Multiple Bugs in Canon DSLR Camera Let Hackers Infect with Ransomware Over a Rouge WiFi Access Point
August 13, 2019 Share

Multiple Bugs in Canon DSLR Camera Let Hackers Infect with Ransomware Over a Rouge WiFi Access Point

Multiple Bugs in Canon DSLR Camera Let Hackers Infect with Ransomware Over a Rouge WiFi Access Point

Researchers discovered multiple critical vulnerabilities in Picture Transfer Protocol (PTP) that allows attackers to infect the Canon DSLR camera with ransomware to encrypt the pictures and demand the ransom.

An attacker who is very close with the victim’s WiFi or already hijacked computers with the USB access could propagate them to infect the cameras with deadly malware and ransomware.

There was a period when most users connect their camera to their PC using a USB cable to share the captured data using PTP/USB protocol.

New digital camera models now support WiFi to transfer the files from the camera to the computer via PTP/IP that is accessible to every WiFi-enabled device.

Researchers from Checkpoint found 6 critical vulnerabilities in PTP protocol that allows an attacker to take over the camera and infected with the severe ransomware over the rogue WiFi access and unsecured network.

There are 2 different scenarios that opens a door for attackers to exploit the vulnerabilities found in Picture Transfer Protocol (PTP).

USB – For an attacker that took over your PC, and now wants to propagate into your camera.

WiFi – An attacker can place a rogue WiFi access point at a tourist attraction, to infect your camera.

Part of the Research, Checkpoint Researchers mainly focusing on Canon’s EOS 80D DSLR camera that holds more than 50% of the market share, EOS80D model supports both USB and WiFi, Canon has an extensive “modding” community, called Magic Lantern, an open-source free software add-on that adds new features to the Canon EOS cameras.

PTP command handler supports up to 5 arguments for every command, out of 148 commands that perform various operations on camera, researchers narrowed down to 38 commands for this research that receives an input buffer.

Below mentioned vulnerabilities reside in the specific opcode and command name of the Picture Transfer Protocol (PTP).

  1. CVE-2019-5994 – Buffer Overflow in SendObjectInfo (opcode 0x100C)
  2. CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)
  3. CVE-2019-5999- Buffer Overflow in BLERequest (opcode 0x914C)
  4. CVE-2019-6000- Buffer Overflow in SendHostInfo (opcode0x91E4)
  5. CVE-2019-6001- Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)
  6. CVE-2019-5995 – Silent malicious firmware update

In this case, 3 similar buffer overflow vulnerabilities are found over a global structure, Over stack and heap.

The second and third vulnerability is related to Bluetooth, but the camera model doesn’t support Bluetooth.

Researchers tested these vulnerabilities using the Proof-of-concept to check whether the vulnerabilities are working and it ended up in the camera crashing then later they wrote an exploit to bypass the camera.

According to Checkpoint “After playing around with the firmware update process, we went back to finish our ransomware. The ransomware uses the same cryptographic functions as the firmware update process and calls the same AES functions in the firmware. After encrypting all of the files on the SD Card, the ransomware displays the ransom message to the user.”

In the above video, the developed exploit has been launched against the Camera over WiFi. In this part, the attacker set up a Rogue WiFi access point by sniffing the network.

Faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit and infect with ransomware, Researchers said.

All the vulnerability has been reported to Canon and they released an advisory with a firmware update, also Canon has informed that no confirmed cases of these vulnerabilities being exploited to cause harm.

This post Multiple Bugs in Canon DSLR Camera Let Hackers Infect with Ransomware Over a Rouge WiFi Access Point originally appeared on GB Hackers.

Read More