Exploiting Digital Cameras

Presented at DEF CON 18 (2010), July 30, 2010, 3 p.m. (50 minutes).

In this talk we present how to reverse-engineer Canon Powershot digital cameras and take control of most of them to exploit interesting security threats. We present a novel attack method that allows taking control of a digital camera through a compromised memory card. This is a realistic attack scenario, as using the card in unsecured PCs is a common practice among many users. This attack vector leaves users of digital cameras vulnerable to many threats including privacy invasion and those targeting the camera storage (e.g., deletion and ransomware). To implement the attack we abuse testing functionalities of the in-factory code. We will show how to analyze the code running in the camera's CPUs and find the parts relevant to the attack. We further show how to debug an emulated copy of the firmware in QEMU. In contrast with firmware-modding projects like CHDK, our method doesn't require as much user interaction or firmware modification, and our techniques are mostly model-independent. Finally, we show some proof-of-concept attacks launched from the camera to PCs.

Presenters:

  • Oren Isacson - Exploit Writer and Researcher, Core Security Technologies
    Oren Isacson is an Exploit Writer and Researcher at Core Security Technologies. He has been interested in computer programming since an early age. He has been writing exploits, researching vulnerabilities, and researching exploitation methods for three years. He has written exploits for the Windows, Linux, AIX, Solaris, OpenBSD, and FreeBSD platforms. Previously, he worked as a security consultant doing penetration testing and writing security-related software.
  • Alfredo Ortega - PhD candidate, ITBA
    Alfredo Ortega is a PhD candidate at ITBA (Instituto Tecnologico de Buenos Aires) and Exploit Writer at Core Security. His specialty is Unix exploit writing and low-level reverse engineering, winning contests like Ekoparty Reverse & Go Immunity challenge, and speaking at several high-profile security conferences. You may remember him from such security research as "OpenBSD IPV6 remote exploit", "Smartphone insecurity" and "Bios rootkits II: Son of the rootkit".
