#privacy: DSLR cameras can be hit by ransomware

Researchers have identified that DSLR cameras are vulnerable to ransomware attacks.

In a report by Check Point Software Technologies, researchers demonstrated how to remotely install malware on a digital DSLR camera. 

Security researcher Eyal Itkin, explained that the Picture Transfer Protocol (PTP) used by modern DSLR cameras to transfer digital images from the camera to a computer, is not encrypted or authenticated, and supports numerous different complex commands. 

Additionally a vulnerability in PTP can be exploited over both USB and WiFi, and with Wifi support, the cameras become more accessible to nearby attackers. 

In a video, Itkin demonstrated how a Canon EOS 8OD can be exploited over WiFi, whereby the researcher was able to remotely install malware on it. Itkin’s was able to encrypt all the photos on the camera’s SD thus preventing the owner gaining access to them. 

In a real attack, the owner would then see a message alerting them to pay a ransom in order to regain access to the photos. 

The researcher noted that DSLR cameras are an attractive target for attackers as photos often contain sentimental value for the owner. 

Following the findings, the vulnerabilities were reported to Canon in March, to which Canon confirmed the vulnerabilities in May and soon after published a patch as part of an official security advisory

Canon stated that there had been no confirmed cases of the vulnerabilities being exploited, but to prevent this from occurring, customers have been advised not to connect the camera to a PC or mobile device that is using an unsecure network, as well as not connecting the camera to a device that could be exposed to virus infections. 

Additionally Canon recommended disabling the camera’s network functions when they are not being used. 

Although Itkin only worked with a Canon device, he told The Verge that “due to the complexity of the protocol, we do believe that other vendors might be vulnerable as well, however it depends on their respective implementation.”

“Our research shows that any “smart” device, in our case a DSLR camera, is susceptible to attacks. The combination of price, sensitive contents, and wide-spread consumer audience makes cameras a lucrative target for attackers,” concluded Itkin in the report.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.