The Canon EOS-1D X camera is not designed with security in mind, a researcher said

The high-end Canon EOS-1D X camera can be hacked for use as a remote surveillance tool, with images remotely downloaded, erased and uploaded, a researcher said during the Hack in the Box security conference in Amsterdam on Wednesday.

The digital SLR camera has an Ethernet port and also supports wireless connection via a WLAN adapter. That connectivity is particularly useful for photojournalists, who can quickly upload photos to an FTP server or a tablet, according to German security researcher Daniel Mende of ERNW.

However, the camera’s connectivity was not designed with security in mind, said Mende. “If a photographer uses an insecure network like a hotel Wi-Fi network or a Starbucks network, then almost anybody with a little bit of knowledge is able to download images from the camera,” he said.

The camera can be accessed by attackers in a number of ways, Mende said. Because FTP upload mode sends information in clear text, credentials and the complete data transmission can be sniffed, so uploaded pictures can be extracted from the network traffic, Mende said.

The camera also has a DLNA (Digital Living Network Alliance) mode that allows the sharing of media between devices, requires no authentication and has no restrictions, Mende said. DLNA uses the UPnP (Universal Plug and Play) networking protocols for discovery, and media can be accessed via HTTP and XML in DLNA mode, he said.

“In this mode the camera fires up like a network server,” Mende said, adding that every DLNA client can download all images from the camera. Because a browser can serve as a DLNA client, it’s relatively easy to do this, he said. “In this mode it is also not hard to get your fingers on the footage, you just have to browse to the camera and download all images you like,” he said.

The camera also has a built-in Web server called WFT server that does have authentication, he said.
But the authentication method used has a 4-byte session ID cookie that can easily be overcome via brute force with six lines of Python script, said Mende.

“Checking all IDs takes about 20 minutes because the web server is not that responsive,” Mende said. But whoever figures out the ID can get access to stored photos on the device and to camera settings, he said. “You could for instance make yourself the author of a photo. That would come in handy when you try to sell them,” Mende said.

Attackers can also gain remote access to the camera’s EOS Utility Mode, which comes closest to gaining root access on the camera, Mende said. The utility mode allows users to wirelessly control the camera through Canon’s EOS Utility software interface, which provides Live View functionality, movie mode, and the ability to wirelessly transfer images from a camera to a remote computer.

Accessing the camera in that mode wasn’t as easy as gaining control via FTP or the session ID, according to Mende.

To access the mode, an attacker has to listen for the camera’s GUID (Globally Unique Identifier), which is broadcast in obfuscated form. The attacker then needs to de-obfuscate the authentication data, disconnect the connected client software and connect to the camera using PTP/IP, the Picture Transfer Protocol over IP that is used to transfer images to connected devices, according to Mende’s presentation.

“We not only can download all the taken pictures, we can also get a more or less live stream from the camera,” Mende said. “We’ve successfully made the camera into a surveillance device.” Attackers are also able to upload pictures to the camera in Utility mode, he said.

Canon has not fixed the vulnerabilities yet, according to Mende, who said he wasn’t able to find anyone at Canon willing to listen to him. “The camera is designed to work exactly like this. From Canon’s point of view there is probably no bug,” Mende said.

“[But] people who use the camera should be aware of this.
That’s why I’m standing here today without speaking to Canon,” he told conference attendees.

Canon EOS-1D X owners should take countermeasures to prevent the attacks from succeeding, said Mende. They should only enable network connections in trusted networks, he said. And users should always use a secure password for trusted WLAN networks, he said.

Canon did not immediately reply to a request for comment.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com.
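The WFT server weakness described above comes down to a session ID small enough to enumerate and a server that lets one client keep guessing. The following is an added example, not Canon's code and not taken from Mende's presentation: a sketch of a session table that issues 128-bit IDs and locks out a client after repeated unknown IDs. The class name, thresholds and client addresses are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 16        # 128-bit IDs; the page describes a 4-byte ID
MAX_FAILURES = 5        # assumed: unknown IDs tolerated per client per window
WINDOW_SECONDS = 60     # assumed sliding window for counting failures
LOCKOUT_SECONDS = 300   # assumed lockout once the threshold is reached


class SessionStore:
    """Hypothetical server-side session table (illustrative only)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}   # sha256(token) -> (user, expiry time)
        self._failures = {}   # client address -> recent failure timestamps
        self._locked = {}     # client address -> time the lockout ends

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, ttl=900):
        # CSPRNG token; only its hash is stored, so a dump of the
        # table does not yield usable cookies.
        token = secrets.token_hex(TOKEN_BYTES)
        self._sessions[self._digest(token)] = (user, self._clock() + ttl)
        return token

    def validate(self, client, token):
        now = self._clock()
        if self._locked.get(client, 0) > now:
            return None   # locked out: refuse even a valid ID
        entry = self._sessions.get(self._digest(token))
        if entry and entry[1] > now:
            return entry[0]
        # Unknown or expired ID: count it as possible enumeration.
        recent = [t for t in self._failures.get(client, [])
                  if now - t < WINDOW_SECONDS]
        recent.append(now)
        self._failures[client] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked[client] = now + LOCKOUT_SECONDS
        return None

    def is_locked(self, client):
        return self._locked.get(client, 0) > self._clock()
```

A lockout keyed on client address also gives a monitoring point: each entry added to the lockout table is an event worth logging and alerting on.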