Wednesday, December 6, 2023

Multiple Bugs in Canon DSLR Camera Let Hackers Infect with Ransomware Over a Rouge WiFi Access Point

Researchers discovered multiple critical vulnerabilities in Picture Transfer Protocol (PTP) that allows attackers to infect the Canon DSLR camera with ransomware to encrypt the pictures and demand the ransom.

An attacker who is very close with the victim’s WiFi or already hijacked computers with the USB access could propagate them to infect the cameras with deadly malware and ransomware.

There was a period when most users connect their camera to their PC using a USB cable to share the captured data using PTP/USB protocol.

New digital camera models now support WiFi to transfer the files from the camera to the computer via PTP/IP that is accessible to every WiFi-enabled device.

Researchers from Checkpoint found 6 critical vulnerabilities in PTP protocol that allows an attacker to take over the camera and infected with the severe ransomware over the rogue WiFi access and unsecured network.

There are 2 different scenarios that opens a door for attackers to exploit the vulnerabilities found in Picture Transfer Protocol (PTP).

USB – For an attacker that took over your PC, and now wants to propagate into your camera.

WiFi – An attacker can place a rogue WiFi access point at a tourist attraction, to infect your camera.

Vulnerabilities in Canon DSLR EOS

Part of the Research, Checkpoint Researchers mainly focusing on Canon’s EOS 80D DSLR camera that holds more than 50% of the market share, EOS80D model supports both USB and WiFi, Canon has an extensive “modding” community, called Magic Lantern, an open-source free software add-on that adds new features to the Canon EOS cameras.

PTP command handler supports up to 5 arguments for every command, out of 148 commands that perform various operations on camera, researchers narrowed down to 38 commands for this research that receives an input buffer.

Below mentioned vulnerabilities reside in the specific opcode and command name of the Picture Transfer Protocol (PTP).

  1. CVE-2019-5994 – Buffer Overflow in SendObjectInfo  (opcode 0x100C)
  2. CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)
  3. CVE-2019-5999– Buffer Overflow in BLERequest (opcode 0x914C)
  4. CVE-2019-6000– Buffer Overflow in SendHostInfo (opcode0x91E4)
  5. CVE-2019-6001– Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)
  6. CVE-2019-5995 – Silent malicious firmware update

In this case, 3 similar buffer overflow vulnerabilities are found over a global structure, Over stack and heap.

The second and third vulnerability is related to Bluetooth, but the camera model doesn’t support Bluetooth.

Researchers tested these vulnerabilities using the Proof-of-concept to check whether the vulnerabilities are working and it ended up in the camera crashing then later they wrote an exploit to bypass the camera.

According to Checkpoint “After playing around with the firmware update process, we went back to finish our ransomware. The ransomware uses the same cryptographic functions as the firmware update process and calls the same AES functions in the firmware. After encrypting all of the files on the SD Card, the ransomware displays the ransom message to the user.”

In the above video, the developed exploit has been launched against the Camera over WiFi. In this part, the attacker set up a Rogue WiFi access point by sniffing the network.

Faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit and infect with ransomware, Researchers said.

All the vulnerability has been reported to Canon and they released an advisory with a firmware update, also Canon has informed that no confirmed cases of these vulnerabilities being exploited to cause harm.

You can read the complete guide of Ransomware Attack Response and Mitigation Checklist.

Sponsored: Best Practices to Strengthen Cyber Security – Manage all the Endpoint networks from a single Console.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.


Latest articles

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles