Cameras with Wi-Fi connectivity and a web server are supposed to make it easier to take pictures and upload photo files, but they aren't very secure against attackers. As two team members at security company ERNWGerman language link of Heidelberg demonstrated at the Troopers 13 security conference, some of the communication protocols can be misused to steal and manipulate photos, turning the camera into a spy system.
Daniel Mende and Pascal Turbing used Canon's EOS-1D X as an example. Canon's current flagship DSLR model offers four ways to communicate with a network: FTP, DLNA (Digital Living Network Alliance), WFT (Wireless File Transmitter) and the "EOS Utility Mode", which first uses MDNS and then PTP/IP. Mende and Turbing provided attack scenarios for all of the protocols. Out of the box, the EOS-1D X can connect to a network with an Ethernet cable; it can only use Wi-Fi once a WFT-E6 Wireless File Transmitter has been added.If photos are sent directly to an FTP server, attackers can get a hold of login data by "listening in" on the unencrypted FTP network traffic. For DLNA, which is based on UPNP-AV, XML is used to exchange information via HTTP.
The photos are accessible via HTTP without any authentication required.The camera's Wireless File Transmitter (WFT) is another opportunity for attack. If the transmitter is accessed with a web browser, an AJAX application allows the camera to be controlled – which means that pictures can be taken and downloaded. In this case, there is authentication based on the HTTP basic authentication standard, but once that hurdle is cleared, the session ID consists of HEX characters and is only four bytes long. The 65,536 possible session IDs can be tested in just a few minutes, leaving the web server wide open.
No comments:
Post a Comment