To help us provide you with free impartial advice, we may earn a commission if you buy through links on our site. Learn more

Security hole found in DSLR cameras could let hackers install ransomware and steal your photos

Check Point researchers found the vulnerability via the Picture Transfer Protocol on Canon cameras

Security researchers have discovered a fundamental flaw in DSLR cameras that could leave your photos at risk of hackers.

Experts at Check Point Software Technologies were able to install malware on a Canon DSLR via the camera’s Picture Transfer Protocol software.

The researchers began by searching for and “dumping” the firmware of a free open-source software called Magic Lantern, used by a modding community of Canon owners to add new features to the cameras.

Once obtained, they were able to hunt out vulnerabilities in the cameras themselves; in particular, flaws that could be used by hackers to install malware via the camera’s Picture Transfer Protocol.

This protocol is how the camera transfers images to a computer or other device and uses both USB and Wi-Fi. Once a hacker has access to your camera, they could identify your location via an IP address or from geotagged images; infect PCs and other users on the same Wi-Fi network; and steal photos and then blackmail you for vast sums of money to get your images back. An attack involving what’s known as ransomware.

Lead researcher Eyal Itkin explains in the report, and an accompanying video demonstrating the hack, that the Picture Transfer Protocol is a perfect way to install malware because it’s unauthenticated. It could be passed onto a camera via an unsecured Wi-Fi access point, for instance, potentially making it a widespread attack.

The camera used in the attack was the Canon EOS 80D but it applies to any Canon model using the standardised protocol and could extend to other makes and models of DSLR if their particular firmware was exposed.

Check Point told Canon about the vulnerability at the end of March and the firm confirmed the flaw two months later, on 14 May.

READ NEXT: Best camera 2019

On 8 July, Canon issued a security advisory telling owners to avoid using public, unsecured Wi-Fi networks, to turn off network functions when the camera was not being and to update its latest security patch onto the camera.

This patch was developed in consultation with Check Point and has been approved. The security patch was issued on 6 August. To protect your camera and photos, install this patch as soon as possible. 

Lead image courtesy of Check Point Software Technologies

Read more