Researchers show how easy it is to inject a DSLR camera with ransomware

Researchers have developed a working exploit that allows ransomware to be remotely deployed on DSLR cameras, encrypting all photos on an inserted SD card.

The attack was demonstrated on a Canon EOS 80D and can be performed over both USB and Wi-Fi if a victim was connected to an unsecured public network.

Ransomware can take over a modern DSLR by exploiting the popular Picture Transfer Protocol (PTP) which is used by cameras for a whole host of tasks such as image transfer, taking live pictures and even updating the camera's firmware.

The protocol is an attacker's delight because it's both unauthenticated and supports "dozens of different complex commands," researcher Eyal Itkin of Check Point said in a blog post.

Check Point chose to target the Canon EOS 80D due to Canon's dominance in the DSLR space (controlling more than 50% of the market) and the fact it supports both Wi-Fi and USB.

Canon also has an extensive modding community called Magic Lantern, meaning some initial exploration of the camera's firmware has already been conducted by its users.

"Attackers are profit-maximisers, they strive to get the maximum impact (profit) with minimal effort (cost)," said Itkin. "In this case, research on Canon cameras will have the highest impact for users, and will be the easiest to start, thanks to the existing documentation created by the ML community."

This form of ransomware distribution could be especially lucrative to attackers due to the high sentimental value people place on photos. People may be more likely to pay out the attacker's ransom demands to preserve cherished memories.

The attack could be particularly effective in tourist hotspot areas where potential victims are connected to the same unsecured Wi-Fi networks as the attackers. The researchers show how quickly a camera could be infected in the video below, complete with a typical ransomware splash page - just like on a PC.

"Chaining everything together requires the attacker to first set-up a rogue WiFi Access Point," said Itkin. "This can be easily achieved by first sniffing the network and then faking the AP to have the same name as the one the camera automatically attempts to connect. Once the attacker is within the same LAN as the camera, he can initiate the exploit."

Exploiting PTP is nothing new. At the Hack in the Box 2013 security conference, researcher Daniel Mende showed how it could be leveraged to access a camera, but Check Point are thought to be the first to show that malware can be deployed using this method.

Canon released a patch for the issue along with a security advisory last week.

Although the exploit was only proven using a Canon camera, "due to the complexity of the protocol, we do believe that other vendors might be vulnerable as well, however it depends on their respective implementation," Itkin told The Verge.

"This is an interesting vulnerability. It does, however, require the victim to be connected to a rogue wifi hotspot which limits the attacker to being in close physical proximity to the intended victim," said Javvad Malik, security awareness advocate at KnowBe4.

"For some, having ransomware on their camera may be little more than a minor inconvenience where a memory card needs to be discarded," he added. "The impact to a professional photographer, like a journalist, or wedding photographer would be significant - so those professionals should be taking extra precautions regardless of this particular vulnerability."

Ransomware has seen somewhat of a resurgence in 2019, according to figures from SonicWall in July.

Attacks of this type on UK businesses fell in early 2019 but had surged 195% by the second half of the year - 6.4 million cases in total.

Elsewhere, two Floridian towns paid ransoms to regain control of their municipal systems which, when combined, cost more than $1 million. Baltimore was also attacked a month earlier.