Researchers show how easy it is to inject a DSLR camera with ransomware

Hackers can encrypt a camera using just a Wi-Fi connection, demo shows

Hacked camera

Researchers have developed a working exploit that allows ransomware to be remotely deployed on DSLR cameras, encrypting all photos on an inserted SD card.

The attack was demonstrated on a Canon EOS 80D and can be performed over both USB and Wi-Fi if a victim was connected to an unsecured public network.

Advertisement - Article continues below

Ransomware can take over a modern DSLR by exploiting the popular Picture Transfer Protocol (PTP) which is used by cameras for a whole host of tasks such as image transfer, taking live pictures and even updating the camera's firmware.

The protocol is an attacker's delight because it's both unauthenticated and supports "dozens of different complex commands," researcher Eyal Itkin of Check Point said in a blog post.

Check Point chose to target the Canon EOS 80D due to Canon's dominance in the DSLR space (controlling more than 50% of the market) and the fact it supports both Wi-Fi and USB.

Canon also has an extensive modding community called Magic Lantern, meaning some initial exploration of the camera's firmware has already been conducted by its users.

"Attackers are profit-maximisers, they strive to get the maximum impact (profit) with minimal effort (cost)," said Itkin. "In this case, research on Canon cameras will have the highest impact for users, and will be the easiest to start, thanks to the existing documentation created by the ML community."

Advertisement - Article continues below
Advertisement - Article continues below

This form of ransomware distribution could be especially lucrative to attackers due to the high sentimental value people place on photos. People may be more likely to pay out the attacker's ransom demands to preserve cherished memories.

The attack could be particularly effective in tourist hotspot areas where potential victims are connected to the same unsecured Wi-Fi networks as the attackers. The researchers show how quickly a camera could be infected in the video below, complete with a typical ransomware splash page - just like on a PC.

"Chaining everything together requires the attacker to first set-up a rogue WiFi Access Point," said Itkin. "This can be easily achieved by first sniffing the network and then faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit."

Exploiting PTP is nothing new. At the Hack in the Box 2013 security conference, researcher Daniel Mende showed how it could be leveraged to access a camera, but Check Point are thought to be the first to show that malware can be deployed using this method.

Advertisement - Article continues below

Canon released a patch for the issue along with a security advisory last week.

Although the exploit was only proven using a Canon camera, "due to the complexity of the protocol, we do believe that other vendors might be vulnerable as well, however it depends on their respective implementation," Itkin told The Verge.

"This is an interesting vulnerability. It does, however, require the victim to be connected to a rogue wifi hotspot which limits the attacker to being in close physical proximity to the intended victim," said Javvad Malik, security awareness advocate at KnowBe4.

"For some, having ransomware on their camera may be little more than a minor inconvenience where a memory card needs to be discarded," he added. "The impact to a professional photographer, like a journalist, or wedding photographer would be significant - so those professionals should be taking extra precautions regardless of this particular vulnerability."

Advertisement - Article continues below

Ransomware has seen somewhat of a resurgence in 2019, according to figures from SonicWall in July.

Attacks of this type on UK businesses fell in early 2019 but had surged 195% by the second half of the year - 6.4 million cases in total.

Elsewhere, two Floridian towns paid ransoms to regain control of their municipal systems which, when combined, cost more than $1 million. Baltimore was also attacked a month earlier.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



How can you protect your business from crypto-ransomware?

4 Nov 2019

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020
cyber attacks

Trump confirms US cyber attack on Russia election trolls

13 Jul 2020