By Nathan Willis
April 3, 2013
Consumers can now add digital cameras to the list of purchases that
come with built-in networking functionality, which means said
cameras can also be added to the list of items at risk of being
compromised or disabled by remote attackers. Two security researchers
presented a talk at ShmooCon
2013 in February detailing a series of attacks against high-end
Canon digital cameras. While the speakers did not address a wide range of
manufacturers, they were able to access and control the Canon camera
with very little effort. Part of the vulnerability stems from poor
security engineering on the camera-maker's part, but part of it is baked
into the feature set.
Speakers Daniel Mende and Pascal Turbing are both researchers at
German IT security firm ERNW. They presented their
talk ("Paparazzi over IP") on February 16, although it made headlines
in late March when the video from the session was publicized
by Help Net Security. Mende and Turbing set out to compromise an EOS
1D X digital SLR (DSLR), Canon's current flagship model, retailing at just
under US $7000. The 1D X includes built-in Ethernet connectivity that
is used to enable many of the same features typically run over USB in
less expensive models: file download, browsing and deleting images,
tethered shooting, and so on. It also sports an accessory port, to
which a Canon-made WiFi dongle can be attached.
The target
Mende and Turbing were able to successfully mount a number of
attacks against the camera, resulting in denial of service,
man-in-the-middle attacks which could disclose or delete camera
information, and hijacking authorized network sessions. The camera
offers several means for accessing the contents of its memory cards
remotely (which is rarely a feature desired by the
security-conscious), but its remote-control functionality (i.e.,
tethering the camera to a computer) was
insecure, too. At the moment, the team admits, only high-end Canon
models are affected by their findings, but network functionality is
found in high-end Nikon hardware as well, and virtually all
manufacturers are bringing networking to their less expensive camera
offerings.
Mende and Turbing noted that the 1D X included a more-or-less
complete IPv4 stack, which allowed for attacks at several networking
levels. They attempted a few of them, they said, but turned the
majority of their time to the more interesting challenge of
attacking the custom services offered by the camera. But they did
mention a few attacks that would prove useful later on.
At Layer 2, for example, they pointed out that both ARP spoofing
and ARP flooding were possible. By spoofing ARP packets from anywhere
else on the same Ethernet segment or WiFi network, an attacker could
intercept any traffic between the camera and a computer and gain
man-in-the-middle access. They also noted that the embedded controller has very
little memory, so a denial-of-service was possible by sending the
camera just 100 ARP packets per second. At the TCP/IP layer, mounting
a TCP reset attack was similarly trivial.
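As an added illustration from the defender's side (not code from the talk or from Canon), the following Python script applies two standard layer-2 checks to a constructed stream of ARP events: the arpwatch-style test for an IP address suddenly claimed by a second MAC (the spoofing case), and a sliding one-second window that flags any host reaching the roughly 100 packets per second the speakers said the camera's controller cannot absorb. All addresses, timestamps and the event-tuple shape are constructed for the example.

```python
from collections import defaultdict

# Constructed sample traffic: the camera at CAMERA_IP answers for
# itself, a tethered laptop answers for its own address, then a
# second host first claims the camera's IP (spoofing) and then sends
# 150 replies in under a second (flooding). All addresses are made up.
CAMERA_IP = "192.168.1.20"
CAMERA_MAC = "aa:bb:cc:00:00:01"
ROGUE_MAC = "de:ad:be:ef:00:01"
FLOOD_PPS = 100  # rate the talk reported as enough for a denial of service

SAMPLE = [
    (0.0, CAMERA_MAC, CAMERA_IP, "reply"),
    (1.0, "aa:bb:cc:00:00:02", "192.168.1.10", "reply"),  # tethered laptop
    (5.0, CAMERA_MAC, CAMERA_IP, "reply"),
    (10.0, CAMERA_MAC, CAMERA_IP, "reply"),
    (12.0, ROGUE_MAC, CAMERA_IP, "reply"),  # camera's IP from a second MAC
]
SAMPLE += [(20.0 + i * 0.005, ROGUE_MAC, "192.168.1.99", "reply")
           for i in range(150)]

def detect_spoofing(events):
    """Return {ip: [macs]} for every IP claimed by more than one MAC."""
    claims = defaultdict(set)
    for _ts, mac, ip, _op in events:
        claims[ip].add(mac)
    return {ip: sorted(m) for ip, m in claims.items() if len(m) > 1}

def detect_flood(events, pps=FLOOD_PPS):
    """Return {mac: peak} for senders whose peak count in any
    one-second window reaches pps."""
    per_mac = defaultdict(list)
    for ts, mac, _ip, _op in events:
        per_mac[mac].append(ts)
    flooders = {}
    for mac, times in per_mac.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > 1.0:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= pps:
            flooders[mac] = peak
    return flooders

if __name__ == "__main__":
    print("spoofed IPs:", detect_spoofing(SAMPLE))
    print("flooding MACs:", detect_flood(SAMPLE))
```

On a real network the same two functions can be fed from a switch mirror port or a packet capture; a studio with a tethered camera would alert on either result.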
Canon at your service
Naturally, the whole point of including a built-in TCP/IP
networking stack in the camera is for the manufacturer to run services
over it. As Mende and Turbing explained, the 1D X offers four
networked services: FTP Upload mode, Digital Living Network
Alliance (DLNA) mode, Wireless File Transmitter (WFT) Server
mode, and EOS Utility mode. In FTP Upload mode, images shot by the
camera are automatically uploaded to a pre-configured FTP server
(which could be a very important feature for photojournalists in
dangerous locations or under time pressure); DLNA
mode is also used for network access to the images on the camera,
but by providing a general-purpose DLNA media source that other DLNA
products can easily discover and read from.
The final two modes offer control of camera functions. In WFT
Server mode, a built-in web server provides browser-based access to
tethered shooting functionality, while EOS Utility mode offers more or
less the same functions by connecting the camera to Canon's desktop
camera control application. The tethering capabilities of the two
modes are essentially the same, and are often used in studio
photography set-ups. All four
networking modes, it should be noted, must be activated on the camera,
and cannot be switched on remotely, a limitation which does provide
some protection for the camera owner.
FTP Upload mode allows the shooter to relay images to a remote
server as they are taken; this could be useful (for example) for
photojournalists in the field when time is of the essence. The FTP
server address and its authorization credentials must be entered
manually on the camera's configuration menu, so completely hijacking
an unattended camera is not possible. However, as is common
knowledge, FTP credentials are transmitted in the clear, so the entire
session can be sniffed; when used in conjunction with the ARP spoofing
attack mentioned earlier, an attacker could even spoof the FTP server
side of the connection entirely.
DLNA mode is no more secure, and again it is the underlying
protocol that is to blame. DLNA is designed for consumer electronics
used in the home; there is no real attempt to make connections or
service discovery private or secure. DLNA devices broadcast their
network address over UPnP, and they offer up all of their content to
other DLNA devices (in theory, "renderers"—media player
front-ends like TVs) over HTTP. There is no authentication or access
control. Anyone on the same network segment can see the UPnP
advertisements sent out by the camera, and can access all of its
stored media.
WFT mode and EOS Utility mode both offer a bit more of a security
story, but both of them have grave flaws. WFT mode uses a tiny
built-in web server to deliver a JavaScript-powered web application to
the browser, Mende and Turbing reported. The server uses HTTP basic
authentication, and stores a session identifier (of the form
sessionID=40b1) as a plaintext cookie on the authenticated
browser. A man in the middle can sniff this transaction, they said,
but the session ID is also a mere four bytes in length. If a user is
logged in, someone else can connect to the web server and guess the
cookie value with brute force—Mende and Turbing wrote a six-line
Python script that could brute-force the session ID in about twenty
minutes (depending on how busy the camera is). There is no
notification to the logged-in user that someone else is impersonating
the session.
Once authenticated, the attacker has control over most, but not
all, of the camera's automatic functions: picture-taking, focus,
changing settings, and so on. The attacker can even activate "live
view" mode, which relays a through-the-lens view to the remote
browser. In addition, the attacker can browse, download, and delete
existing images.
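The following Python is an added illustration, not the WFT server's code, of why the cookie format the talk reported is guessable and what an adequately engineered server would do instead. It treats a four-hex-digit identifier as 65536 candidate values (the 55 requests per second that reproduces the roughly twenty-minute figure is an assumed rate), generates a 128-bit random token with constant-time comparison as the replacement, and keeps a per-client count of requests carrying an invalid cookie, which is the notification the camera lacks.

```python
import hmac
import secrets
from collections import Counter

def weak_session_id():
    """Four hex digits, the 'sessionID=40b1' shape: 65536 possibilities."""
    return secrets.token_hex(2)

def strong_session_id():
    """32 hex digits (128 bits of randomness): not guessable online."""
    return secrets.token_hex(16)

def keyspace(session_id):
    """Number of candidate values an attacker must cover for this format."""
    return 16 ** len(session_id)

def minutes_to_enumerate(session_id, requests_per_sec):
    """Worst-case minutes to try every value at the given request rate."""
    return keyspace(session_id) / requests_per_sec / 60

class SessionStore:
    """Server side: constant-time cookie check plus a per-client count of
    requests carrying an invalid cookie, so guessing is noticed."""

    def __init__(self, threshold=20):
        self.valid = set()
        self.failures = Counter()
        self.threshold = threshold

    def issue(self):
        sid = strong_session_id()
        self.valid.add(sid)
        return sid

    def check(self, client, presented):
        # compare_digest avoids leaking a prefix match through timing.
        ok = any(hmac.compare_digest(presented, s) for s in self.valid)
        if not ok:
            self.failures[client] += 1
        return ok

    def suspicious_clients(self):
        """Clients at or above the invalid-cookie threshold."""
        return sorted(c for c, n in self.failures.items() if n >= self.threshold)

if __name__ == "__main__":
    print(keyspace("40b1"), "values; ~%.0f min at 55 req/s"
          % minutes_to_enumerate("40b1", 55))
```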
EOS Utility mode offers many of the same features (including
shooting and live view mode), but it is designed to connect to Canon's
Mac OS X or Windows client applications. The connection method
and communication protocol are different, however. When put into EOS
Utility mode, the camera advertises itself to the network using the
Simple Service Discovery Protocol (SSDP) (which is a multicast message
visible to all). The very first time it is used, the camera must
manually be put into pairing mode, but subsequently the desktop client
and the camera perform a simple handshake, which Mende and Turbing
were able to reverse engineer.
The protocol used for communicating between the client application
and camera is called PTP/IP, the IP-delivered variant of the
standardized Picture Transfer Protocol (PTP) commonly implemented over USB
(gPhoto and many other
open source applications speak PTP already). At first, Mende and
Turbing said, they were concerned that the EOS Utility handshake would
be difficult to crack; the authentication command contains a 16-byte
ID and a hostname string. But although one would assume that the
hostname would be matched against the computer paired with the camera
during the first-run setup, they discovered that in fact it is not
used at all. Furthermore, the 16-byte ID value is broadcast (in
obfuscated form) by the camera in its UPnP messages. Ultimately, an
attacker does need an authenticated user to have an active
session, but the attacker can disconnect it with the TCP reset attack
mentioned earlier and immediately replay the credentials, taking over
the session. Of course, the attacker will probably also need a copy
of Canon's client application in order to do anything useful (it is
unknown if other PTP implementations like gPhoto can control the
cameras directly), but Canon provides free downloads of that as a
convenience.
Cinéma vérité
Mende and Turbing performed a live demonstration in their session,
which revealed some additional details. For example, the camera must
be pinged regularly or else it will drop the EOS Utility connection (a
limitation that stealing images via the other three methods does not
suffer from). The PTP/IP connection also has an upper limit on its
throughput of about 2 megabits per second, which means stealing images
from across the coffee shop can be time consuming. Mende and Turbing
used the smaller JPEG format for the images in their demonstration; raw
files on the 1D X are in the 20MB range. The pair also said that
they were able to disable manual control of the camera when connected
in EOS Utility mode. The owner of the camera could always power-cycle
the camera, of course, but this is yet another possible
denial-of-service approach.
The speakers commented that activating live view mode of a camera
remotely had privacy implications, since an attacker could spy on
someone else through a device thought to be sitting idle. They
speculated that the surveillance risk might be even higher if they
find a way to activate the camera's microphone, which so far they have
not been able to do. Audience members asked some interesting
questions, such as whether firmware updates might
patch any of the flaws discussed. Mende and Turbing replied that
there had been two firmware updates since the camera's release, and
that all of the attacks were carried out with the most recent
release. A Bluetooth dongle is available from Canon as well, and
another audience member asked about its potential for attackers. The
speakers replied that it appears to be capable of connecting only to a
GPS unit. But perhaps it is only a matter of time until Bluetooth
becomes a problem, too; the pair ended the talk by noting that Canon's
latest offering, the EOS 6D, adds a WiFi access point mode and a new
protocol designed for interfacing with iOS and Android apps.
It might be hard to accurately gauge the risk of security flaws in a
top-of-the-line digital camera, but as Mende and Turbing noted, the
features found on the super expensive camera of today are working
their way to the consumer-grade product of tomorrow. At the moment,
the photographer processing images in the hotel after a big event
needs to worry the most. Photographs can be stolen, altered, or even
replaced if one is careless enough to trust the network.
One might reasonably argue that anybody who willingly enables FTP
Upload or DLNA mode on his or her camera has no expectation of
privacy; after all, photojournalists (especially those in dangerous
locations) already know how important protecting their data is. For a few people such a risk might endanger their safety; for most
others only their livelihood is at stake. Consider the paparazzi
mentioned in the talk title, among whom being the first to bring back
pictures of an event or an infant with the right parents can be worth
tens of thousands. The second paparazzo to bring back the coveted
picture might have a hard time proving that the first actually stole
them over the network and altered the Exif data.
For open source developers, the findings in this talk offer some
words of caution. Developers of aftermarket firmware like CHDK or Magic Lantern need to protect their users
even if Canon and Nikon do not. On the other hand, weak
authentication probably makes it easier to reverse engineer the
undocumented protocols often found in these cameras, so users of
tethered shooting applications may actually see some benefits
somewhere down the line. For the rest of the camera-buying public,
though, the take-away is that cameras are just as exploitable as every
other consumer electronics gadget on the network. So in 2012,
celebrities and politicians may have gotten their phones hacked, but
in 2013 their cameras may well be the target. The risks are exactly the
same, but at least the pictures will be sharper and perhaps sport
better noise-reduction.