# Networkable DSLRs trivially hacked



## TrumpetPower! (Mar 26, 2013)

Here're a couple security researchers giving an hour-long presentation at Shmoocon. They demonstrate that the 1Dx is basically an open sieve when it comes to security.

http://www.youtube.com/watch?v=u7RjJNLnWF8

If you turn on WiFi or plug in a network cable to your DSLR, basically anybody can do anything they way to it. Read all the pictures off the card; upload whatever they want to the camera (think of somebody uploading something really nasty and then tipping off the police officer standing right over there); even turn the camera into a remote surveillance device without your knowledge.

I'm sure Canon will fix this; they won't have any choice. I'm also sure it'll take a while, and that they won't get it right the first or even the umpteenth time. That's just the way that big companies new to networking react...they'll ignore it for a while, then grudgingly make a half-assed attempt at fixing things that won't do anything, and eventually reach a state where there're constant minor updates to stay on top of with the odd more major one just to keep things interesting.

But, in the mean time, you would be well advised to only turn on WiFi in areas where there is no possibility of anybody hostile being within physical range of your camera's WiFi signal. Similarly, only plug the camera's ethernet cable into a secured and trusted network fully firewalled from the Internet.

It's a same, because I was just thinking of how neat all this WiFi control stuff could be. Ah, well. Some day....

Cheers,

b&


----------



## cookinghusband (Mar 26, 2013)

I want to do all the above to my 1d 

I guess the existing setup make it simple to user to connect it to the network

User just need to secure their network instead of a camera, 

I like this link 

interested to control my camera via a camera from a long distant

The most Canon ned to do is to let user have a password for camera use for network access.

but I much prefer with out password


----------



## TrumpetPower! (Mar 26, 2013)

cookinghusband said:


> User just need to secure their network instead of a camera,



Easier said than done. How're you supposed to secure the public WiFi at the Starbuck's?



> interested to control my camera via a camera from a long distant



You can do that today already, assuming you can control it from the network in the first place.

Problem is...so can anybody else....

b&


----------



## ahab1372 (Mar 26, 2013)

I'm just surprised how people think this is a scandal of some kind. Canon added network features to the camera, it never occurred to me that the cameras were intended to be internet-ready. 
It is nice to be able to connect the camera to a private Ethernet network, or an ad-hoc network to your phone, but that's it. Connecting to the public wifi at Starbicks? Not what it is made for.


----------



## TrumpetPower! (Mar 26, 2013)

ahab1372 said:


> Connecting to the public wifi at Starbicks? Not what it is made for.



Problem is, that's going to be the very first thought of every photojournalist of any type. Or, if not Starbucks, then the hotel's WiFi, or the public (or quasi-public) WiFi at the stadium, or whatever.

And, arguably, that's _exactly_ what it's made for. Shoot your assignment and dump all your pictures to the editor's desk before you leave the venue, and they get published before the event's even over.

And why not?

I'm not surprised. It doesn't even occur to people, even many computer programmers, that some random device needs any kind of security when you connect it to the Internet. I mean, who's going to want to hack a camera?

The answer?

Everybody at the next Red Carpet affair looking for a wardrobe malfunction, everybody with a grudge against a photographer who'd just love to see the police catch her red-handed with some kiddie porn, everybody who'd like to see the live view feed from that supposedly-off camera in the locker room.

These cameras _could_ have been secured, right from the get-go. And they _should_ have been, too. But, again, I'm not at all surprised that they're not...indeed, it would have been naïve to have expected otherwise.

Hell, just the fact that they include a built-in FTP (as opposed to SFTP) client should have been the big tip-off right there....

Cheers,

b&


----------



## ahab1372 (Mar 26, 2013)

I never saw it that way because of the built in FTP _server_. Does it even connect to another server? Http/s, webDav? I might have missed some features, but I figured the camera just doesn't have features to actively connect to another server, so why connect it to the Internet?
The scenario you describe does make sense, but canon didn't go all the way (unless I missed some features, as I said)


----------



## TrumpetPower! (Mar 26, 2013)

ahab1372 said:


> I never saw it that way because of the built in FTP _server_. Does it even connect to another server?



First, it varies from model to model.

