Canon has put out a firmware update and a security advisory for all EOS DSLRs, Mirrorless Cameras, and PowerShot cameras that use WiFi and the Picture Transfer Protocol to transmit photos and videos wirelessly to a computer or mobile device.
Even though there has been no indication that a hacker has taken advantage of the vulnerability, the potential exists to intercept user data through an unsecured network. It's also possible that ransomware can be installed into the camera, locking up your image data, and demanding bitcoin to un-encrypt it.
In this case, research on Canon cameras will have the highest impact for users, and will be the easiest to start, thanks to the existing documentation created by the ML community.
CheckPoint Software Technologies was able to discover the exploit by researching work done by Magic Lantern and then using that research to find key vulnerabilities in the PTP protocol and take advantage of it. Check out the video below by CheckPoint Software Technologies:
During our research, we found multiple critical vulnerabilities in the Picture Transfer Protocol as implemented by Canon. Although the tested implementation contains many proprietary commands, the protocol is standardized, and is embedded in other cameras.
The exploit exists on the following DSLRs and Mirrorless cameras:
- EOS-1DX*1 *2
- EOS 6D Mark II
- EOS 760D
- EOS M5
- EOS-1DX MK II*1 *2
- EOS 7D Mark II*1
- EOS 77DEOS M6
- EOS-1DC*1 *2
- EOS 70D
- EOS 1300D
- EOS M10
- EOS 5D Mark IV
- EOS 80D
- EOS 2000D
- EOS M100
- EOS 5D Mark III*1
- EOS 750D
- EOS 4000D
- EOS M50
- EOS 5DS*1
- EOS 800D
- EOS R
- EOS 5DS R*1
- EOS 200D
- EOS RP
- EOS 6D
- EOS 250D
- EOS M3
In addition, the PowerShot G5X Mark I, PowerShot SX70 HS and PowerShot SX740 HS models are also affected.
At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue.
Canon is working on a firmware update for all models, but so far only the EOS 80D has gotten an update through version 1.0.3. It's available here. But for the rest, Canon advises the following workarounds until firmware updates are put out:
- Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
- Do not connect the camera to a PC or mobile device that is being used in an unsecured network, such as in a free Wi-Fi environment.
- Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
- Disable the camera’s network functions when they are not being used.
- Download the official firmware from Canon’s website when performing a camera firmware update.
CheckPoint also notes that any camera using the Picture Transfer Protocol would be vulnerable, not just Canon brands. Meanwhile, more details on How CheckPoint Software Technologies discovered the exploit can be found here.