Stealing photos and spying: backdoors to networked cameras
Cameras with Wi-Fi connectivity and a web server are supposed to make it easier to take pictures and upload photo files, but they aren't very secure against attackers. As two team members at security company ERNW of Heidelberg demonstrated at the Troopers 13 security conference, some of the communication protocols can be misused to steal and manipulate photos, turning the camera into a spy system.
Daniel Mende and Pascal Turbing used Canon's EOS-1D X as an example. Canon's current flagship DSLR model offers four ways to communicate with a network: FTP, DLNA (Digital Living Network Alliance), WFT (Wireless File Transmitter) and the "EOS Utility Mode", which first uses MDNS and then PTP/IP. Mende and Turbing provided attack scenarios for all of the protocols. Out of the box, the EOS-1D X can connect to a network with an Ethernet cable; it can only use Wi-Fi once a WFT-E6 Wireless File Transmitter has been added.
If photos are sent directly to an FTP server, attackers can get hold of login data by "listening in" on the unencrypted FTP network traffic. DLNA, which is based on UPnP AV, uses XML to exchange information via HTTP. The photos are accessible via HTTP without any authentication required.
The camera's Wireless File Transmitter (WFT) is another opportunity for attack. If the transmitter is accessed with a web browser, an AJAX application allows the camera to be controlled – which means that pictures can be taken and downloaded. In this case, authentication is based on the HTTP basic authentication standard, but once that hurdle is cleared, the session ID consists of hex characters and is only four bytes long. The 65,536 possible session IDs can be tested in just a few minutes, leaving the web server wide open.
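As an added illustration of the session ID weakness described above (not code from ERNW, Canon or the original article), the Python sketch below shows why an ID space of 65,536 values is exhausted in minutes, and how a web server can instead issue 128-bit random IDs and lock out clients that submit invalid ones. The request rate, token length, lockout threshold and all names are assumptions.

```python
import secrets
from collections import defaultdict

HEX_CHARS_WEAK = 4     # four hex characters: 16**4 = 65,536 IDs, as in the article
TOKEN_BYTES = 16       # assumption: 128-bit IDs for the hardened variant
MAX_BAD_GUESSES = 5    # assumption: invalid IDs tolerated per client before lockout


def seconds_to_exhaust(hex_chars: int, guesses_per_second: float) -> float:
    """Worst-case time to try every ID of the given length at a given rate."""
    return 16 ** hex_chars / guesses_per_second


class SessionStore:
    """Issues unpredictable session IDs and throttles clients that guess."""

    def __init__(self):
        self._sessions = {}             # session ID -> user name
        self._bad = defaultdict(int)    # client address -> invalid IDs seen
        self.alerts = []                # clients locked out for guessing

    def login(self, user: str) -> str:
        sid = secrets.token_hex(TOKEN_BYTES)   # CSPRNG output, 32 hex characters
        self._sessions[sid] = user
        return sid

    def lookup(self, client: str, sid: str):
        """Return the user for a valid ID, else None; lock out repeat guessers."""
        if self._bad[client] >= MAX_BAD_GUESSES:
            return None                 # locked out, even if the ID is valid
        user = self._sessions.get(sid)
        if user is None:
            self._bad[client] += 1
            if self._bad[client] == MAX_BAD_GUESSES:
                self.alerts.append(client)     # surface for logging or alerting
        return user


if __name__ == "__main__":
    # Assumed rate of 200 requests per second against the weak ID space.
    print(f"{seconds_to_exhaust(HEX_CHARS_WEAK, 200) / 60:.1f} minutes")
```

At the same assumed rate, a 32-character ID cannot be exhausted in any practical time, and the lockout means enumeration attempts show up as alerts long before the space is covered.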
The "EOS Utility Mode", which helps the camera connect to Canon software, is also far from invincible. MDNS is first used to find the camera; the Utility Mode then communicates using PTP/IP (Picture Transfer Protocol over Internet Protocol) to make a connection and share login information. Mende and Turbing say they have managed to get around authentication in this case as well.
Mende has announced in a blog post that the team will release more information soon on how these cameras with networking capabilities can be attacked. This will be a bumpy ride for manufacturers of networked cameras, and those who own such cameras should, of course, refrain from connecting to a wireless network they're not familiar with.