Researchers show how easy it is to inject a DSLR camera with ransomware

Hackers can encrypt a camera using just a Wi-Fi connection, demo shows

Hacked camera

Researchers have developed a working exploit that allows ransomware to be remotely deployed on DSLR cameras, encrypting all photos on an inserted SD card.

The attack was demonstrated on a Canon EOS 80D and can be performed over both USB and Wi-Fi if a victim was connected to an unsecured public network.

Ransomware can take over a modern DSLR by exploiting the popular Picture Transfer Protocol (PTP) which is used by cameras for a whole host of tasks such as image transfer, taking live pictures and even updating the camera's firmware.

The protocol is an attacker's delight because it's both unauthenticated and supports "dozens of different complex commands," researcher Eyal Itkin of Check Point said in a blog post.

Check Point chose to target the Canon EOS 80D due to Canon's dominance in the DSLR space (controlling more than 50% of the market) and the fact it supports both Wi-Fi and USB.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Canon also has an extensive modding community called Magic Lantern, meaning some initial exploration of the camera's firmware has already been conducted by its users.

"Attackers are profit-maximisers, they strive to get the maximum impact (profit) with minimal effort (cost)," said Itkin. "In this case, research on Canon cameras will have the highest impact for users, and will be the easiest to start, thanks to the existing documentation created by the ML community."

This form of ransomware distribution could be especially lucrative to attackers due to the high sentimental value people place on photos. People may be more likely to pay out the attacker's ransom demands to preserve cherished memories.

The attack could be particularly effective in tourist hotspot areas where potential victims are connected to the same unsecured Wi-Fi networks as the attackers. The researchers show how quickly a camera could be infected in the video below, complete with a typical ransomware splash page - just like on a PC.

"Chaining everything together requires the attacker to first set-up a rogue WiFi Access Point," said Itkin. "This can be easily achieved by first sniffing the network and then faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit."

Advertisement - Article continues below

Exploiting PTP is nothing new. At the Hack in the Box 2013 security conference, researcher Daniel Mende showed how it could be leveraged to access a camera, but Check Point are thought to be the first to show that malware can be deployed using this method.

Canon released a patch for the issue along with a security advisory last week.

Although the exploit was only proven using a Canon camera, "due to the complexity of the protocol, we do believe that other vendors might be vulnerable as well, however it depends on their respective implementation," Itkin told The Verge.

"This is an interesting vulnerability. It does, however, require the victim to be connected to a rogue wifi hotspot which limits the attacker to being in close physical proximity to the intended victim," said Javvad Malik, security awareness advocate at KnowBe4.

"For some, having ransomware on their camera may be little more than a minor inconvenience where a memory card needs to be discarded," he added. "The impact to a professional photographer, like a journalist, or wedding photographer would be significant - so those professionals should be taking extra precautions regardless of this particular vulnerability."

Advertisement
Advertisement - Article continues below

Ransomware has seen somewhat of a resurgence in 2019, according to figures from SonicWall in July.

Advertisement - Article continues below

Attacks of this type on UK businesses fell in early 2019 but had surged 195% by the second half of the year - 6.4 million cases in total.

Elsewhere, two Floridian towns paid ransoms to regain control of their municipal systems which, when combined, cost more than $1 million. Baltimore was also attacked a month earlier.

Featured Resources

Transform the operator experience with enhanced automation & analytics

Bring networking into the digital era

Download now

Artificially intelligent data centres

How the C-Suite is embracing continuous change to drive value

Download now

Deliver secure automated multicloud for containers with Red Hat and Juniper

Learn how to get started with the multicloud enabler from Red Hat and Juniper

Download now

Get the best out of your workforce

7 steps to unleashing their true potential with robotic process automation

Download now
Advertisement

Recommended

Visit/security/29204/how-can-you-protect-your-business-from-crypto-ransomware
Security

How can you protect your business from crypto-ransomware?

4 Nov 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/security/vulnerability/354309/patch-issued-for-critical-windows-bug
vulnerability

Patch issued for critical Windows bug

11 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354193/buy-it-to-grow-not-slow-your-business
Sponsored

Buy IT to grow, not slow, your business

25 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019