But the 1Dx has a built-in FTP _client_ that will connect to a remote server. With all of the lack of security of FTP that's been universally known about for at least three decades, now -- meaning that basically everything the client and server have to say to each other is entirely public. If you do anything with FTP, you should assume that everybody on the same network has your username and password along with a copy of all data that you transmit. And you shouldn't even assume that the server the client is talking to is the one you think you're talking to...it's trivial to convince an FTP client to think that the attacker's server is the real deal.

In addition to that, the 1Dx has three other network modes, including a trivially-hacked Web server (not client) that gives you nearly full access to the camera, and a proprietary control mode that gives you so much control over the camera that you can even lock out the user of the camera from doing anything, leaving them with only the option of pulling the battery -- all while the attacker remains full control over everything but the zoom ring and the direction the camera's pointed in.

The 6D is likely very similar, except its WiFi is built in whereas the WiFi on the 1Dx requires an extra doohickey. I think the 5DIII with the WiFi doohickey is basically the same as the 1Dx.

The researchers in the video didn't investigate Nikon's vulnerability, but I'd be surprised if it's much different from the Canon. Maybe it is, but this sort of thing just hasn't been on anybody's radar, and it'd be uncharacteristic of a big company to even realize the potential for mayhem before somebody rubs their noses in it.

Cheers,

b&


----------



## ahab1372 (Mar 26, 2013)

You are right, it does have an FTP client, among other things. When I read "FTP" when it was first announced, instead of FTPs or https I thought it was pretty obvious that it was not designed for Internet or public networks. Rudimentary network capabilities, not more. I was just surprised this was published as major discovery of a security whole. I thought it was pretty obvious. 
Would have been nice for sure for some or many users if they had added a bit more. Next round maybe ;-)


----------



## TrumpetPower! (Mar 26, 2013)

ahab1372 said:


> You are right, it does have an FTP client, among other things. When I read "FTP" when it was first announced, instead of FTPs or https I thought it was pretty obvious that it was not designed for Internet or public networks. Rudimentary network capabilities, not more. I was just surprised this was published as major discovery of a security whole. I thought it was pretty obvious.
> Would have been nice for sure for some or many users if they had added a bit more. Next round maybe ;-)



It's just that kind of thinking that leads to this being a problem in the first place.

I'm sure the programmers at Canon thought the same as you -- that it'd be obvious that this is just a neat add-on for people to use on their trusted LANs to save plugging the card into the card reader, and nothing more, and that nobody would be stupid enough to attach their $6,000 camera to a public WiFi hotspot.

But the marketing types, and especially the non-programmer end users...well, the "you'd have to be stupid to use this" doesn't even register, let alone make sense. _Their_ first thought -- and rightly so -- is, "Cool! Now I can use my camera just like I already use my iPhone and everything else I have with WiFi! Just _think_ of all the weird places I can go and still get my pictures back to the office immediately!"

And there's no reason why they shouldn't be able to. Securing these kinds of devices isn't hard; you just have to follow some basic best-practices.

Except, of course, it's impossible to do if the programmers have the mindset of, "Well, nobody would really be stupid enough to actually _use_ this sniny new feature I'm creating, would they?"

Cheers,

b&


----------



## ahab1372 (Mar 26, 2013)

You are right - people just want to use stuff (and there is nothing wrong with that) and the lack of security is not obvious if you don't happen to have some background knowledge. 
I still wouldn't call it " hacked" - there is nothing to hack, everything seems wide open.


----------



## TrumpetPower! (Mar 26, 2013)

ahab1372 said:


> You are right - people just want to use stuff (and there is nothing wrong with that) and the lack of security is not obvious if you don't happen to have some background knowledge.
> I still wouldn't call it " hacked" - there is nothing to hack, everything seems wide open.



Oh, it's hacked, all right. It only seems open to you because you know what's involved in securing something like this. The average non-technical person, though...well, that just anybody can do anything with and to the camera without so much as a "May I?" or leaving a trace, that'll come as quite a shock.

And, if you watch the video, you'll see that the camera does have a bit of superficial obfuscation that will appear to a non-technical person exactly identical to full security. There're passwords, you have to "pair" with the camera, that sort of thing. Nothing even hints to the end user that none of these are any more substantial than the stanchion rope at the movie theatre.

