In this talk we present how to reverse-engineering Canon Powershot digital cameras and take control of most of them to exploit interesting security threats. We present a novel attack method that allows taking control of a digital camera through a compromised memory card. This is a realistic attack scenario, as using the card in unsecured PCs is a common practice among many users. This attack vector leaves users of digital cameras vulnerable to many threats including privacy invasion and those targeting the camera storage (e.g., deletion and ransomware).
To implement the attack we abuse testing functionalities of the in-factory code. We will show how to analyze the code running in the camera's CPUs and find the parts relevant to the attack. We further show how to debug an emulated copy of the firmware in QEMU.
In contrast with firmware-modding projects like CHDK, our method doesn't require as much user interaction or firmware modification, and our techniques are mostly model-independent.
Finally, we show same proof-of-concept attacks launched from the camera to PCs.
In the first video we show how an attacker can backdoor a Canon Powershot digital camera to spread a malware leveraging the .LNK attack (MS08-038,CVE-2010-2568)
In the next two videos we show a owned Canon Powershot digital camera running some proof-of-concept code: