you respond if attackers inject ransomware into both your computer and the camera, causing them to hold all of your pictures hostage unless you pay ransom.” states the post published by the expert, who shared the following video PoC.

The expert explained that the attackers can set up a rogue WiFi access point and exploit wireless connection feature of the Canon EOS 80D DSLR cameras, another scenario sees attacker compromising the device through the PC it connects to.

Searching online the expert first found an encrypted firmware, he found on a forum a Portable ROM Dumper, (a custom firmware update file that once loaded, dumps the memory of the camera into the SD Card) that allowed him to dump the camera’s firmware and load it into his disassembler (IDA Pro).

The expert focused his analysis in PTP layer that supports 148 commands, 38 of them receive an input buffer.

Below the list of flaws discovered by Itkin:

1. CVE-2019-5994 – Buffer Overflow in SendObjectInfo  (opcode 0x100C)
2. CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)
3. CVE-2019-5999– Buffer Overflow in BLERequest (opcode 0x914C)
4. CVE-2019-6000– Buffer Overflow in SendHostInfo (opcode0x91E4)
5. CVE-2019-6001– Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)
6. CVE-2019-5995 – Silent malicious firmware update

The expert started by connecting the camera to his computer using a USB cable in order to gain code execution.

“We started by connecting the camera to our computer using a USB cable. We previously used the USB interface together with Canon’s “EOS Utility” software, and it seems natural to attempt to exploit it first over the USB transport layer. Searching for a PTP Python library, we found ptpy, which didn’t work straight out of the box, but still saved us important time in our setup.” continues the post.

“Before writing a code execution exploit, we started with a small Proof-of-Concept (PoC) that will trigger each of the vulnerabilities we found, hopefully ending in the camera crashing. Figure 8 shows how the camera crashes, in what is described by the vendor as “Err 70.””

“We started by connecting the camera to our computer using a USB cable. We previously used the USB interface together with Canon’s “EOS Utility” software, and it seems natural to attempt to exploit it first over the USB transport layer.” – Eyal Itkin

Itkin successfully tested his exploit code for the CVE-2019-5998 flaw and achieved code execution over a USB connection.

Next step was to gain the code execution via a wireless connection, but initially, the exploit script developed by the researcher was causing the camera crash.

Then the researcher finally found a way to exploit the above issues also over the air, one of the commands supported by PTP command allows remote firmware updates without any user interaction. The expert was able to access the keys for verifying the authenticity of the firmware and for encrypting it. This means that he was able to craft a malicious update.

Itkin was able to develop an exploit for both USB and WiFi connections, he also demonstrated that it was possible to encrypt files on the camera’s storage card using functions used for the firmware update process.

Below the disclosure timeline:

• 31 March 2019 – Vulnerabilities were reported to Canon.
• 14 May 2019 – Canon confirmed all of our vulnerabilities.
• From this point onward, both parties worked together to patch the vulnerabilities.
• 08 July 2019 – We verified and approved Canon’s patch.
• 06 August 2019 – Canon published the patch as part of an official security advisory.

Canon also published a security advisory, the company confirmed that it is not aware of attacks exploiting the above flaws.

Owners of Canon EOS 80D DSLR can address the issues by installing the firmware version 1.0.3.

Pierluigi Paganini

(SecurityAffairs – Canon EOS 80D DSLR, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]