Cheers,

b&


----------



## cayenne (Mar 26, 2013)

*EOS-1DX: Can be hacked into a spying device?*

Interesting article, about all the wifi we're putting into cameras, or the SD cards you can put in them (like Eye-fi)...and they appear to generally not be secure.

http://www.net-security.org/secworld.php?id=14651

It seems we're in a hurry in the world to make everything wireless, from medical devices to cameras...yet, the time isn't being taken to secure or encrypt the transmissions. Your own camera spying on you? Remote control heart attack by messing with someones pacemaker?

Anyway...thought it was interesting...food for thought.

cayenne


----------



## Skirball (Mar 26, 2013)

*Re: EOS-1DX: Can be hacked into a spying device?*



cayenne said:


> It seems we're in a hurry in the world to make everything wireless, from medical devices to cameras...yet, the time isn't being taken to secure or encrypt the transmissions. Your own camera spying on you? Remote control heart attack by messing with someones pacemaker?



You need to stop watching so much Homeland and crime dramas. And yes, I've read the articles and the crap spewed by Barnaby Jack, it's still just fodder for sensationalists.


----------



## cayenne (Mar 26, 2013)

TrumpetPower! said:


> I'm not surprised. It doesn't even occur to people, even many computer programmers, that some random device needs any kind of security when you connect it to the Internet. I mean, who's going to want to hack a camera?



This is happening to a lot of things. Like I'd mentioned in my post, medical instrumentation for instance, those wireless signals are sent in the clear, and can be read, intercepted or corrupted by anyone with a little tech savvy.

And there is often the larger question of why.....because it *CAN* be done. If it is out there, someone will want to get into it, and often they will be up for finding new and 'creative' ways to use that access.

C


----------



## rpt (Mar 26, 2013)

I have a simple strategy for somebody trying to hijack my camera: I did not buy the 1DX. I got the 5D3!


----------



## TrumpetPower! (Mar 26, 2013)

rpt said:


> I have a simple strategy for somebody trying to hijack my camera: I did not buy the 1DX. I got the 5D3!



Well, in fairness, the two are equally hackable. You need an expensive doohickey to enable WiFi on either. Granted, you don't need a doohickey to connect the 1DX to ethernet but you do for the 5DIII, but it's rare for people to physically plug into an insecure network these days. Not that it's a good idea to depend on the security of the network, of course!

But, anyway. My suggestion is to leave all networking of any kind completely turned off unless you have a known-secure physical environment...and that's _very_ rare as far as wireless goes.

In the mean time, if you really need to wirelessly get the pictures to your editor, use a card reader on your laptop. And if you need to remotely control your camera for anything more than infrared shutter release, do it with a single wire physically connecting your camera to the remote control.

It's not as convenient as wireless, sure...but getting hacked is much more inconvenient still.

And, yes. There are people who'll randomly search for anything hackable within range. They won't target you; they'll just get their kicks screwing you over because they can and they like feeling superior as they teach a lesson to those stupid idiots dumb enough to connect a camera to a publicly-accessible network.

Been there, done that, didn't get the T-shirt. Not with cameras, obviously, but with a couple computers a decade and more ago. Believe me, it's not fun, not something you want to clean up after, and nowhere worth the convenience of not having to stretch a wire between your computer and the camera.

Cheers,

b&


----------



## c.d.embrey (Mar 26, 2013)

I love paranoia!! Everything is a disaster just waiting to happen. The internet is great for passing along dis-information and fueling paranoia ... gota love the 'net.

!. Photo Journalists use their smart-phones, *not public WiFi*, to do their up-loading. *Not a problem for a pro.* If your not a pro I'm sure your milage does vary 

2. My GoPro Hero3 has a name (to control multiple cameras) and is password protected. WOW, such Hi-Tech in a $400.00 camera.


----------



## TrumpetPower! (Mar 26, 2013)

c.d.embrey said:


> I love paranoia!! Everything is a disaster just waiting to happen. The internet is great for passing along dis-information and fueling paranoia ... gota love the 'net.



Mr. Pot, please to meet Mr. Kettle.



> !. Photo Journalists use their smart-phones, *not public WiFi*, to do their up-loading. *Not a problem for a pro.* If your not a pro I'm sure your milage does vary



If you bothered to watch the video, you'd have seen where they showed, for example, a Reuters pool advertisement with most of the cameras with the WiFi module attached. I don't even know how you'd get the pictures from your camera to your smart phone, or why you'd bother.



> 2. My GoPro Hero3 has a name (to control multiple cameras) and is password protected. WOW, such Hi-Tech in a $400.00 camera.



Again, if you had bothered to watch the video, you'd have seen that, yes, the Canon cameras have a "username" and a "password." And a "session ID" and all sorts of other things that, by their names, you'd nominally think would offer security. Thing is, as one would expect from a company that's not yet been publicly burned by a lapse in security, it's all so much window dressing that doesn't even pretend, behind the scenes, to actually do anything to secure the camera.

I have no clue if the GoPro is any better or worse in this regard. If I had to guess, I'd suggest it's probably about the same.

And this isn't at all paranoia. There is a very long history of all sorts of nasty things happening from lack of security. Hell, it was even a major news story a few years back when poor security caused a vice presidential candidate to lose control over her email account, and there's constant stories of somebody famous's cell phone being hacked and the contact list making the news in the tabloids, all those sorts of things.

The only reason the tabloids aren't using this to steal photos off of each others's cameras is because it's so new that cameras have their own built-in WiFi hotspots that it's only now that it's occurring to people that maybe they haven't been secured.

I wouldn't at all be surprised if there's a story that makes the evening news sometime in the next six months about a camera being hacked using the exact flaws the researchers in the video have discovered. Probably sooner, now that the cat's out of the bag.

One thing I can guarantee you: no way, no how does Pete Souza have WiFi turned on on any of his cameras today.

Cheers,

b&


----------



## Skirball (Mar 26, 2013)

TrumpetPower! said:


> I wouldn't at all be surprised if there's a story that makes the evening news sometime in the next six months about a camera being hacked using the exact flaws the researchers in the video have discovered. Probably sooner, now that the cat's out of the bag.



Would that be before, or after, the piece on the waterskiing squirrel?


----------



## c.d.embrey (Mar 26, 2013)

TrumpetPower! said:


> If you bothered to watch the video, ...



Not a valid address.



> Again, if you had bothered to watch the video,..



Again, not a valid address.

Have a nice say


----------



## cayenne (Mar 26, 2013)

*Re: EOS-1DX: Can be hacked into a spying device?*



Skirball said:


> cayenne said:
> 
> 
> > It seems we're in a hurry in the world to make everything wireless, from medical devices to cameras...yet, the time isn't being taken to secure or encrypt the transmissions. Your own camera spying on you? Remote control heart attack by messing with someones pacemaker?
> ...



Hmm...I've never seen Homeland, and I'm going to have to Google who Barnaby Jack is after I post this....

But I do work in tech, and I do have work in the security areas, and know a bit about penetration testing. This all isn't just sensationalism.

C


----------



## TrumpetPower! (Mar 26, 2013)

c.d.embrey said:


> TrumpetPower! said:
> 
> 
> > If you bothered to watch the video, ...
> ...



Sorry 'bout that. The Canon Rumors forum does weird things to links. I've just fixed it, but you also could have copy / pasted the text of the link....

b&


----------



## Rienzphotoz (Mar 26, 2013)

Interesting, thanks for sharing ... but, if I am not wrong, I don't think most photographers would be concerned with it.
I use 5D MK III with CamRanger for my WiFi needs and it is secured with a password, so me not worried ;D


----------



## bvukich (Mar 26, 2013)

Correct video link:
Shmoocon 2013 - Paparazzi Over IP


----------



## cayenne (Mar 27, 2013)

Rienzphotoz said:


> Interesting, thanks for sharing ... but, if I am not wrong, I don't think most photographers would be concerned with it.
> I use 5D MK III with CamRanger for my WiFi needs and it is secured with a password, so me not worried ;D


Well, I'm curious if that password makes for an encrypted connection...or not?

If not, would be trivial to do a man-in-the-middle attack, and gain info and access....


----------

