Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wi-Fi Enabled Digital Cameras Easily Exploitable

Posted by Unknown on from the say-cheese dept.

An anonymous reader writes with some news that might make you think twice before getting a network-enabled camera. From the article: "Users' desire to share things online has influenced many markets, including the digital camera one. Newer cameras increasingly sport built-in Wi-Fi capabilities or allow users to add SD cards to achieve them in order to be able to upload and share photos and videos as soon as they take them. But, as proven by Daniel Mende and Pascal Turbing, security researchers with ERNW, these capabilities also have security flaws that can be easily exploited for turning these cameras into spying devices. The researchers chose to compromise Canon's EOS-1D X DSLR camera and exploit each of the four ways it can communicate with a network. Not only have they been able to hijack the information sent from the camera, but have also managed to gain complete control of it."

16 of 96 comments (clear)

  1. Excellent! by ColdWetDog · · Score: 5, Insightful

    Now it should be simple to make a smartphone app to control the camera. Before, you had to get the API from the manufacturer, sign an NDA, often pay money and then pour through the poorly documented mess.

    Progress!

    --
    Faster! Faster! Faster would be better!
  2. Toxic content by Anonymous Coward · · Score: 5, Funny

    Hijacking thousands of vacation pictures may prove fatal to the pirates who steal them, contracting terminal boredom. Meanwhile, spies and celebrities should avoid using cameras with remote access vulnerabilities

  3. Security never was a concern by Nyder · · Score: 3, Interesting

    The makers of the camera's want to produce the cheapest camera for the highest amount of profit possible. Spending money on securing the add features that consumers want (ie. wifi) cuts into the bottom line.

    Will it stop consumers from buying the models? My guess is no.

    What will the camera makers do? Make a new model, same as the old model, but with added security features. Of course, you will pay 50% more for the new "model".

    --
    Be seeing you...
    1. Re:Security never was a concern by Ford+Prefect · · Score: 4, Interesting

      Yes, delete button is right there, and will happily help you corrupt all of your data on the card, in $4000 camera. Thats the point.

      What on Earth are you doing with your cameras? I've been deleting unnecessary photos from cameras for years, as well as using the memory cards for general file storage (somehow I still have no USB memory whatsits) - and I've yet to suffer from any file corruption. I do tend to reformat cards that need emptying rather than mass-deleting files, but that's mainly 'cause it's much quicker that way. I've frequently had full cards that I've pruned photos from so I can take some more. (Experience mainly with Canon dSLRs, but also with Fujifilm, Minolta, Panasonic etc.)

      I suspect my habit of only buying decent memory cards has caught up with me yet again. :-(

      --
      Tedious Bloggy Stuff - hooray?
    2. Re:Security never was a concern by m.dillon · · Score: 3, Informative

      I do sometimes delete photos in-camera, usually three or four out of every 100 or so I take, but generally I recommend (and also for myself) NOT to delete photos in-camera because it's easy to miss things you might want to keep when you try to review pictures on such a small display.

      But I've never had an issue with any of my Canon's corrupting the SD card.

      -Matt

    3. Re:Security never was a concern by m.dillon · · Score: 3, Informative

      EYE-FI SD cards are cool, but storage capacities trail what you can get with a straight storage card. So for example you can get a 16G EYE-FI card, but a SanDisk Extreme SDXC card comes in capacities up to 128G.

      EYE-FI has other problems, including fairly slow WIFI transfer speeds. WIFI tends to drop out unless you are transferring to a storage device on your belt, and a 4G hotspot setup doesn't work very well when you are taking RAWs. I would not rate EYE-FI as a professional-level product, frankly.

      Sometimes quality and dependability trump convenience. My preference is to stick to normal storage cards and not have to worry about some WIFI snafu messing up my ability to take pictures. EYE-FI has its benefits, but it also has a lot of moving parts (software-wise).

      -Matt

    4. Re:Security never was a concern by kwbauer · · Score: 3, Informative

      I don't know how many times i've had to try to recover photos because somebody used the delete button....WTF?

      Yeah. WTF are you talking about. I've deleted individual photos on camera and on the computer with both Nikon's and Canons. I've even added folders and stored photoshop and word docs on them and put them back in the camera and they work just fine. They simply ignore those files (and folders) and remove the space they use from the available space.

      I suggest that the reason you have to recover so many photos is because people, you know, used the delete button and it, you know, performed exactly as advertised: It removed the chosen file from the list of files and added its space back to the free space. Just be glad they didn't implement secure delete functionality.

  4. Things that don't need to be connected to the inte by jazzdude00021 · · Score: 4, Interesting

    Seriously, this is one of them. I love the idea of sharing and all, but we can wait to see your vacation or ...other... pics more than 15 minutes after you take it. A camera does not need to be directly connected to the internet, and all it does is open up potential security flaws. Find a good way to remotely exploit this and next thing you know, you can just take a vacation vicariously, through someone's (unsuspecting) lens. With the way tablets, smartphones etc are going, they can be great and (more) secure gateways to posting things, plus it gives you the chance to *filter* your photos...

