The high-end Canon EOS-1D X camera can be hacked for use as a remote surveillance tool, with images remotely downloaded, erased and uploaded, a researcher said during the Hack in the Box security conference in Amsterdam on Wednesday.
The digital SLR camera has a Ethernet port and also supports wireless connection via a WLAN adapter. That connectivity is particularly useful for photojournalists who can quickly upload the photos to a FTP server or a tablet, according to German security researcher Daniel Mende of ERNW.
However, the camera's connectivity was not designed with security in mind, said Mende. "If a photographer uses an insecure network like a hotel Wi-Fi network or a Starbucks network, than almost anybody with a little bit of knowledge is able to download images from the camera," he said.
The camera can be accessed by attackers in a number of ways, Mende said. Because FTP upload mode sends information in clear text, credentials and the complete data transmission can be sniffed, so uploaded pictures can be extracted from the network traffic, Mende said.
The camera also has an DNLA (Digital Living Network Alliance) mode that allows the sharing of media between devices and requires no authentication and has no restrictions, Mende said. DNLA uses the UPnP (Universal Plug and Play) networking protocols for discovery, and media can be accessed via HTTP and XML in DNLA mode, he said.
"In this mode the camera fires up like a network server," Mende said, adding that every DNLA client can download all images from the camera. Because a browser can serve as a DNLA client it's relatively easy to do this, he said. "In this mode it is also not hard to get your fingers on the footage, you just have to browse to the camera and download all images you like," he said.
The camera also has a built-in Web server called WFT server that does have authentication, he said. But the authentication method used has a 4-byte session ID cookie that can easily be overcome via brute force with six lines of Python script, said Mende.
"Checking all IDs takes about 20 minutes because the web server is not that responsive," Mende said. But whoever figures out the ID can get access to stored photos on the device and to camera settings, he said. "You could for instance make yourself the author of a photo. That would come in handy when you try to sell them," Mende said.
Attackers can also gain remote access to the camera's EOS Utility Mode, which comes closest to gaining root access on the camera, Mende said. The utility mode allows users to wirelessly control the camera through Canon's EOS Utility software interface, which provides Live View functionality, movie mode, and the ability to wirelessly transfer images from a camera to a remote computer.
Sign up for CIO Asia eNewsletters.