Hackers turn a Canon EOS camera into a remote surveillance tool

The Canon EOS-1D X camera is not designed with security in mind, a researcher said

The high-end Canon EOS-1D X camera can be hacked for use as a remote surveillance tool, with images remotely downloaded, erased and uploaded, a researcher said during the Hack in the Box security conference in Amsterdam on Wednesday.

The digital SLR camera has an Ethernet port and also supports wireless connections via a WLAN adapter. That connectivity is particularly useful for photojournalists, who can quickly upload photos to an FTP server or a tablet, according to German security researcher Daniel Mende of ERNW.

However, the camera's connectivity was not designed with security in mind, said Mende. "If a photographer uses an insecure network like a hotel Wi-Fi network or a Starbucks network, then almost anybody with a little bit of knowledge is able to download images from the camera," he said.

The camera can be accessed by attackers in a number of ways, Mende said. Because FTP upload mode sends information in clear text, credentials and the complete data transmission can be sniffed, so uploaded pictures can be extracted from the network traffic, Mende said.

The camera also has a DLNA (Digital Living Network Alliance) mode that allows media to be shared between devices; it requires no authentication and has no restrictions, Mende said. DLNA uses the UPnP (Universal Plug and Play) networking protocols for discovery, and media can be accessed via HTTP and XML in DLNA mode, he said.

"In this mode the camera fires up like a network server," Mende said, adding that every DLNA client can download all images from the camera. Because a browser can serve as a DLNA client, it's relatively easy to do this, he said. "In this mode it is also not hard to get your fingers on the footage, you just have to browse to the camera and download all images you like," he said.

The camera also has a built-in Web server called WFT server that does have authentication, he said. But the authentication method used has a 4-byte session ID cookie that can easily be overcome via brute force with six lines of Python script, said Mende.

"Checking all IDs takes about 20 minutes because the web server is not that responsive," Mende said. But whoever figures out the ID can get access to stored photos on the device and to camera settings, he said. "You could for instance make yourself the author of a photo. That would come in handy when you try to sell them," Mende said.
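As an added illustration of the design weakness described above (this is not code from Mende's talk or from Canon), the sketch below shows the two server-side controls whose absence makes a short session ID guessable: a 128-bit random token and a cap on failed guesses per client. The `SessionStore` class, its limits and the client addresses used with it are hypothetical.

```python
import hmac
import secrets
import time

TOKEN_BYTES = 16       # 128-bit session ID instead of the 4 bytes described above
MAX_FAILURES = 5       # bad tokens tolerated per client inside the window
WINDOW_SECONDS = 300   # length of the sliding window, in seconds


class SessionStore:
    """Hypothetical session manager for a small embedded web server."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so the lockout window can be tested
        self._sessions = {}      # token -> username
        self._failures = {}      # client address -> timestamps of bad tokens

    def issue(self, username):
        # secrets draws from the OS CSPRNG; 16 bytes become 32 hex characters.
        token = secrets.token_hex(TOKEN_BYTES)
        self._sessions[token] = username
        return token

    def _recent_failures(self, client):
        # Drop failures that have aged out of the sliding window.
        cutoff = self._clock() - WINDOW_SECONDS
        recent = [t for t in self._failures.get(client, []) if t > cutoff]
        self._failures[client] = recent
        return recent

    def is_locked(self, client):
        return len(self._recent_failures(client)) >= MAX_FAILURES

    def validate(self, client, presented):
        """Return the username for a valid token, otherwise None."""
        recent = self._recent_failures(client)
        if len(recent) >= MAX_FAILURES:
            # Locked-out clients are refused even with a correct token, so an
            # enumeration run learns nothing until the window expires.
            return None
        candidate = presented.encode("utf-8", "replace")
        for token, user in self._sessions.items():
            # Constant-time comparison avoids leaking how much of a guess matched.
            if hmac.compare_digest(token.encode(), candidate):
                return user
        recent.append(self._clock())
        return None
```

Keying the lockout on the client address is an assumption that suits a single-user device; clients behind a shared address would share one failure budget.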

Attackers can also gain remote access to the camera's EOS Utility Mode, which comes closest to gaining root access on the camera, Mende said. The utility mode allows users to wirelessly control the camera through Canon's EOS Utility software interface, which provides Live View functionality, movie mode, and the ability to wirelessly transfer images from a camera to a remote computer.

Accessing the camera in that mode wasn't as easy as gaining control via FTP or the session ID, according to Mende.

To access the mode, an attacker has to listen for the camera's GUID (Globally Unique Identifier), which is broadcast in obfuscated form. The attacker then needs to de-obfuscate the authentication data, disconnect the connected client software and connect to the camera using PTP/IP, the picture transfer protocol that is used to transfer images to connected devices, according to Mende's presentation.

"We not only can download all the taken pictures, we can also get a more or less live stream from the camera," Mende said. "We've successfully made the camera into a surveillance device."

Attackers are also able to upload pictures to the camera in Utility mode, he said.

Canon has not fixed the vulnerabilities yet, according to Mende, who said he wasn't able to find anyone at Canon willing to listen to him. "The camera is designed to work exactly like this. From Canon's point of view there is probably no bug," Mende said.

"[But] people who use the camera should be aware of this. That's why I'm standing here today without speaking to Canon," he told conference attendees.

Canon EOS-1D X owners should take countermeasures to prevent the attacks from succeeding, said Mende. They should only enable network connections in trusted networks, he said. And users should always use a secure password for trusted WLAN networks, he said.

Canon did not immediately reply to a request for comment.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com