  5. Been paranoid since the printers got wifi by eksith · · Score: 4, Insightful

    This trend of making all things that exist wireless can have pretty bad consequences if companies aren't held accountable for what they produce. I'm sorry, it's not hard. It just takes code correctness and some discipline to not take a route only cause it's easy. I'm not naive; I understand being first out of the gate matters, but making that a priority at the cost of some basic security is unacceptable.

    If the programmers aren't delivering on time or creating insecure code, then part of the problem may be management. As Scott Adams wrote today, Management exists to minimize the problems created by its own hiring mistakes. It's some kind of endmic disease that technical people are expected to push through a product quickly first, securely second.

    --
    If computers were people, I'd be a misanthrope.
  6. Re:Things that don't need to be connected to the i by Anonymous Coward · · Score: 5, Insightful

    Interesting, but the article itself mentions a camera body that's meant for professionals who are handed contracts to deliver photos within a time frame following events. (most MAJOR sporting events the photos need to be uploaded from the camera back to a central repo within 4 hours of the event, so they can go to print for the following morning. )

    Saving a few minutes here and there is KEY to getting ahead in that industry.

  7. Re:Things that don't need to be connected to the i by fustakrakich · · Score: 5, Interesting

    On the contrary. When recording the police, it's best to upload live, so when they steal your camera, they don't get the footage.

    --
    “He’s not deformed, he’s just drunk!”
  8. Re:Editors are people who EDIT! by YrWrstNtmr · · Score: 4, Informative

    We can achieve cameras by adding SD cards? What?

    We can achieve adding Wi-Fi capabilities to cameras by adding an SD card, yes.
    Eye-fi. And yes, mine works quite well.

  9. At first glance,homesecurity looks like a cash cow by GoodNewsJimDotCom · · Score: 4, Funny

    The cost for web cams and 100' USB cables is like 20$. So give a home 5 security cameras for $100. Hook em up on their computer and have code that records a buffered state so far back. Or if you're concerned about disk space, attach motion sensors to the recording states. Write some software that allows them to check out their house on their smart phone. Installation shouldn't take more than a a few hours.

    So if you wanted to start your own security system, you'd be back 100$ for 5 cameras/cables. You'd need to write some code, or have someone write it for you, but this is only a one time cost. And you can charge people 45$/month or a one time fee of 500-700$, and that is way cheaper that what is on the market, and what is on the market doesn't let you check your security cameras from your smart phone.

    Home security looks like a cash cow at first glance, what am I missing besides lawyer stuff?

    --
    God spoke to me
  10. Re:Things that don't need to be connected to the i by Ford+Prefect · · Score: 5, Informative

    It takes about 10 seconds to remove the memory card and plug it into a tablet/laptop/whatever. Unless you need photos uploaded essentially as you shoot them (which I suspect woudn't work very well at the same time you were taking new pictures), there is no reason to have the camera able to connect to a network.

    You're kind of assuming the photographer is right next to the cameras - professional wireless whatsits (e.g. Nikon and Canon) are intended for full remote control of multiple cameras. So at a sports event, a photographer might have one down behind the goal with a wide-angle lens, another pointing at the other goal, etc. etc. etc. - all uploading to the photo agency for up-to-the-moment imagery. Newspapers needed things soon, the internet needs it now.

    Still decidedly embarrassing if they are so easily compromised, of course.

    --
    Tedious Bloggy Stuff - hooray?
  11. Not unexpected but... by m.dillon · · Score: 4, Informative

    Not unexpected, but its kinda hard to take candid photos from a hijacked camera when the lens cap is on. And those WIFI systems are not generally left on anyhow.

    I don't understand why they used a 1Dx though, which would require an external WIFI adapter to even have a WIFI capability. I would be more interested in penetration testing something like the Canon 6D which has the WIFI built-in. I fully expect there to be holes, Canon's WIFI software has always been quite primitive and even the new stuff is still quite primitive.

    But if we make enough noise and Canon will fix it in a software update.

    Currently I only use the 6D's built-in WIFI to be able to review pictures in-camera from an android tablet... quite a useful feature. I'm not particularly worried about hijacking there since the Camera's WIFI transmitter has rather limited range. And most of the time the WIFI is turned off anyway since it eats the battery otherwise.

    -Matt

  12. Re:Things that don't need to be connected to the i by Sigg3.net · · Score: 3, Interesting

    So a devious photographer may create an automated wifi entry and corruption script and fire it up on a critical event, walking away with the only usable money shot.

    --
    Defining Statistics and Social Research