Slashdot Mirror


Nikon's Image Authentication Insecure

silanea writes "Elcomsoft claims to have broken Nikon's Image Authentication system which — apparently only in theory — ensures that a photograph is authentic and not tampered with through a digital signature. They were able to extract the signing key from a camera and use it to have a modified image pass the software verification, rendering the rather expensive feature mostly marketed to law enforcement all but useless. So far Nikon has not given a statement. Canon's competing system was cracked by the same company last December."

16 of 106 comments

  1. This is great news by gnick · · Score: 3, Funny

    Whew - I've always hated having to wear a ski mask when I "work". Now I can just claim image tampering.

    --
    He's getting rather old, but he's a good mouse.
  2. The danger of these systems is they appear secure by SuperKendall · · Score: 5, Insightful

    This is great news, because now people will be able to cast doubt on images when there is cause to instead of being told "it's not possible it's a fake, it's signed". You know that if someone cracked it publicly someone else (probably many someone else's) have cracked it in private, and have kept around the ability to forge photographs in case of emergency... that ability is now reduced.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  3. Easy to fake by jdbannon · · Score: 5, Insightful

    Just take a picture of the photo-shopped image with your Nikon camera. Bam! That was sure hard to crack.

    1. Re:Easy to fake by Gordo_1 · · Score: 2

      Ah yes, the ever present analog loophole. How soon before the camera manufacturers come up with a technology that prevents the digital signature from being applied to a picture when a large 2-dimensional plane parallel to the sensor is detected? And how long before some Julian Beever wannabe finds a way around that?

    2. Re:Easy to fake by thegarbz · · Score: 2

      I've heard this before, but how exactly do you propose to do this? Every image taken of a displayed medium be it paper under theoretical perfect lighting, or monitors with theoretical perfect backlight suffers quality issues that make it plainly bloody obvious that the picture was taken of a picture. There's no way around this for a few reasons.

      Firstly, the resolution of cameras will clearly show the defects in the material.
      Secondly, the gamuts of printed paper and displays are smaller than those of the camera sensor and nature, leading to muted colours.
      And thirdly, assuming we have a 10mpxl screen with a perfect backlight and perfect colour reproduction, you'd still suffer a moire effect of the grid on the sensor not lining up with the grid on the display pixels.

      Try this yourself. Take a photo of your monitor and have a look at just how god awful it turns out.

    3. Re:Easy to fake by jdbannon · · Score: 2

      I think you could do a pretty good job with a semi-pro ten color inkjet. The gamut will be near sRGB. You can upscale the image and blur a bit to kill moire. Reducing the camera capture resolution and compression quality a touch would further hide any defects. Most importantly, if you tell a courtroom "Look, the picture looks good and Nikon cameras make magic pictures that can't lie." They are going to say "OK!" not "Why don't we analyze the image gamut and maybe look for double vignetting or warping that isn't quite consistent with a standard Nikon lens." Not only is this possible, it's how everything was actually done not too many years ago. The technique of "Cut up some printed images or film and lay them out to be photographed again" was the way that books, newspapers and magazines were created for many, many years. Do you think pre-1990s National Geographic pictures are too ugly and unbelievable to pass muster in a courtroom?

    4. Re:Easy to fake by jdbannon · · Score: 2

      This is a better objection. But as a rough plan, I'd put on a manual focus lens, and connect the circuitry to an auto-focus lens laid next to it. Tell the camera to focus into the distance, but focus your inline manual lens as you need to.

      And... at this point it's easier probably to use the software crack. The point, though, is that next week there will be a new and "truly unbreakable" version of the software that closes whatever hole was found, but it sure seems like access to the hardware lets you defeat any possible system that could be designed.

  4. Re:Does it really matter? by 0123456 · · Score: 2

    Has there ever been a case whose outcome depended on the authenticity of a digital image?

    If I remember correctly, three or four years ago a driver in the UK got out of a fine because he was able to prove that the photo used as evidence was faked. I don't remember the details, I think he parked in a car park and they tried to claim he overstayed using a doctored photograph as evidence?

  5. Re:The danger of these systems is they appear secu by roc97007 · · Score: 4, Interesting

    I think the authorities will still say "it's not possible it's a fake, it's signed" and it'll be up to the victim (or the victim's lawyer) to know that the signage has been broken.

    The last time I was stopped in a speed trap (on motorcycle), I knew it was coming up (they always put a speed trap in this particular construction zone on weekends because people ignore the temporary "35" signs 'cause there's nobody working on Sunday, but I digress) and had slowed way down before taking the turn, but was waved over anyway. I was pretty sure he'd tracked the (obviously faster) car one lane over instead of me, and said so. He said "the gun can't be wrong, I had a firm lock on you." I can see the stupid radar gun in his hand right there, and it's not like there's a scope on it, or even if he actually had me in crosshairs, that it could tell the difference between a slow moving object in the foreground and a much faster object in the background. I maintained that he could not possibly have locked on me, because he would have read 33 MPH, which is what my speedo was displaying at the time. I said it obviously had "locked" on the car that passed me shortly after the corner. The cop said that this was impossible, radar guns don't make that kind of mistake.

    Well hell, there's a huge body of evidence that radar guns make "mistakes" all the time. I laid out exactly how the error could have occurred, he continued to insist that the gun can't make mistakes. I finally said "ok, whatever. We'll see what the judge says." He went away, talked to his cohorts for awhile, came back and issued me a "verbal warning", let me go. Now, I strongly suspect that if I'd acted like I knew nothing about the technical details of radar guns, I'd have gotten a ticket.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  6. Re:Nikon didn't learn from DRM by fuzzyfuzzyfungus · · Score: 2

    As long as the signing key is unique per-camera (which I would bloody well hope it is, for forensic purposes), "tamper-evident" is arguably good enough, and probably easier to approach (as with any hardware security measure, the approach to the ideal is more or less asymptotic, with price spiking to near infinity as you reach the goal).

    If the camera is tamper-evident, anybody who suspects manipulation of photos ostensibly from that camera can attack the credibility of the camera on technical grounds, just as they might a witness: "Your honor, the camera has probe traces on its 'secure' ROM pins, its private key could easily have signed more shit than John Hancock."

    In such a case, anybody who wanted to use the camera for evidence gathering would be required to maintain physical security around it, as is necessary.

    The problem crops up if the key can be extracted silently, or is shared between multiple cameras. Tamper-proof is optional. Tamper-evident is absolutely necessary, or doubt is cast on every image signed.

  7. Re:Nikon didn't learn from DRM by RightSaidFred99 · · Score: 2

    Yeah, just look at that thriving Xbox 360 pirate game environment.

    With enough effort any DRM can be broken somehow. The only thing the content owner has to do is ensure that it's difficult and/or expensive enough to not be worth it.

    And in case you didn't read the..summary, the camera is supposed to help provide a chain of evidence. Not sure why anyone would put "feature" in double quotes and act like nobody would buy a camera that supports this.

  8. Re:Don't take my Kodachrome away by PopeRatzo · · Score: 2

    Film contains a holographic image

    I didn't know that. Can you point me to any information about this? I'm googling here and not coming up with anything about emulsion negatives containing holograms, but probably because I'm not formulating the search very well.

    If you have any links I'd really appreciate it.

    --
    You are welcome on my lawn.
  9. Re:Don't take my Kodachrome away by $RANDOMLUSER · · Score: 2

    "Kodachrome" is exactly right. I worked in a large (3M) film processing lab (factory, really) back in the early 70's. Probably once a week, the local sheriff or PD would have an officer come by with some SLIDE (chrome) FILM (typically autopsy or crime-scene photos) to process - they'd stand by and watch while their film was processed - maintaining the CHAIN OF CUSTODY at all times, and requiring signatures from workers when the film was out of sight (like in a darkroom). They never had their slides mounted, they'd just walk away with the whole processed roll. I don't know for a fact, but I'd be willing to bet that it's still the standard way to handle film evidence (that really matters) even today - except on NCIS or CSI.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  10. Re:Don't take my Kodachrome away by adolf · · Score: 2

    If you think of the emulsion layer as being a three-dimensional object that has some depth to it, instead of a two-dimensional plane with zero thickness, I believe that you'll find that it is obvious: It will not be exposed equally throughout that depth, and there will be definite and observable paths that the light has followed within the emulsion layer.

    I don't know if I'd call it "holographic," just due to the confusion that the term itself presents in common use (as GP pointed out), but it seems like an adequate and correct description nonetheless.

  11. Re:Nikon didn't learn from DRM by Zerth · · Score: 2

    And also prove you don't have a second camera that has been tampered with to have the same key as the untampered camera?

  12. Re:Nikon didn't learn from DRM by RDW · · Score: 2

    'It is unique per camera, it says so in the press release which I linked in a separate post.'

    I may be missing something, but I can't see this in the press release, so there may well just be a single key. However, every camera model with the image authentication feature also writes its (unencrypted) serial number to an EXIF tag. If image authentication had remained secure, you could have 'proved' which camera took the photo simply by reading the serial number from the metadata of an authenticated image (tampering with the number would invalidate the image).
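
Added example (not part of the thread, and not Nikon's or Elcomsoft's code): the two key-management designs debated in comments 6 and 12, modelled to show how far one extracted key reaches and that a signed serial number cannot be relabelled. HMAC-SHA256 stands in for the signature, since the page does not say which primitive the camera uses; the class names, serials and keys are constructed for illustration.

```python
import hashlib
import hmac

def sign(key, serial, pixels):
    # Tag covers the serial-number field and the image bytes, length-prefixed
    # so the two fields cannot be shifted into each other.
    msg = len(serial).to_bytes(2, "big") + serial.encode() + pixels
    return hmac.new(key, msg, hashlib.sha256).digest()

class SharedKeyVerifier:
    """Every camera signs with the same key (assumed design)."""
    def __init__(self, key):
        self.key = key
    def verify(self, serial, pixels, tag):
        return hmac.compare_digest(sign(self.key, serial, pixels), tag)

class PerCameraVerifier:
    """Key is looked up by serial; a compromised serial can be revoked."""
    def __init__(self, keys):
        self.keys, self.revoked = dict(keys), set()
    def verify(self, serial, pixels, tag):
        key = self.keys.get(serial)
        if key is None or serial in self.revoked:
            return False
        return hmac.compare_digest(sign(key, serial, pixels), tag)

def exposed_serials(verifier, leaked_key, serials, pixels):
    # Serials under which an image signed with the leaked key still verifies.
    return [s for s in serials
            if verifier.verify(s, pixels, sign(leaked_key, s, pixels))]

# Constructed sample data, not real keys or serial numbers.
SERIALS = ["CAM-0001", "CAM-0002", "CAM-0003"]
SHARED_KEY = b"constructed-model-wide-key"
CAMERA_KEYS = {s: hashlib.sha256(b"constructed" + s.encode()).digest() for s in SERIALS}
EDITED = b"constructed edited image bytes"

def demo():
    shared, per = SharedKeyVerifier(SHARED_KEY), PerCameraVerifier(CAMERA_KEYS)
    # The serial is bound: relabelling a signed image breaks verification.
    relabel_ok = shared.verify("CAM-0003", EDITED, sign(SHARED_KEY, "CAM-0001", EDITED))
    leaked = CAMERA_KEYS["CAM-0002"]  # key taken from one camera
    shared_hit = exposed_serials(shared, SHARED_KEY, SERIALS, EDITED)
    per_hit = exposed_serials(per, leaked, SERIALS, EDITED)
    per.revoked.add("CAM-0002")
    after_revoke = exposed_serials(per, leaked, SERIALS, EDITED)
    return relabel_ok, shared_hit, per_hit, after_revoke

if __name__ == "__main__":
    print(demo())
```

With a shared key, one extraction puts every serial in doubt and nothing can be revoked without invalidating every camera; with per-camera keys, the damage is confined to the one serial and ends once that serial is revoked.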