Canon cameras can be easily turned into surveillance devices
Imagine journalists after a press conference. They’re trying to remotely upload the pictures they’ve taken with their high-end cameras from their hotel or a coffee shop by using the public Wi-Fi connection. While they enjoy the benefits of their professional cameras, hackers may be lurking. They might be trying to steal photographs, upload their own onto the camera, or they might even be trying to abuse the device for surveillance purposes.
This isn’t a James Bond movie. According to Daniel Mende from ERNW, this is a highly plausible scenario.
In his presentation at the Hack in the Box 2013 Amsterdam security conference, the expert demonstrated that design flaws in Canon EOS-1DX cameras, and possibly other models from other vendors, can be exploited for a wide range of attacks.
Many professional-grade cameras, such as Canon’s EOS-1DX, allow users to easily transfer the pictures they take to the Web via a built-in Ethernet port or via an attachable Wireless File Transmitter (WFT).
According to Mende, journalists from top media organizations such as Reuters are currently utilizing Canon EOS-1DX, which means that there are plenty of potential targets out there.
So how do the attacks work?
Canon EOS-1DX has four communication modes: FTP Upload, DLNA (Digital Living Network Alliance), a built-in webserver, and the EOS Utility. Mende has identified a way to leverage each of them for an attack.
For instance, the FTP Upload mode can be utilized to upload the photographs to a server that’s configured on the camera.
However, since the traffic is unencrypted, it can be easily sniffed. This includes the uploaded pictures and even the FTP credentials that are transmitted in clear text.
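A defensive check for the cleartext FTP exposure described above, as an added example that is not from the article or from Mende's presentation: it audits a reassembled FTP control-channel transcript from your own upload setup and reports whether credentials or transfers crossed the wire before a TLS upgrade was accepted. The transcripts, the account name and the function name `audit_ftp_control` are constructed for illustration.

```python
import re

LINE = re.compile(r"^([CS]):\s*(\S+)\s*(.*)$")

# Constructed control-channel transcripts (C: client, S: server), as they would
# look after reassembling a capture of your own camera's upload session.
SAMPLE_PLAIN = """\
S: 220 upload server ready
C: USER photodesk
S: 331 Password required
C: PASS example-passphrase
S: 230 Logged in
C: STOR IMG_0001.JPG
"""
SAMPLE_TLS_REFUSED = """\
C: AUTH TLS
S: 502 Command not implemented
C: USER photodesk
C: PASS example-passphrase
"""
SAMPLE_TLS_OK = "S: 220 ready\nC: AUTH TLS\nS: 234 Proceed with negotiation\n"


def audit_ftp_control(transcript):
    """Return (finding, detail) tuples for one FTP control connection."""
    findings, awaiting_auth_reply, tls = [], False, False
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        side, word, arg = m.group(1), m.group(2).upper(), m.group(3)
        if side == "S":
            if awaiting_auth_reply:            # reply to the client's AUTH TLS
                tls = word.startswith("234")   # 234 = server accepts TLS upgrade
                if not tls:
                    findings.append(("auth-refused", word))
                awaiting_auth_reply = False
        elif word == "AUTH":
            awaiting_auth_reply = True
        elif not tls and word == "USER":
            findings.append(("cleartext-user", arg))
        elif not tls and word == "PASS":       # never echo the secret itself
            findings.append(("cleartext-password", "<redacted, %d chars>" % len(arg)))
        elif not tls and word in ("STOR", "RETR"):
            findings.append(("cleartext-transfer", arg))
    return findings


if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_TLS_REFUSED", "SAMPLE_TLS_OK"):
        print(name, audit_ftp_control(globals()[name]))
```

Any finding means that anyone on the same network segment could read that item, which is the reason for the advice to use the camera's network functions only on trusted networks.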
For the DLNA mode, UPnP is utilized for discovery and HTTP and XML are used to access the media. The problem is that there is no authentication system and that there are no restrictions, so any DLNA client can download the images.
The WFT Server mode, or the built-in webserver, allows users to view and download images remotely via browsers. With this mode, the issue is that the authentication is not very sophisticated and the credentials can be easily extracted.
The session cookies used in the WFT server mode can be obtained with a 20-minute brute force attack.
The EOS Utility mode, on the other hand, can be exploited for even more interesting things. Mende has found that the EOS Utility – which users install on their computers to control all the camera’s non-manual functions remotely – can allow an attacker to hijack the camera and use it for live streaming.
When the EOS Utility is utilized, the camera needs to be paired with the software via multicast Domain Name System (mDNS).
For this attack method to work, the attacker must listen for the device on mDNS, and deobfuscate the authentication data. Next, the attacker must disconnect the already connected client because the camera allows only one connection.
The final step is to connect to the camera via PTP/IP (Picture Transfer Protocol). Once this is done, the device is at the attacker’s mercy.
“This camera is really a surveillance device,” Mende noted.
Unfortunately, there’s not much users can do to protect themselves against such attacks, but the expert has a couple of suggestions: enabling the camera’s network functionality only on trusted networks, and using a secure passphrase to protect this trusted connection.
Mende’s work has focused on Canon EOS-1DX, but more recent Canon models could be even more tempting for cybercriminals. For instance, Canon’s new consumer-grade EOS 6D comes with a built-in Wireless Access Point, and even a communication protocol for iOS and Android applications.
The researcher has tried to contact Canon regarding the vulnerabilities he has discovered, but he says the company hasn’t been too keen to cooperate.
“I haven’t found anyone at Canon who wanted to listen to me,” Mende said during his presentation.
Daniel Mende’s complete presentation, containing additional technical details, is available here.