A few weeks ago we reported on an issue that affects all WiFi-enabled Canon cameras. The WiFi issue could allow someone to steal photos from your camera, or let hackers upload images to the camera. But most alarming: one could take control of your camera and use it as a spy camera (through Live View mode).
German security researcher Daniel Mende discussed the issue again at the Hack in the Box security conference in Amsterdam, again using the Canon EOS-1D X to exemplify the problem. According to Mende, the WiFi implementation Canon featured on the EOS-1D X was not designed with security in mind:
If a photographer uses an insecure network like a hotel Wi-Fi network or a Starbucks network, then almost anybody with a little bit of knowledge is able to download images from the camera
Attackers could access the camera in various ways. For instance, when using the FTP upload mode, everything is sent over the network in clear text (credentials included). That makes sniffing the data easy, and uploaded pictures can be extracted from the network traffic. Moreover, the camera has a DLNA (Digital Living Network Alliance) mode for sharing pictures and videos between devices without requiring authentication:
In this mode, the camera fires up like a network server […] In this mode, it is also not hard to get your fingers on the footage, you just have to browse to the camera and download all images you like.
The camera also has a built-in web server that does require authentication, but the method uses a 4-byte session ID cookie that can easily be overcome with a brute-force attack (using a six-line Python script):
Checking all IDs takes about 20 minutes because the web server is not that responsive […] You could for instance make yourself the author of a photo. That would come in handy when you try to sell them
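For contrast with the 4-byte session ID described above, here is an added example (not Canon's code and not from Mende's talk) of a session table that issues 128-bit random IDs and locks out a client after repeated invalid cookies. The class name, thresholds and client addresses are assumptions made for illustration.

```python
import hmac
import secrets
import time

TOKEN_BYTES = 16        # 128-bit ID, versus the 4-byte ID described above
MAX_BAD_GUESSES = 5     # assumed threshold before a client is locked out
LOCKOUT_SECONDS = 300   # assumed lockout window


class SessionStore:
    """Hypothetical server-side session table for a small embedded web server."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}   # token -> username
        self._bad = {}        # client address -> (failure count, time of first failure)
        self._clock = clock

    def create(self, username):
        token = secrets.token_hex(TOKEN_BYTES)   # CSPRNG output, not a counter or timestamp
        self._sessions[token] = username
        return token

    def _locked(self, client):
        count, since = self._bad.get(client, (0, 0.0))
        if count and self._clock() - since >= LOCKOUT_SECONDS:
            del self._bad[client]                # window expired, forget old failures
            return False
        return count >= MAX_BAD_GUESSES

    def lookup(self, client, cookie):
        """Return the username for a valid cookie, or None."""
        if self._locked(client):
            return None                          # refuse even a correct ID while locked out
        for token, user in self._sessions.items():
            # Constant-time comparison so response timing does not leak a partial match.
            if hmac.compare_digest(token.encode(), cookie.encode()):
                return user
        count, since = self._bad.get(client, (0, self._clock()))
        self._bad[client] = (count + 1, since)   # record the invalid cookie
        return None


def expected_guesses(id_bytes):
    """Average number of guesses needed to hit one valid ID of this size."""
    return 2 ** (8 * id_bytes) // 2
```

Locking out by client address trades brute-force resistance for the risk that someone deliberately locks out a legitimate client, so the threshold and window need tuning for the deployment.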
An attacker could also gain access to the EOS Utility mode and remotely control the camera through the Canon EOS Utility software. Since that software provides Live View functionality, the implications are easy to see. Mende says that Canon was not yet willing to listen to him:
The camera is designed to work exactly like this. From Canon’s point of view, there is probably no bug
Daniel Mende’s full presentation, with all the technical details, can be seen here.