Hackers turn a Canon EOS camera into a remote surveillance tool

The Canon EOS 1D-X camera is not designed with security in mind, a researcher said

The high-end Canon EOS-1D X camera can be hacked for use as a remote surveillance tool, with images remotely downloaded, erased and uploaded, a researcher said during the Hack in the Box security conference in Amsterdam on Wednesday.

The digital SLR camera has a Ethernet port and also supports wireless connection via a WLAN adapter. That connectivity is particularly useful for photojournalists who can quickly upload the photos to a FTP server or a tablet, according to German security researcher Daniel Mende of ERNW.

However, the camera's connectivity was not designed with security in mind, said Mende. "If a photographer uses an insecure network like a hotel Wi-Fi network or a Starbucks network, than almost anybody with a little bit of knowledge is able to download images from the camera," he said.

The camera can be accessed by attackers in a number of ways, Mende said. Because FTP upload mode sends information in clear text, credentials and the complete data transmission can be sniffed, so uploaded pictures can be extracted from the network traffic, Mende said.

The camera also has an DNLA (Digital Living Network Alliance) mode that allows the sharing of media between devices and requires no authentication and has no restrictions, Mende said. DNLA uses the UPnP (Universal Plug and Play) networking protocols for discovery, and media can be accessed via HTTP and XML in DNLA mode, he said.

"In this mode the camera fires up like a network server," Mende said, adding that every DNLA client can download all images from the camera. Because a browser can serve as a DNLA client it's relatively easy to do this, he said. "In this mode it is also not hard to get your fingers on the footage, you just have to browse to the camera and download all images you like," he said.

The camera also has a built-in Web server called WFT server that does have authentication, he said. But the authentication method used has a 4-byte session ID cookie that can easily be overcome via brute force with six lines of Python script, said Mende.

"Checking all IDs takes about 20 minutes because the web server is not that responsive," Mende said. But whoever figures out the ID can get access to stored photos on the device and to camera settings, he said. "You could for instance make yourself the author of a photo. That would come in handy when you try to sell them," Mende said.

Attackers can also gain remote access to the camera's EOS Utility Mode, which comes closest to gaining root access on the camera, Mende said. The utility mode allows users to wirelessly control the camera through Canon's EOS Utility software interface, which provides Live View functionality, movie mode, and the ability to wirelessly transfer images from a camera to a remote computer.

Accessing the camera in that mode wasn't as easy as gaining control via FTP or the session ID, according to Mende.

To access the mode, an attacker has to listen for the camera's GUID (Globally Unique Identifier) that is broadcasted obfuscated. The attacker than needs to de-obfuscate the authentication data, disconnect the connected client software and connect to the camera using the PTP/IP protocol, or picture transfer protocol that is used to transfer images to connected devices, according to Mende's presentation.

"We not only can download all the taken pictures, we can also get a more or less live stream from the camera," Mende said. "We've successfully made the camera into a surveillance device."

Attackers are also able to upload pictures to the camera in Utility mode, he said.

Canon has not fixed the vulnerabilities yet, according to Mende, who said he wasn't able to find anyone at Canon willing to listen to him. "The camera is designed to work exactly like this. From Canon's point of view there is probably no bug," Mende said.

"[But] people who use the camera should be aware of this. That's why I'm standing here today without speaking to Canon," he told conference attendees.

Canon EOS-1D X owners should take countermeasures to prevent the attacks from succeeding, said Mende. They should only enable network connections in trusted networks, he said. And users should always use a secure password for trusted WLAN networks, he said.

Canon did not immediately reply to a request for comment.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com

Tags Daniel MendesecurityCanonAccess control and authenticationHITBdata breachmobile securitydata protectionExploits / vulnerabilitiesprivacyERNW GmbH

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Loek Essers

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?