Say Cheese - How I Ransomwared your DSLR Camera
2019-10-22, 14:00–14:45, Europe

It's a nice sunny day on your vacation, the views are stunning, and like on any other day you take out your DSLR camera and start taking pictures. Sounds magical, right? But when you get back to your hotel the real shock hits you: someone infected your camera with ransomware! All your images are encrypted, and the camera is locked. How could that happen?

In this talk, we show a live demo of this exact scenario. Join us as we take a deep dive into the world of the Picture Transfer Protocol (PTP). The same protocol that allows you to control your camera from your phone or computer can also enable any attacker to do that and more. We will describe in detail how we found multiple vulnerabilities in the protocol and how we exploited them remotely(!) to take over this embedded device.

But it doesn't end here. While digging into our camera, we found a reliable way to take over most of the DSLR cameras without exploiting any vulnerability at all. We simply had to ask our camera to do that for us, and it worked.

This is the first vulnerability research on the Picture Transfer Protocol, a vendor-agnostic logical layer that is common to all modern-day cameras. As DSLR cameras are used by consumers and journalists alike, this opens up the door for future research on these sensitive embedded devices.


Outline:

  • Who am I?
  • Motivation
    • People really care about their DSLR cameras
    • Would they pay to get it back?
  • PTP 101
    • Picture Transfer Protocol
    • Does much more than just copying pictures
    • Works over USB and over Wi-Fi
  • Introducing our target:
    • Canon DSLR cameras
    • Modding a camera - Magic Lantern
  • Getting the firmware
    • Firmware update is encrypted
    • ML has a ROM Dumper
  • Starting the RE
    • DryOS RTOS
    • PTP uses unique constants, how nice of it
  • Finding Vulnerabilities
    • ~150 PTP commands
    • Found 5 different 0-days just in this layer
  • Exploiting the vulnerabilities
    • Blind sleep-based debugging didn't work
    • The camera fights back
    • Err 70
    • Blind crash-based exploit development
  • Writing a ransomware
    • Scout Debugger
    • We need some crypto
  • Firmware update has crypto
    • Firmware update
    • Symmetric crypto ?!
    • Extracting the keys
    • Asking the camera to sign our firmware update
    • Win!
  • Live demo of our exploit + ransomware
  • Bonus: PoC of our own firmware update
  • Conclusions
    • Obscurity != Security
    • Don't invent your own crypto
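The outline items "Symmetric crypto ?!", "Extracting the keys", "Asking the camera to sign our firmware update" and "Don't invent your own crypto" all turn on one design point: if a device checks firmware updates with a symmetric key, the key it must store to verify is the same key that produces valid updates, so reading it out of the device is enough to produce updates the device accepts. The Python below is an added illustration of that point, not code from the talk, from Canon, or from Magic Lantern, and it does not model the camera's actual update format. The `hmac_*` functions stand in for a symmetric check and the `rsa_*` functions for a public-key check; the RSA is textbook RSA over SHA-256 with runtime-generated 512-bit keys and no padding, kept here only to show that the verifier holds no secret, and is not fit for real use. All names and the sample images are constructed for the example.

```python
import hashlib
import hmac
import secrets

# --- Pattern 1: symmetric "signing" (HMAC). A device that verifies this way
# must store the key that produces valid tags, so any party that reads the key
# out of the device can produce tags the device accepts. ---

def hmac_sign(image: bytes, shared_key: bytes) -> bytes:
    """Tag an update image with the key shared by vendor and device."""
    return hmac.new(shared_key, image, hashlib.sha256).digest()

def hmac_verify(image: bytes, tag: bytes, shared_key: bytes) -> bool:
    """Device side: needs shared_key, the same key hmac_sign uses."""
    return hmac.compare_digest(hmac_sign(image, shared_key), tag)

# --- Pattern 2: public-key signing. Toy textbook RSA over SHA-256 (no padding,
# demonstration only): the device stores (n, e) and holds no secret at all. ---

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # witness proves n composite
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)); 512-bit keys are for demonstration speed only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # e is prime, so gcd(e, phi) == 1
            break
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                           # modular inverse (Python 3.8+)
    return (n, e), (n, d)

def _digest_int(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")  # 256-bit, so < n

def rsa_sign(image: bytes, private_key) -> int:
    """Vendor side: needs the private exponent d, which never ships on the device."""
    n, d = private_key
    return pow(_digest_int(image), d, n)

def rsa_verify(image: bytes, signature: int, public_key) -> bool:
    """Device side: needs only (n, e); extracting those from the device gains nothing."""
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _digest_int(image)

def demo() -> dict:
    """Contrast the two designs on constructed update images."""
    image = b"constructed update image, build 1"      # constructed sample input
    other = b"constructed update image, build 2"      # never signed by the vendor

    # Symmetric: the key the device stores is sufficient to tag any image.
    shared_key = secrets.token_bytes(32)
    device_stored_key = shared_key                    # what an HMAC-checking device must hold
    vendor_tag = hmac_sign(image, shared_key)
    tag_made_with_device_key = hmac_sign(other, device_stored_key)

    # Asymmetric: the device stores only the public key.
    public_key, private_key = rsa_keygen()
    vendor_sig = rsa_sign(image, private_key)

    return {
        "hmac_vendor_tag_accepted": hmac_verify(image, vendor_tag, shared_key),
        "hmac_tag_made_with_device_key_accepted": hmac_verify(other, tag_made_with_device_key, shared_key),
        "rsa_vendor_sig_accepted": rsa_verify(image, vendor_sig, public_key),
        "rsa_vendor_sig_reused_on_other_image": rsa_verify(other, vendor_sig, public_key),
    }
```

Running `demo()` shows the contrast: both HMAC tags are accepted, because the device's stored key is all that was needed to make the second one, while under the public-key scheme only the vendor-signed image verifies and the public key stored on the device cannot produce a signature for anything else. A real device-side check would additionally use a padded signature scheme (RSA-PSS or an Ed25519-style signature) and authenticate the whole image header, not just its hash.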