stationtree.blogg.se

Canon eos 350d firmware hack












CANON EOS 350D FIRMWARE HACK UPDATE

“not only did we find the AES (encryption) functions, we also found the verification and decryption keys for the firmware update process,” researchers wrote. But thanks to a meticulous reverse engineering of the firmware, researchers were able to take advantage of AES encryption, native to the firmware. The challenge of delivering ransomware to a DSLR camera wasn’t slight. “Now that we are sure that all of our vulnerabilities indeed work, it’s time to start the real exploit development,” Itkin wrote. But still, the researchers’ work was not done. This means that even if all of the implementation vulnerabilities are patched, an attacker can still infect the camera using a malicious firmware update file,” researchers wrote. “There is a PTP command for remote firmware update, which requires zero user interaction. One of the more sinister attack scenarios involved exploiting a bug (CVE-2019-5995) in the firmware that allows for a silent and malicious firmware update. Infecting it with ransomware is only one of many options.”

CANON EOS 350D FIRMWARE HACK CODE

Such a remote code execution scenario will allow attackers to do whatever they want with the camera. “Simulating attackers, we want to find implementation vulnerabilities in the protocol, hoping to leverage them in order to take over the camera. “In our research we aim to advance beyond the point of accessing and using the protocol’s functionality,” Check Point said. It was Check Point’s intent to find exploitable bugs, not just spy.


“demonstrated how he (mis)used the protocol’s functionality for spying over a victim,” Check Point wrote.


In 2013, Mende gave a talk at the security conference Hack in The Box called “Paparazzi over IP.” “Once the attacker is within the same LAN as the camera, he can initiate the exploit,” the researcher said. According to Check Point, its proof-of-concept attack builds off previous camera firmware research by Daniel Mende. The wireless attack is triggered when the camera connects to the rogue access point.


The second attack involves placing a rogue Wi-Fi access point in a public setting to leverage a remote attack against the targeted camera.


One scenario included an attacker that takes over a PC, and can leapfrog an infection into a camera via a USB connection. “vulnerability in PTP can be equally exploited over USB and over Wi-Fi,” he wrote. During the DEF CON session, Itkin outlined two attack scenarios against the Canon EOS 80D model camera. The researcher wrote, in a technical paper released Sunday, that PTP is a ripe target, given it is an unauthenticated protocol that supports dozens of different complex commands. PTP is an industry standard protocol used by device makers for transferring images over a wired or wireless connection from a digital camera to a computer. Eyal Itkin, the Check Point researcher giving the talk, said flaws were found in Canon’s implementation of Picture Transfer Protocol (PTP). The research comes from Check Point, which found six bugs when it reverse engineered Canon’s EOS 80D DSLR firmware. Eyal Itkin, researcher with Check Point ahead of a session at DEF CON titled “Say Cheese-How I Ransomwared Your DSLR Camera”












