Check Point Researchers Infect Canon DSLR with Ransomware via Wi-Fi
Security analysts from Check Point have discovered six vulnerabilities in the implementation of the Picture Transfer Protocol (PTP) used in Canon cameras. Exploiting these issues can ultimately lead to an attacker taking control of the device and installing any type of malware—including wirelessly, if the camera supports wireless connections. The researchers demonstrated such an attack on a Canon EOS 80D DSLR, which they successfully infected with ransomware over a Wi-Fi connection.
How the Attack Was Carried Out
The experts first thoroughly examined the PTP implementation in Canon cameras. They reviewed all 148 supported commands and narrowed the list down to 38 that have an input buffer. This process led to the identification of six distinct vulnerabilities. The list of vulnerable commands and their unique identifiers is provided below. Not all of these vulnerabilities need to be exploited to gain unauthorized access to the camera.
- CVE-2019-5994 – Buffer overflow in SendObjectInfo (opcode 0x100C)
- CVE-2019-5998 – Buffer overflow in NotifyBtStatus (opcode 0x91F9)
- CVE-2019-5999 – Buffer overflow in BLERequest (opcode 0x914C)
- CVE-2019-6000 – Buffer overflow in SendHostInfo (opcode 0x91E4)
- CVE-2019-6001 – Buffer overflow in SetAdapterBatteryReport (opcode 0x91FD)
- CVE-2019-5995 – “Silent” firmware update to a malicious version
The second and third vulnerabilities are related to Bluetooth commands, even though the tested camera does not support Bluetooth at all.
Testing and Exploitation Process
The researchers began by connecting the camera to a computer via USB. Wireless connections cannot be used when the camera is connected through USB, but the team was still able to test and refine their exploit using the second vulnerability listed above, eventually achieving code execution over USB.
However, when switching to a wireless connection, the exploit stopped working and the camera would crash. This happened because sending a Bluetooth status notification over Wi-Fi confused the camera—especially since it doesn’t support Bluetooth in the first place.
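One way firmware can shrink the attack surface described above, added here as an example and not taken from Canon's firmware or Check Point's research: a gate that runs before any handler and rejects commands for hardware the model lacks, as well as data phases larger than the handler's buffer. The opcodes are the ones listed in the article. The `ptp_gate` function, the capability bits, and the length limits are hypothetical, and a real table would list every command that has an input buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical capability bits describing the model's own hardware. */
enum { CAP_NONE = 0, CAP_BLUETOOTH = 1 };
enum gate_result { GATE_OK, GATE_UNKNOWN_OP, GATE_NO_CAPABILITY, GATE_TOO_LONG };

struct op_policy {
    uint16_t opcode;     /* PTP operation code */
    uint32_t max_in_len; /* largest data phase the handler's buffer can hold */
    unsigned needs_caps; /* hardware without which the command is meaningless */
};

/* Opcodes are the ones named in the article; the length limits are constructed
 * placeholder values, not Canon's real buffer sizes. */
static const struct op_policy POLICY[] = {
    { 0x100C, 256, CAP_NONE      }, /* SendObjectInfo */
    { 0x91F9,  64, CAP_BLUETOOTH }, /* NotifyBtStatus */
    { 0x914C, 128, CAP_BLUETOOTH }, /* BLERequest */
    { 0x91E4, 128, CAP_NONE      }, /* SendHostInfo */
    { 0x91FD,  32, CAP_NONE      }, /* SetAdapterBatteryReport */
};

/* Runs before any handler touches the data phase: default deny, then a
 * hardware check, then a length check against the handler's buffer. */
enum gate_result ptp_gate(uint16_t opcode, uint32_t in_len, unsigned device_caps)
{
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const struct op_policy *p = &POLICY[i];
        if (p->opcode != opcode)
            continue;
        if ((p->needs_caps & device_caps) != p->needs_caps)
            return GATE_NO_CAPABILITY; /* e.g. Bluetooth command, no Bluetooth */
        if (in_len > p->max_in_len)
            return GATE_TOO_LONG;      /* reject, never truncate or copy */
        return GATE_OK;
    }
    return GATE_UNKNOWN_OP;
}

int main(void)
{
    /* Constructed requests against a model without Bluetooth. */
    printf("%d %d %d\n", ptp_gate(0x100C, 200, CAP_NONE),
           ptp_gate(0x91F9, 16, CAP_NONE), ptp_gate(0x91E4, 4096, CAP_NONE));
    return 0;
}
```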
Remote Firmware Update Vulnerability
The researchers continued searching for other bugs and discovered a vulnerability that allows remote firmware updates without user interaction. Through reverse engineering, they identified the keys used to verify and encrypt firmware. A malicious firmware update built with these keys would have all the correct signatures, and the camera would accept it as legitimate.
As a result, the experts not only created an exploit that works via both USB and Wi-Fi, but also found a way to encrypt files on the camera’s memory card, using the same cryptographic functions employed in the firmware update process. The researchers' demonstration video shows the attack on a Canon EOS 80D over Wi-Fi, resulting in the camera being infected with ransomware.
Canon’s Response
Canon has already published a security bulletin addressing the discovered vulnerabilities. According to the document, the company is not aware of any incidents where these bugs have been exploited by attackers. The bulletin also provides links to updated firmware versions. For European and Asian users, updates to version 1.0.3 have been available since July 30, while for American owners of affected cameras, the update was released on August 6.