Author Topic: Canon WiFi vulnerabilities - new firmwares will be released

Sapporo

Canon WiFi vulnerabilities - new firmwares will be released
« on: August 07, 2019, 07:10:21 AM »
An international team of security researchers has drawn our attention to a vulnerability related to communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates.
(CVE-ID:CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001)

Due to these vulnerabilities, the potential exists for third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network.

At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue.

    Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
    Do not connect the camera to a PC or mobile device that is being used in an unsecure network, such as in a free Wi-Fi environment.
    Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
    Disable the camera’s network functions when they are not being used.
    Download the official firmware from Canon’s website when performing a camera firmware update.

Models Affected

These vulnerabilities affect the EOS-series digital SLR and mirrorless cameras, PowerShot SX740 HS, PowerShot SX70 HS, PowerShot G5X Mark II.


https://www.usa.canon.com/internet/portal/us/home/support/product-advisories/detail/the-vulnerability-in-canon-digital-cameras

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6001

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6000

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5999

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5998

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5994

kitor

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #1 on: August 07, 2019, 11:53:00 AM »
Quote
EOS R firmware version 1.3.0 and earlier

Hmm, I'm sure the latest public one is 1.2.0 ::)

Anyway, seems like a possible entry point to enable bootflag on R.
EOS R

Sapporo

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #2 on: August 11, 2019, 09:40:50 PM »
https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/

Possible to encrypt all files. Perhaps a new feature for ML instead of io_crypt?

walter_schulz

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #3 on: August 11, 2019, 10:08:11 PM »
Any word about the fix affecting the key currently used by ML devs?

EDIT: And why are other D5 cams like 650D, 100D, M/M2, 700D *not* vulnerable (according to Canon)?

chris_overseas

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #4 on: August 12, 2019, 09:35:01 AM »
Quote
Any word about the fix affecting the key currently used by ML devs?

I doubt this is a concern; the vulnerabilities found aren't related to the firmware encryption. I also wonder if it's even possible for Canon to update the AES key with a firmware update.

Quote
EDIT: And why are other D5 cams like 650D, 100D, M/M2, 700D *not* vulnerable (according to Canon)?

"Even though our camera model doesn’t support Bluetooth, some Bluetooth-related commands were apparently left behind, and are still accessible to attackers. In this case, we found a classic Stack-Based Buffer Overflow" - maybe those cameras don't have the Bluetooth code in their firmware, or different versions of it that aren't vulnerable?
5D Mark IV 1.1.2 | 5D Mark III v1.2.3 | Canon 16-35mm f4.0L | Tamron SP 24-70mm f/2.8 Di VC USD G2 | Canon 70-200mm f2.8L IS II | Canon 100-400mm f4.5-5.6L II | Canon 800mm f5.6L | Canon 100mm f2.8L macro | Sigma 14mm f/1.8 DG HSM Art | Yongnuo YN600EX-RT II

Sapporo

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #5 on: August 12, 2019, 10:14:53 AM »
Quote
I doubt this is a concern; the vulnerabilities found aren't related to the firmware encryption. I also wonder if it's even possible for Canon to update the AES key with a firmware update.

Quote
"Even though our camera model doesn’t support Bluetooth, some Bluetooth-related commands were apparently left behind, and are still accessible to attackers. In this case, we found a classic Stack-Based Buffer Overflow" - maybe those cameras don't have the Bluetooth code in their firmware, or different versions of it that aren't vulnerable?

They are vulnerable according to the CVE. The 7D together with the WFT-E5, on the other hand, isn't mentioned.

chris_overseas

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #6 on: August 12, 2019, 11:48:49 AM »
This quote is an interesting one from a security PoV, and potentially problematic for ML going forwards:

"There is a PTP command for remote firmware update, which requires zero user interaction. This means that even if all of the implementation vulnerabilities are patched, an attacker can still infect the camera using a malicious firmware update file"

Of course this approach requires the secret AES key, but the attackers have demonstrated this isn't too difficult to obtain. The specific vulnerability covering this is https://nvd.nist.gov/vuln/detail/CVE-2019-5995. It's interesting they describe it as a "missing authorization" problem. That seems to imply the fix involves the addition of an authorization step (to the PTP negotiation or call?) rather than an overhaul of the encryption itself. If so then ML shouldn't be impacted, but I think that still remains to be seen.

As a side note, I need to take my 5DIV in for a service this week due to a sticky scroll-wheel. They normally update to the latest firmware as part of the service, so I'll find out soon enough where things stand on the 5DIV at least.

