Security researchers with Check Point Research have demonstrated that it is possible to incapacitate a DSLR camera using wirelessly transmitted ransomware, a type of malware that forces victims to pay in order to decrypt their data. Though the demonstration involved using Wi-Fi, the researchers say it is also possible to hijack a DSLR camera using USB.

Modern cameras feature an unauthenticated protocol called Picture Transfer Protocol (PTP) that comes in two varieties: PTP/USB for wired connections and PTP/IP for wireless connections. Whereas USB requires the hacker to compromise the camera owner's computer, Wi-Fi makes it possible to target the camera directly by simply being located near the device.

The DSLR malware demonstration involved a Canon EOS 80D camera, with the researchers explaining that they chose this model due to Canon's popularity combined with the 80D's support for USB, Wi-Fi and open-source software called Magic Lantern.

The researchers detailed the technical aspects of developing this malware in a blog post, ultimately explaining:

‘The ransomware uses the same cryptographic functions as the firmware update process, and calls the same AES functions in the firmware. After encrypting all of the files on the SD Card, the ransomware displays the ransom message to the user.’

It's possible for hackers to set up a rogue Wi-Fi access point that causes these Wi-Fi-enabled cameras to automatically connect to the network, after which point the ransomware can be deployed. In a real-world scenario, this malware would demand payment from the victim -- usually a few hundred dollars -- in order to decrypt the images on the camera.

According to Check Point Research, Canon was contacted about these vulnerabilities in March and worked with the company to patch the security issues. Canon released the first security patch on August 6 alongside an advisory, shared below, detailing the PTP vulnerability and the cameras affected by by it.

Product advisory:

Regarding the security advisory for Canon digital cameras related to PTP (Picture Transfer Protocol) communication functions and firmware update functions

August 6, 2019 — Thank you very much for using Canon products.

An international team of security researchers has drawn our attention to a vulnerability related to communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates. (CVE-ID: CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001)

Due to these vulnerabilities, the potential exists for third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network.

At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue.

  • Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
  • Do not connect the camera to a PC or mobile device that is being used in an unsecure network, such as in a free Wi-Fi environment.
  • Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
  • Disable the camera’s network functions when they are not being used.
  • Download the official firmware from Canon’s website when performing a camera firmware update.

Please check the Web site of the Canon sales company in your region for the latest information regarding firmware designed to address this issue.