Hackers steal photos, turn Wi-Fi cameras into remote surveillance device

With so many people seizing the convenience of using their smartphone cameras to point, shoot and share, embedded GPS location and all, digital camera manufacturers have been offering more “social” options such as built-in Wi-Fi capabilities and camera apps to quickly share photos and videos. In fact, if a digital single-lens reflex (DSLR) camera isn’t Wi-Fi enabled, some photographers go the Wi-Fi SD card route and others create hacks to give that camera wireless file transfer capabilities. While there have been plenty of researchers working on ways to exploit smartphones for remote spying, such as the scary PlaceRaider, an Android app that remotely exploits the camera and secretly snaps a picture every two seconds, there has not been as much research into exploiting DSLR Wi-Fi-enabled cameras. However, security researchers from ERNW changed that by showing how to exploit vulnerabilities in order to steal photos and turn a DSLR camera into a spying device.

Wi-Fi-enabled cameras are the hottest new ticket. For example, the new Fuji XP200 is waterproof down to 50 feet, 15 meters, and if you can pick up a Wi-Fi signal underwater, then you could upload your photos to social networks right then. From inexpensive point-and shoot cameras with Wi-Fi, to the six new Samsung smart cameras, to more pricey new DSLR cameras like the Sony NEX-5R and the high end $6,500 Canon EOS-1D X, camera manufacturers are trying to stay relevant by using Wi-Fi for transferring without messing with USB cables and for social network sharing. It is this high dollar Canon DSLR camera with networking capabilities that security researchers, Daniel Mende and Pascal Turbing easily hacked at ShmooCon and Troopers13.

In the presentation Paparazzi over IP, Mende and Turbing explained that there are four ways that the Canon EOS-1D X can communicate with a network via FTP, DLNA (Digital Living Network Alliance), WFT (Wireless File Transmitter) and the EOS Utility Mode. They were able to attack and exploit all four, saying, “Not only did we discover weak plaintext protocols used in the communication, we’ve also been able to gain complete control of the camera, including modification of camera settings, file transfer and image live stream. So in the end the ‘upload to the clouds’ feature resulted in an image stealing Man-in-the-Imageflow.”

Bring down the camera with a DDoS attack

When looking the Layer 2 and 3 implementations in the CamOS, “all the classic attacks, like ARP spoofing or TCP RST attacks are working like a charm,” according to Daniel Mende. “If you send more than ~100 packets per second to the camera, you can easily DoS the network stack.”

Steal photos via FTP and DLNA

FTP is insecure and sends in clear text, “so if an attacker is able to get into the packet stream (which he can get easily via ARP spoofing, if he’s in the same broadcast domain), it’s easy to extract the credentials used to log on to the FTP server. If the packet stream is recorded, it’s even possible to extract all uploaded photos from that stream.”

DLNA is used to share digital media between multimedia devices, but it is also insecure and does not use HTTPS. So in Paparazzi over IP, Mende said, “An attacker with some connectivity to the cam can enumerate and download all the images, if he is in the same broadcast domain, he even sees the cam announcing its presence.” During the presentation, they said every DLNA client can “download all images;” your browser, or an attacker’s, could be used as a DLNA client for your camera.

WFT to turn the camera into a surveillance device

When Canon launched the EOS 1D X DSLR, the company also launched the Canon WFT-E6 to give “enhanced remote capture, media server functionality, linked shooting, plus built-in Bluetooth connection functionality” for geo-tagging. The security researchers said the built-in browser in the camera connects to the WFT server using basic HTTP authentication, meaning an attacker could launch a man-in-the-middle (MITM) attack to sniff the credentials or the user’s session ID. When the camera is in WFT Server Mode, there is a valid session opened by the user, but that will remain open even if the user logs out. They said no one will recognize a brute force attack. Additionally, it uses an AJAX interface to control the camera, so they could get full access to Live View and could “get a picture every one to two seconds” to “turn the camera into a surveillance device.” An attacker could also access the camera settings and download all the stored photos.

EOS Utility

An attacker can practically gain “fast” root access by attacking the EOS Utility mode which is meant to help the camera connect to Canon software. The Utility Mode communicates via mDNS to discover the camera and then Picture Transfer Protocol over Internet Protocol (PTP/IP) to setup a connection. They described this attack as: “Listen for the CAM on MDNS. De-obfuscate Authentication data. Disconnect connected Client Software. Connect via TPT/IP. Have Phun.”

The researchers will also present Paparazzi over IP at HITSecCon2013.They advised for photographers to only use the networking function over secure Wi-Fi networks using WPA and to also use secure passwords. If an attacker were on the same insecure Wi-Fi network with you, such as if you used public Wi-Fi, then all of these attacks are possible. Many Wi-Fi-enabled cameras will offer encryption options for Wi-Fi uploads during the initial setup process, so photographers who do not enable encryption may want to rethink that option. An attacker with time on his or her side might find more vulnerabilities, take unauthorized photos and videos, and turn a Wi-Fi camera into a spying device used against the photographer. Camera manufacturers need to start putting some real thought into securing the devices and protecting privacy.