Researchers show how easy it is to inject a DSLR camera with ransomware

Hackers can encrypt a camera using just a Wi-Fi connection, demo shows

Hacked camera

Researchers have developed a working exploit that allows ransomware to be remotely deployed on DSLR cameras, encrypting all photos on an inserted SD card.

The attack was demonstrated on a Canon EOS 80D and can be performed over both USB and Wi-Fi if a victim was connected to an unsecured public network.

Ransomware can take over a modern DSLR by exploiting the popular Picture Transfer Protocol (PTP) which is used by cameras for a whole host of tasks such as image transfer, taking live pictures and even updating the camera's firmware.

The protocol is an attacker's delight because it's both unauthenticated and supports "dozens of different complex commands," researcher Eyal Itkin of Check Point said in a blog post.

Check Point chose to target the Canon EOS 80D due to Canon's dominance in the DSLR space (controlling more than 50% of the market) and the fact it supports both Wi-Fi and USB.

Canon also has an extensive modding community called Magic Lantern, meaning some initial exploration of the camera's firmware has already been conducted by its users.

"Attackers are profit-maximisers, they strive to get the maximum impact (profit) with minimal effort (cost)," said Itkin. "In this case, research on Canon cameras will have the highest impact for users, and will be the easiest to start, thanks to the existing documentation created by the ML community."

This form of ransomware distribution could be especially lucrative to attackers due to the high sentimental value people place on photos. People may be more likely to pay out the attacker's ransom demands to preserve cherished memories.

The attack could be particularly effective in tourist hotspot areas where potential victims are connected to the same unsecured Wi-Fi networks as the attackers. The researchers show how quickly a camera could be infected in the video below, complete with a typical ransomware splash page - just like on a PC.

"Chaining everything together requires the attacker to first set-up a rogue WiFi Access Point," said Itkin. "This can be easily achieved by first sniffing the network and then faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit."

Exploiting PTP is nothing new. At the Hack in the Box 2013 security conference, researcher Daniel Mende showed how it could be leveraged to access a camera, but Check Point are thought to be the first to show that malware can be deployed using this method.

Canon released a patch for the issue along with a security advisory last week.

Although the exploit was only proven using a Canon camera, "due to the complexity of the protocol, we do believe that other vendors might be vulnerable as well, however it depends on their respective implementation," Itkin told The Verge.

"This is an interesting vulnerability. It does, however, require the victim to be connected to a rogue wifi hotspot which limits the attacker to being in close physical proximity to the intended victim," said Javvad Malik, security awareness advocate at KnowBe4.

"For some, having ransomware on their camera may be little more than a minor inconvenience where a memory card needs to be discarded," he added. "The impact to a professional photographer, like a journalist, or wedding photographer would be significant - so those professionals should be taking extra precautions regardless of this particular vulnerability."

Ransomware has seen somewhat of a resurgence in 2019, according to figures from SonicWall in July.

Attacks of this type on UK businesses fell in early 2019 but had surged 195% by the second half of the year - 6.4 million cases in total.

Elsewhere, two Floridian towns paid ransoms to regain control of their municipal systems which, when combined, cost more than $1 million. Baltimore was also attacked a month earlier.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Best ransomware removal tools
Security

Best ransomware removal tools

17 Nov 2020
Survey finds web app attacks are up 800% compared to 2019
Security

Survey finds web app attacks are up 800% compared to 2019

23 Nov 2020
Digital Shadows’ context-based security alerts expand sensitive doc management
Security

Digital Shadows’ context-based security alerts expand sensitive doc management

23 Nov 2020
More than half of businesses saw rising fraud levels this year
Security

More than half of businesses saw rising fraud levels this year

23 Nov 2020

Most Popular

Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020