[edit: https://www.magiclantern.fm/forum/index.php?topic=17360.msg219613#msg219613 implies the patch isn't a problem as far as ML is concerned]
5D Mark IV 1.1.2 | 5D Mark III v1.2.3 | Canon 16-35mm f4.0L | Tamron SP 24-70mm f/2.8 Di VC USD G2 | Canon 70-200mm f2.8L IS II | Canon 100-400mm f4.5-5.6L II | Canon 800mm f5.6L | Canon 100mm f2.8L macro | Sigma 14mm f/1.8 DG HSM Art | Yongnuo YN600EX-RT II

kitor

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #7 on: August 12, 2019, 01:47:27 PM »
I asked Eyal Itkin directly, and from what he told me, they tested this only on the 80D. The list of affected cameras was prepared by Canon themselves.
EOS R

names_are_hard

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #8 on: August 15, 2019, 04:55:52 PM »
I was at the conference where this was released, but I didn't attend that talk, sadly (I'll be able to watch the video in a few weeks).

The Scout debugger sounds like it could be useful, but I don't think there's enough info yet for us to use it:
Quote
We can’t say that switching to the WiFi interface worked out of the box, but eventually we had a Python script that was able to send the same exploit script, this time over the air. Unfortunately, our script broke.
[...]
Armed with our new vulnerability, we finished our exploit and successfully loaded Scout on the camera.

So, they had to do quite a lot of work to install a network debugger via an exploit.  Code for Scout is available, but the installation code for Canon isn't.  We can happily run arbitrary code direct from SD so it's easier for us in theory, but we have no expertise with their debugger (which requires working wifi comms to a custom client).  Being able to do live inspection would be pretty cool so it might be worth the effort to get it working - I would suggest doing this on a cam with a nice stable ML implementation first.

71m363nd3r

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #9 on: August 15, 2019, 07:07:55 PM »
The whole process is interesting from my point of view.

a1ex

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #10 on: Yesterday at 09:27:47 AM »
These vulnerabilities are about anyone being able to execute custom code remotely (e.g. via the Wi-Fi network), without user interaction, or even without user knowledge. The same is true via USB, but that's arguably less of a concern, as you'd have to physically connect the cable.

Quote
[edit: https://www.magiclantern.fm/forum/index.php?topic=17360.msg219613#msg219613 implies the patch isn't a problem as far as ML is concerned]

Right. At least on 80D 1.0.3, the portable ROM dumper worked out of the box without any changes (same old FIR file).

Quote
I also wonder if it's even possible for Canon to update the AES key with a firmware update.

They can, by reflashing the bootloader, but that would disable the ability to run previous firmware updates (i.e. it would no longer be possible to downgrade). They did not touch the bootloader in the 80D 1.0.3 update.

Quote
[...] potentially problematic for ML going forwards [...]

The impact, in my opinion, is that it's now harder for Canon to silently ignore us, as we were mentioned quite a few times in the writeup.

Not sure how to proceed from here, though.

nikfreak

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #11 on: Yesterday at 04:46:05 PM »
a1ex, do you expect a negative impact for us? Mentioning ML several times in the article hopefully won't harm future research on upcoming cameras, but my gut feeling says that Canon hopefully won't change anything relevant on existing cameras.

Did anyone from CP contact you?

@Canon if you read this: How about sponsoring ML, please  ;D.
70D.112 & 100D.101

names_are_hard

Re: Canon WiFi vulnerabilities - new firmwares will be released
« Reply #12 on: Yesterday at 06:18:32 PM »
I am not alex, but I am a software security guy, and have worked with bounty programs, bug reports etc extensively.  I can only guess, but I have seen these kinds of reports from both sides and know some patterns in responses.

There's not much technical risk for Canon here, but there is some PR risk.  Tech-wise, their dev teams will hopefully get more time / money to improve quality in networking code, as well as removing the ability to do a silent firmware update without physical access (this last part especially!  Why does PTP allow this?).  This would have no impact on ML.  They may choose to make firmware updates generally more difficult / authenticated to perform, but I would guess not; there's not much value for an attacker in firmware update attacks that require physical access to typically consumer, typically non-networked devices that don't hold business-critical data.  And if you do make updating firmware harder, useful updates are harder as well, with a higher risk (which means higher testing cost) that you accidentally break cams in the field - which customers really hate.  The dev team product manager probably just wants to fix the specific bugs, maybe harden the code in that area, and then get back to the massive backlog of known bugs, feature requests, new versions for new hardware, etc.

*If* management judge the PR hit is sufficiently bad that they need to have a big visible response to reassure customers, then it's more likely ML and other after-market players will see problems.  I don't think this is likely in this case.  It rarely happens with non-networked consumer devices, most buyers simply don't know or don't care, so companies aren't motivated to make changes (which is honestly reasonable; it means buyers get the things they want, cheaper).  With stuff like phones, routers, PCs, there's more media coverage, and the impact is bad enough if it does get exploited, that consumers get scared and management drives bigger changes.

TL;DR - low risk ML gets shut out, but we can only guess.