Say Cheese - How I Ransomwared Your DSLR Camera

Conference:  Defcon 27



The presentation discusses the process of analyzing and exploiting vulnerabilities in Canon cameras, with a focus on the EOS 80D model. The main goal is to install ransomware on the camera and encrypt all images, potentially leading to a payout from the victim. The presentation also highlights the unique challenges and advantages of working with Canon's proprietary real-time operating system.
  • Canon cameras are a popular target for exploitation due to their widespread use and emotional attachment to stored memories
  • The EOS 80D model was chosen for its support of both USB and Wi-Fi interfaces
  • Canon's proprietary real-time operating system presents unique challenges and advantages for vulnerability analysis
  • The goal is to install ransomware on the camera and encrypt all images, potentially leading to a payout from the victim
  • The presentation also discusses the process of finding new research ideas and the importance of attending conferences and checking new technologies
  • Modding communities like Magic Lantern and CHDK provide an open-source community for reverse-engineering and extending camera functionality
The presenter discusses how their father's Canon camera was the inspiration for this research, as it was a highly valued possession that was taken to important events and carefully protected. This emotional attachment to cameras and the memories they store makes them a prime target for ransomware attacks.


It's a nice sunny day on your vacation, the views are stunning, and like on any other day you take out your DSLR camera and start taking pictures. Sounds magical right? But when you get back to your hotel the real shock hits you: someone infected your camera with ransomware! All your images are encrypted, and the camera is locked. How could that happen?In this talk, we show a live demo of this exact scenario. Join us as we take a deep dive into the world of the Picture Transfer Protocol (PTP). The same protocol that allows you to control your camera from your phone or computer, can also enable any attacker to do that and more. We will describe in detail how we found multiple vulnerabilities in the protocol and how we exploited them remotely(!) to take over this embedded device.But it doesn't end here. While digging into our camera, we found a reliable way to take over most of the DSLR cameras without exploiting any vulnerability at all. We simply had to ask our camera to do that for us, and it worked. This is the first vulnerability research on the Picture Transfer Protocol, a vendor agnostic logical layer that is common to all modern-day cameras. As DSLR cameras are used by consumers and journalists alike, this opens up the door for future research on these sensitive embedded devices.



Post a comment