Wednesday, April 24, 2024

Multiple Bugs in Canon DSLR Camera Let Hackers Infect with Ransomware Over a Rouge WiFi Access Point

Researchers discovered multiple critical vulnerabilities in Picture Transfer Protocol (PTP) that allows attackers to infect the Canon DSLR camera with ransomware to encrypt the pictures and demand the ransom.

An attacker who is very close with the victim’s WiFi or already hijacked computers with the USB access could propagate them to infect the cameras with deadly malware and ransomware.

There was a period when most users connect their camera to their PC using a USB cable to share the captured data using PTP/USB protocol.

New digital camera models now support WiFi to transfer the files from the camera to the computer via PTP/IP that is accessible to every WiFi-enabled device.

Researchers from Checkpoint found 6 critical vulnerabilities in PTP protocol that allows an attacker to take over the camera and infected with the severe ransomware over the rogue WiFi access and unsecured network.

There are 2 different scenarios that opens a door for attackers to exploit the vulnerabilities found in Picture Transfer Protocol (PTP).

USB – For an attacker that took over your PC, and now wants to propagate into your camera.

WiFi – An attacker can place a rogue WiFi access point at a tourist attraction, to infect your camera.

Vulnerabilities in Canon DSLR EOS

Part of the Research, Checkpoint Researchers mainly focusing on Canon’s EOS 80D DSLR camera that holds more than 50% of the market share, EOS80D model supports both USB and WiFi, Canon has an extensive “modding” community, called Magic Lantern, an open-source free software add-on that adds new features to the Canon EOS cameras.

PTP command handler supports up to 5 arguments for every command, out of 148 commands that perform various operations on camera, researchers narrowed down to 38 commands for this research that receives an input buffer.

Below mentioned vulnerabilities reside in the specific opcode and command name of the Picture Transfer Protocol (PTP).

  1. CVE-2019-5994 – Buffer Overflow in SendObjectInfo  (opcode 0x100C)
  2. CVE-2019-5998 – Buffer Overflow in NotifyBtStatus (opcode 0x91F9)
  3. CVE-2019-5999– Buffer Overflow in BLERequest (opcode 0x914C)
  4. CVE-2019-6000– Buffer Overflow in SendHostInfo (opcode0x91E4)
  5. CVE-2019-6001– Buffer Overflow in SetAdapterBatteryReport (opcode 0x91FD)
  6. CVE-2019-5995 – Silent malicious firmware update

In this case, 3 similar buffer overflow vulnerabilities are found over a global structure, Over stack and heap.

The second and third vulnerability is related to Bluetooth, but the camera model doesn’t support Bluetooth.

Researchers tested these vulnerabilities using the Proof-of-concept to check whether the vulnerabilities are working and it ended up in the camera crashing then later they wrote an exploit to bypass the camera.

According to Checkpoint “After playing around with the firmware update process, we went back to finish our ransomware. The ransomware uses the same cryptographic functions as the firmware update process and calls the same AES functions in the firmware. After encrypting all of the files on the SD Card, the ransomware displays the ransom message to the user.”

In the above video, the developed exploit has been launched against the Camera over WiFi. In this part, the attacker set up a Rogue WiFi access point by sniffing the network.

Faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit and infect with ransomware, Researchers said.

All the vulnerability has been reported to Canon and they released an advisory with a firmware update, also Canon has informed that no confirmed cases of these vulnerabilities being exploited to cause harm.

You can read the complete guide of Ransomware Attack Response and Mitigation Checklist.

Sponsored: Best Practices to Strengthen Cyber Security – Manage all the Endpoint networks from a single Console.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.


Latest articles

Phishing Attacks Rise By 58% As The Attackers Leverage AI Tools

AI-powered generative tools have supercharged phishing threats, so even newbie attackers can effortlessly create...

Multiple MySQL2 Flaw Let Attackers Arbitrary Code Remotely

The widely used MySQL2 has been discovered to have three critical vulnerabilities: remote Code...

CoralRaider Hacker Evade Antivirus Detections Using Malicious LNK File

This campaign is observed to be targeting multiple countries, including the U.S., Nigeria, Germany,...

Spyroid RAT Attacking Android Users to Steal Confidential Data

A new type of Remote Access Trojan (RAT) named Spyroid has been identified.This...

Researchers Uncover that UK.GOV Websites Sending Data to Chinese Ad Vendor Analysts

Analysts from Silent Push, a data analytics firm, have uncovered several UK government websites...

Ransomware Victims Who Opt To Pay Ransom Hits Record Low

Law enforcement operations disrupted BlackCat and LockBit RaaS operations, including sanctions on LockBit members...

IBM Nearing Talks to Acquire Cloud-software Provider HashiCorp

IBM is reportedly close to finalizing negotiations to acquire HashiCorp, a prominent cloud infrastructure...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles