# Canon issues a security advisory for PTP equipped EOS DSLRs, EOS mirrorless and PowerShot cameras



## Canon Rumors Guy (Aug 11, 2019)

> From Canon:
> An international team of security researchers has drawn our attention to a vulnerability related to communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates.
> (CVE-ID: CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001)
> Due to these vulnerabilities, the potential exists for a third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network.
> ...





----------



## Chaitanya (Aug 11, 2019)

It's a very common protocol, and I hope other manufacturers using it also issue an update.


----------



## M. D. Vaden of Oregon (Aug 11, 2019)

An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.


----------



## Antono Refa (Aug 11, 2019)

M. D. Vaden of Oregon said:


> An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.



Whoever hacked the f*pening nudes didn't target any specific person. Rather, he hacked backups en masse, then picked those photos that interested him.


----------



## LDS (Aug 11, 2019)

Photoreporters could be hacked to try to understand what they shoot and when - there have been reports about spyware, even some that should be available to law enforcement agencies only, being used to track and spy on journalists and activists.

It's good Canon is going to patch even older models to fix the issues.


----------



## PGSanta (Aug 11, 2019)

Sweet. Maybe this means we’ll see focus bracketing on an R sooner.


----------



## pixel8foto (Aug 12, 2019)

M. D. Vaden of Oregon said:


> An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.



Most people's photos are special to the photographer. Think about your cousin's precious holiday snaps, locked out by ransomware. How many Bitcoins to get them back x 1,000 cameras to be worthwhile in a wider attack?

Users' and makers' privacy, security and reputations are all at stake. 

I don't get how such a vulnerability can - or should - ever be a "nothing-burger".


----------



## Ozarker (Aug 12, 2019)

I suspect Sony's paid trolls.


----------



## hollybush (Aug 12, 2019)

M. D. Vaden of Oregon said:


> An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.



If the camera is known to move from a public network to a private network, it can be used as a vector to infiltrate the private network.

E.g. a foreign government uses hotel wifi in their capital city to infect Canon cameras of visiting journalists. The journalists return home with the camera, and use it on the internal network of their newspaper/agency. The camera contains a virus which is now behind the media organisation's firewall and proceeds to exfiltrate information or disrupt operations.


----------



## KrisK (Aug 12, 2019)

Could this have been accomplished without Magic Lantern?


----------



## brianboru (Aug 12, 2019)

https://threatpost.com/hack-of-a-canon-eos-80d-dslr/147214/

Worth reading. This hack was specific to Canon but: _The researcher wrote, in a technical paper released Sunday, that PTP is a ripe target, given it is an unauthenticated protocol that supports dozens of different complex commands. “[A] vulnerability in PTP can be equally exploited over USB and over Wi-Fi."_

Be *thankful* Canon was tested by a black hat and that Canon had some time and a willingness to release patches. Now that the vector is out, there are going to be more than researchers poking around other's implementations of PTP.


----------



## brianboru (Aug 12, 2019)

KrisK said:


> Could this have been accomplished without Magic Lantern?


Yes. Was this particular round? No.

I found the researcher's article finally: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/



> *Introducing our target*
> We chose to focus on Canon’s EOS 80D DSLR camera for multiple reasons, including:
> 
> 
> ...


----------



## KrisK (Aug 12, 2019)

brianboru said:


> Yes. Was this particular round? No.
> 
> I found the researcher's article finally: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/



Thanks. This bit is troubling:



> Attackers are profit-maximisers, they strive to get the maximum impact (profit) with minimal effort (cost). In this case, research on *Canon cameras will have the highest impact for users, and will be the easiest to start, thanks to the existing documentation created by the ML community.*



While I admire the enthusiasm of the ML community, this quote suggests that ML's efforts have now yielded unintended consequences affecting NON-users of ML.


----------



## cayenne (Aug 12, 2019)

KrisK said:


> Thanks. This bit is troubling:
> 
> 
> 
> While I admire the enthusiasm of the ML community, this quote suggests that ML's efforts have now yielded unintended consequences affecting NON-users of ML.




Well, the old saying about not having security through obscurity stands.

You should not depend on insecure protocols and systems by just not documenting them.

If they are there, someone will find them. While the camera is not the most critical vector in the world, this applies to ALL types of systems; think medical devices, they're constantly finding unsecured wireless protocols for things like pacemakers, insulin pumps, etc....

The trouble is, you have people designing systems for things like these and cameras, and aren't hiring on the proper people to make sure these protocols are secure.

I work in IT....and I'm still of the mind that just because most everything CAN be networked, wireless and connected to the internet....most things should NOT be.

Doing so, just opens you up to security exploits, and while networking things does give some convenience....is it really worth it?

Just my $0.02,

C


----------



## LDS (Aug 12, 2019)

Correct. Anyway they used ML tools to ease their research, but we really don't know if Canon firmware or encryption keys leaked in some other, unknown, ways. 

Usually this detailed information is released only when fixed software is available, but Canon doesn't look to have made new firmware available worldwide yet.


----------



## bsbeamer (Aug 12, 2019)

Will be interesting to see how the 5D4 update is handled. As someone who paid to upgrade to C-LOG, I wasn't able to download or install the EOS 5D Mark IV Firmware Version 1.1.2 update. Have been "stuck" without a firmware update since that upgrade.


----------



## melgross (Aug 12, 2019)

For those who think it’s “boring” to hackers because nothing useful seems to be accomplished, though others have shown that this may not be true, remember that there are still plenty of hackers out there who do it just to mess with people, and make their lives more difficult.

To those hackers, that’s enough of a reward.


----------



## Don Haines (Aug 12, 2019)

M. D. Vaden of Oregon said:


> An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.


An attack on a camera is nothing. It is just noise.

Until you just shot a wedding and have to pay lots of money to (maybe) get those images back..... or you lost those pictures of your kid’s championship game, or your parents 50th anniversary when 50 relatives showed up for the surprise party......

No, this isn’t a big thing, this is a *HUGE*  thing!

As a professional, you cannot risk this. My cameras have WiFi and Bluetooth turned off until the updates are installed.


----------



## brianboru (Aug 13, 2019)

LDS said:


> Correct. Anyway they used ML tools to ease their research, but we really don't know if Canon firmware or encryption keys leaked in some other, unknown, ways.
> 
> Usually this detailed information is released only when fixed software is available, but Canon doesn't look to have made new firmware available worldwide yet.



The researchers did eventually find the keys but ML did not leak them, a quote from the article: "_Being open-source, we hoped that ML would somehow publish this encryption key, allowing us to decrypt the firmware on our own. Unfortunately, that turned out not to be the case. Not only does ML intentionally keep the encryption key secret, we couldn’t even find the key anywhere in the internet. Yet another dead end._"

"Usual" black-hat "policy" is to wait till a solution is published or two months if the company is blowing you off. It seems like the former, although they may have rushed it by a day or two to present at a conference.

I agree it's a big deal but it's better to have it done by a black-hat than the next round, probably looking at other brands, that won't be. Search for "security by obscurity" and you will find many resources on why that is a bad idea.


----------



## hollybush (Aug 13, 2019)

brianboru said:


> I found the researcher's article finally: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/



That makes horrifying reading:

- even if the implementation were correct, the *design* of PTP is broken because it apparently allows modification of the camera firmware without user interaction. It's hard to imagine how anyone ever thought that was a good idea. Fix would be to always prompt for confirmation on the camera LCD, no matter what the PTP standard says.

- instead of using a public/private key pair to check for firmware signing, they used symmetric encryption, so that the key needed to make fake firmware is embedded in every camera (security through obscurity, which the Magic Lantern people have already penetrated).

I wish I could say I was surprised at the reported incompetence, but having read the DCF and EXIF standards and observed the endless propagation of incompatible non-self-describing raw formats from Japanese camera manufacturers, I'm not.
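
To make the second point above concrete, here is an added example (mine, not code from this thread, from Check Point or from Canon) contrasting the two designs. It stands in for the symmetric scheme with HMAC-SHA256, since the argument depends only on where the verification key has to live, not on the primitive (an AES-based check has the same property); the asymmetric side uses Ed25519. The "firmware images" and all keys are constructed inline. The scenario is an attacker who has dumped the camera's ROM and therefore holds exactly the bytes the camera holds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for a vendor firmware image and an attacker's image.
var (
	genuineImage   = []byte("constructed sample: vendor firmware image 1.0.3")
	maliciousImage = []byte("constructed sample: attacker-built image")
)

// symmetricTag models any check built on a shared secret (HMAC here): producing
// a valid tag needs the same key that verifying it needs.
func symmetricTag(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

func symmetricVerify(keyInCamera, image, tag []byte) bool {
	return hmac.Equal(symmetricTag(keyInCamera, image), tag)
}

// The asymmetric alternative: the vendor signs with a private key that never
// leaves its build infrastructure; the camera stores only the public key.
func asymmetricVerify(pubInCamera ed25519.PublicKey, image, sig []byte) bool {
	return ed25519.Verify(pubInCamera, image, sig)
}

// Outcome records what each verifier accepts once an attacker has dumped the
// camera ROM and therefore holds every byte the camera holds.
type Outcome struct {
	SymmetricGenuineAccepted  bool
	SymmetricForgeryAccepted  bool
	AsymmetricGenuineAccepted bool
	AsymmetricForgeryAccepted bool
}

func RunScenario() (Outcome, error) {
	var out Outcome

	// Symmetric design: the verification key has to be burned into every unit.
	sharedKey := make([]byte, 32)
	if _, err := rand.Read(sharedKey); err != nil {
		return out, err
	}
	out.SymmetricGenuineAccepted = symmetricVerify(sharedKey, genuineImage, symmetricTag(sharedKey, genuineImage))

	keyFromRomDump := sharedKey // identical bytes: the camera cannot verify without them
	forgedTag := symmetricTag(keyFromRomDump, maliciousImage)
	out.SymmetricForgeryAccepted = symmetricVerify(sharedKey, maliciousImage, forgedTag)

	// Asymmetric design: the ROM dump yields only the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	genuineSig := ed25519.Sign(priv, genuineImage)
	out.AsymmetricGenuineAccepted = asymmetricVerify(pub, genuineImage, genuineSig)

	// Without the private key the attacker can only replay the vendor's
	// signature over different bytes or sign with a key the camera does not trust.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	out.AsymmetricForgeryAccepted = asymmetricVerify(pub, maliciousImage, genuineSig) ||
		asymmetricVerify(pub, maliciousImage, ed25519.Sign(attackerPriv, maliciousImage))
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The result is deterministic regardless of the random keys: the forged image passes the symmetric check and fails the asymmetric one. Extracting the key from a ROM dump is a complete break of the symmetric design, while the public key in a ROM dump is of no use for forging, which is why firmware signing is done with a key pair.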


----------



## TomDibble (Aug 13, 2019)

brianboru said:


> The researchers did eventually find the keys but ML did not leak them, a quote from the article: "_Being open-source, we hoped that ML would somehow publish this encryption key, allowing us to decrypt the firmware on our own. Unfortunately, that turned out not to be the case. Not only does ML intentionally keep the encryption key secret, we couldn’t even find the key anywhere in the internet. Yet another dead end._"
> 
> "Usual" black-hat "policy" is to wait till a solution is published or two months if the company is blowing you off. It seems like the former, although they may have rushed it by a day or two to present at a conference.
> 
> I agree it's a big deal but it's better to have it done by a black-hat than the next round, probably looking at other brands, that won't be. Search for "security by obscurity" and you will find many resources on why that is a bad idea.



Just a quick note on terminology (and apologies if this was already corrected in the ensuing pages of replies I haven't gotten to yet). You are describing "white hat" (or "ethical") hackers. "Black hats" are those who have now been alerted to this PTP flaw and will be working to make money off it rather than report it to Canon.

"White" vs "black" hats refer to the old cowboy movie custom where the "good guys" always (or at least frequently) wore light-colored cowboy hats, and the "bad guys" would wear dark-colored hats. A white-hat hacker is using the tools of hacking but with the goal of closing any weakness they find rather than exploiting it.









White Hat vs. Black Hat Hackers and The Need For Ethical Hacking (www.clearpathit.com)


----------



## TomDibble (Aug 14, 2019)

A few notes from reading the write-up and my memory of the 80D settings (aided slightly by the 80D manual I have in front of me unlike my camera which is at home).


The WiFi attack hinges on spoofing an access point. That immediately got my notice because I have never connected my camera to an access point; instead I connect my phone to my camera (with the camera itself acting as the access point). At least that is how it appears when I'm remote at a softball field and want to review some shots on a better screen than the one on the back of the 80D (aside: that is just an atrocious quality LCD, with horrible color gamut and brightness controls). Is Canon's software instead somehow making my iPhone act as an access point and then the camera automatically connecting to that???
Checking the 80D manual, the mode where the camera connects to an access point is called "Advanced Connection", unlike "Easy Connection" which is what the phone app and lazy consumerish folks like me would follow instead.
In "Easy Mode" one particularly insecure mode is the NFC triggering of a connection to a phone and picture transfer (presumably opening up a PTP session). Not having a phone with exposed NFC (I don't think Apple exposes the NFC interface to app developers), I have always had "Allow NFC Connections" unchecked. Presumably that stops an NFC phone from auto-connecting at all, not later on in the PTP communications, but I haven't verified. In any case, NFC is generally pretty short-range so triggering that would take a bit more of a personal touch by a hacker.
For the "Connect to Smartphone" side of Easy Connect, Camera Connect needs to be on the smartphone, similar to EOS Utility on the computer. Camera Connect verifies the WiFi connection (Phone as client of the camera), then acts as (presumably) a PTP client allowing for picture transfer, control, and presumably somewhere in there (since for some insane reason the PTP/IP folks decided this functionality should be in PTP/IP not just when you had a hard tethered connection to the camera) firmware updates (aside: the EOS 80D firmware is on 1.02 if I recall correctly. Firmware updates happen less than once in a blue moon: *there is no reason for them to be made seamless and interactionless!!!*). In any case, the actual connection is *made* using the phone's WiFi settings screen, by selecting the camera's broadcast SSID to connect to, and typing in (if it hasn't already been saved in your settings) the "encryption key". The manual doesn't appear to specify which version of WPA it is using here, but I would be surprised if it wasn't the most recent version which is relatively secure (more about that later) and also supported in the "advanced configuration" so they have the hardware for it.
Similarly, using "Easy Connect" with a computer, you also externally (from the EOS Utility software) make the WiFi connection with the computer as client to the camera's access point, secured using a (presumably WPA2) encryption key. Same thing with a printer using "PictBridge".
"Advanced Mode" is where things get dicey. Advanced mode is a tortuous process to set up connecting the camera to a network access point, including keying in the encryption key on a horrible on-screen "keyboard", and your phone/computer/printer/whatever to that same access point, and then use PTP pretty much completely unsecured over the network. _Because_ it is such a torturous process to set up, Canon "helps" you by (after the first time) doing it all for you the next time it sees that access point again. Canon supports connecting to pretty much any access point, no authentication even required.
In any mode, the Camera's WiFi chip allows for exactly one connection at a time. If your phone is connected, the camera can not accept a connection from another phone, nor connect to an access point (this appears to be a connection layer limitation, not a PTP limitation). *I am not sure if this limitation is unique to 80D or to all Canon WiFi implementations*. It would seem odd to allow multiple PTP connections at once since PTP has full camera control, but that is an application-layer limitation that likely still exposes security holes.
Spoofing an access point (depending on the complexity of the client, but especially given that Canon's security standards are laughably minimal, like using a 4-character session identifier for their web session in the 1D's network interface). If Canon's client is just connecting by broadcast SSID, anyone can spoof that. But even if it is connecting based on broadcast SSID and MAC address, that is almost child's play to spoof as well. The only thing the hacker needs to know is the SSID and (maybe) MAC address that the "real" access point broadcasts (which would be difficult in a mass attack, but trivial in most cases for targeted attacks).
Spoofing a client means breaking WPA2. Now, WPA2, like anything that's been around for years, does have known exploits. But they are not trivial to implement, and often require specific circumstances or don't allow for a full spoofed access attack (e.g., the KRACK attack allows primarily for eavesdropping on ongoing communications, not hijacking of a connection nor especially establishment of a whole new connection with full privileges).
It appears that the layers which have been breached are:

- Connection layer when using camera as a client connecting to an access point has been hacked (in Canon specifically, but I'd guess if any other manufacturer has a similar approach their implementation will likewise be hacked). Exploits here aren't "general purpose" unless you are in the habit of connecting your camera to "public" access points.
- Connection layer in the "easy" or "direct" modes has *not* (by all appearances at least) been hacked.
- PTP is not secure at all, which is scary for a line protocol which operates thousands of dollars worth of equipment and even allows easy escalation attacks by installing a hacked firmware on the device.
- The specific Canon firmware has several buffer overflow security bugs which have been identified by the CheckPoint group, which allow for exploits of PTP to do things which it wasn't designed to do, which allows for attacks even without hacking the firmware. Of course, PTP's base feature set includes replacing the firmware so from a base "attack surface" the PTP flaws don't even register. But, they allow a less sophisticated attacker to forge an attack (until Canon fixes the flaws, which I would hope, given the clear instructions from CheckPoint, they have already done over the weekend and are getting updates into the QA/release cycle as we speak ... but maybe I am imagining too much of a commitment to security on the part of Canon).
The *direct* targets of the exposed attack are people who use WiFi to connect to their home or business network, and from there use their computers/phones to connect to the camera. There are likely other attacks around this (that may well be found by black hats now that white hats have shone the spotlight in this direction) - the "direct connect" not being exploited hangs on the thin thread of the WPA2 connection from the phone not getting hacked (I have to say, again, how odd it is that there is essentially no application-layer security on the PTP/IP protocol; that is just way below acceptable industry standards), so we shouldn't feel invulnerable there either.

Okay, so where does that leave us?

I think obviously, the best security approach is always: *turn off any interface you are not using*. If you end up needing it later on, you'll be able to find it and turn it back on (even as horrible as Canon's UI is, these things are still discoverable with just a little patience). So, if you have WiFi on routinely, turn it off until you are actually going to use it. The risk here is huge: being able to install new firmware on a device is essentially "game over" in terms of security, because that new firmware could do anything imaginable (sit and wait until your card has over 1000 images before executing ransomware attack, or connect to open wifis and publish all photos on the device to an anonymous FTP site, etc). You should take precautions against this.

But, don't panic. A device with WiFi (and NFC) turned off does not have any of these WiFi vulnerabilities (obviously). The camera isn't useless, but you need to make sure you only turn WiFi on when you are using it, and turn it off immediately after. While you are actively using that WiFi connection - your camera is connected to a known good access point, or your phone is connected to the camera - no one else can exploit these vulnerabilities while that single-channel WiFi connection is in use by you. However, when you are done with the connection (to your phone, computer, etc), *turn the WiFi back off on the camera immediately*. I would go so far as turning that off to disconnect the phone rather than disconnecting the phone first. This attack takes literally seconds to complete per the proof of concept video (assuming that was in realtime), so you don't want to disconnect your phone, walk to the parking lot, and then turn off the camera wifi.
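
As an added example (mine, not the researchers' code and not Canon's), here is a parser for the first thing a PTP/IP client sends on the command channel, the Init Command Request, written from the public PTP/IP framing: a little-endian length and type header, then a 16-byte GUID, a null-terminated UTF-16LE friendly name and a protocol version. It shows two of the points made above: the session handshake carries nothing a camera could authenticate, and the peer controls every length field, so a handler has to bound them against the bytes it actually received and the buffer it copies into. The 64-byte name buffer, the GUID and the names are assumptions made for the example, not Canon values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// PTP/IP framing: 4-byte LE total length (header included), 4-byte LE type, payload.
const (
	headerLen             = 8
	pktInitCommandRequest = 0x01       // first packet a client sends on the command channel
	initProtocolVersion   = 0x00010000 // PTP/IP 1.0
	maxFriendlyNameBytes  = 64         // assumed size of the firmware's name buffer, not a Canon value
)

// ParsePacket validates the peer-supplied length field against what was actually
// received before slicing with it; copying "length" bytes into a fixed buffer on trust
// is the classic PTP overflow pattern.
func ParsePacket(buf []byte) (typ uint32, payload []byte, err error) {
	if len(buf) < headerLen {
		return 0, nil, errors.New("packet shorter than PTP/IP header")
	}
	length := binary.LittleEndian.Uint32(buf[0:4])
	typ = binary.LittleEndian.Uint32(buf[4:8])
	if length < headerLen || uint64(length) > uint64(len(buf)) {
		return 0, nil, fmt.Errorf("length field %d inconsistent with %d bytes received", length, len(buf))
	}
	return typ, buf[headerLen:length], nil
}

// InitCommandRequest is everything a PTP/IP client presents to open a session: a GUID it
// picks itself, a display name and a version. No field carries a credential.
type InitCommandRequest struct {
	GUID            [16]byte
	FriendlyName    string
	ProtocolVersion uint32
}

func ParseInitCommandRequest(p []byte) (InitCommandRequest, error) {
	var r InitCommandRequest
	if len(p) < 16 {
		return r, errors.New("init request shorter than GUID")
	}
	copy(r.GUID[:], p[:16])
	rest := p[16:]
	// Null-terminated UTF-16LE name: scan only the bytes held, bound by the target buffer.
	var units []uint16
	i := 0
	for ; i+1 < len(rest); i += 2 {
		u := binary.LittleEndian.Uint16(rest[i:])
		if u == 0 {
			break
		}
		units = append(units, u)
	}
	if i+1 >= len(rest) {
		return r, errors.New("friendly name is not null-terminated")
	}
	if len(units)*2 > maxFriendlyNameBytes {
		return r, fmt.Errorf("friendly name of %d bytes exceeds %d-byte buffer", len(units)*2, maxFriendlyNameBytes)
	}
	r.FriendlyName = string(utf16.Decode(units))
	if tail := rest[i+2:]; len(tail) >= 4 {
		r.ProtocolVersion = binary.LittleEndian.Uint32(tail[:4])
		return r, nil
	}
	return r, errors.New("protocol version missing")
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v), byte(v>>8)) }
func put32(b []byte, v uint32) []byte { return put16(put16(b, uint16(v)), uint16(v>>16)) }

// BuildInitCommandRequest produces the wire form so the parser can be run offline; any
// host on the network, legitimate or not, can send exactly this.
func BuildInitCommandRequest(guid [16]byte, name string, version uint32) []byte {
	payload := append([]byte(nil), guid[:]...)
	for _, u := range utf16.Encode([]rune(name)) {
		payload = put16(payload, u)
	}
	payload = put32(put16(payload, 0), version) // terminator, then version
	return append(put32(put32(nil, uint32(headerLen+len(payload))), pktInitCommandRequest), payload...)
}

func main() {
	var guid [16]byte
	copy(guid[:], "constructed-guid")
	for _, name := range []string{"phone", strings.Repeat("A", 100)} {
		_, payload, _ := ParsePacket(BuildInitCommandRequest(guid, name, initProtocolVersion))
		req, err := ParseInitCommandRequest(payload)
		fmt.Printf("%d-char name: parsed=%q err=%v\n", len(name), req.FriendlyName, err)
	}
	lying := BuildInitCommandRequest(guid, "phone", initProtocolVersion)
	binary.LittleEndian.PutUint32(lying[0:4], 0x10000) // claims 64 KiB, sends 40 bytes
	_, _, err := ParsePacket(lying)
	fmt.Println("lying length field:", err)
}
```

The two rejections in main (an oversized name and a length field claiming 64 KiB for a 40-byte frame) are inputs any unauthenticated peer can send at will, and the same PTP containers travel over USB and over Wi-Fi; nothing in the protocol stops them before the handler's own bounds checks, which is why those checks are the whole defence.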


----------



## Architect1776 (Aug 14, 2019)

M. D. Vaden of Oregon said:


> An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.



So you take that life time vacation you saved for and your camera is hacked and there is a demand to pay to get your photos. What are those photos worth? Nothing to joe stupid but to you who has a lot invested in getting them and most likely will never be able to do it again they are invaluable.
Photos of the baby's first steps mean nothing to the idiot yahoo but to the parents these are precious moments that cannot be repeated as they are the first steps not next weeks steps etc.
A pro is less likely to care as they have insurance etc. for failures, but for the rest of the world those one-time photos are invaluable and cannot ever be duplicated.


----------



## Architect1776 (Aug 14, 2019)

hollybush said:


> If the camera is known to move from a public network to a private network, it can be used as a vector to infiltrate the private network.
> 
> E.g. a foreign government uses hotel wifi in their capital city to infect Canon cameras of visiting journalists. The journalists return home with the camera, and use it on the internal network of their newspaper/agency. The camera contains a virus which is now behind the media organisation's firewall and proceeds to exfiltrate information or disrupt operations.



And we all know most pros worth hiring use Canon equipment so that is who will be attacked. Other camera makes are just on a mac at home that has no real value to sell internal access like a major corporation. Yes personal photos are very valuable to the individual and it is a terrible thing to pay a ransom for them if you can afford it to get those once in a lifetime photos back.


----------



## tron (Aug 14, 2019)

bsbeamer said:


> Will be interesting to see how the 5D4 update is handled. As someone who paid to upgrade to C-LOG, I wasn't able to download or install the EOS 5D Mark IV Firmware Version 1.1.2 update. Have been "stuck" without a firmware update since that upgrade.


Have a read at: Canon U.S.A., Inc. | Product Advisory Detail Page (www.usa.canon.com)





By reading it I deduce that you have to have your camera at 1.1.0 or greater before the C-Log upgrade. Then it is not affected and you upgrade firmware as usual. So if you are below this maybe you should visit Canon service (demanding that they will not charge again, of course). After that you will be able to upgrade with the 5DIV firmware and the process would leave C-Log as is. At least this is my interpretation of the above.


----------



## SaP34US (Aug 14, 2019)

What cameras does it affect? Is there currently a firmware update to combat the problem that can be downloaded to cameras?


----------



## photo212 (Aug 16, 2019)

M. D. Vaden of Oregon said:


> An "attack" on a camera? Sounds like a nothing-burger unless a photographer maybe has special images that could get lifted from the camera where the photos would have certain value. Otherwise such an "attack" on a camera sounds darn boring for a hacker to mess around with.


In another article I was reading earlier today, they called the hack "ransomware." So that boring hack could disable your camera until you pay some sort of ransom (bitcoins). Want another bite of your nothing-burger?


----------



## cayenne (Aug 16, 2019)

photo212 said:


> In another article I was reading earlier today, they called the hack "ransomware." So that boring hack could disable your camera until you pay some sort of ransom (bitcoins). Want another bite of your nothing-burger?



I was just thinking, if this hit you, sure you're gonna likely lose your images....reformat that card.

And as far as the camera, I would think refreshing the firmware would get it working again....?


----------



## YuengLinger (Aug 16, 2019)

Just another ploy to get us to update firmware that makes after-market batteries useless.


----------



## Valvebounce (Aug 17, 2019)

Hi Cayenne. 
And if they hide the firmware update menu and disable the USB port? 

Cheers, Graham. 



cayenne said:


> I was just thinking, if this hit you, sure you're gonna likely lose your images....reformat that card.
> 
> And as far as the camera, I would think refreshing the firmware would get it working again....?


----------



## photo212 (Aug 27, 2019)

cayenne said:


> I was just thinking, if this hit you, sure you're gonna likely lose your images....reformat that card.
> 
> And as far as the camera, I would think refreshing the firmware would get it working again....?


Yeah, good luck with that. Toss the card. Do not take any chances. As far as your camera goes, I'd think anyone going to the trouble of hijacking your camera's operating system has probably disabled all the menus, except theirs demanding the ransom and the ability to enter a code to free your system (then it's a good idea to reload the firmware).


----------

