High-end DSLR cameras come with a multitude of features for sharing pictures, but do they really reveal the contents only to their owners? According to security researchers Daniel Mende and Pascal Turbing, digital cameras such as the Canon EOS 1DX can be manipulated to take pictures and upload them without the user's explicit consent.
This particular camera model comes with a built-in server called WFT (Wireless File Transmitter) that can be accessed via a regular browser. It allows the user to control "major functions of the camera," such as getting preview pictures, taking pictures and downloading them to a location the camera has access to.
Access to the server is protected by a username and password combination, but its implementation is far from secure.
"On the first visit the web server asks for the credentials configured on the camera via HTTP Basic Auth. The Basic Auth is only performed once and a session id is used afterwards," reads the report. "Now one could complain about not using HTTPS and the authentication being HTTP Basic and not Digest, so a Man-in-the-Middle can sniff either the credentials or the used session id. But in reality it's worse, you don't need to be in the data stream, as the session id is just 4 bytes long and contains hex characters." This means that an attacker can get in by brute-forcing 65536 different ids.
Even though this type of attack is highly unlikely to take place in your home while connected to your own Wi-Fi network, it may become a reality if you're transferring files via a hotspot you don't control, such as those in public places, parks or hotel rooms, basically any place where you might like to take an interesting photo and upload it to the cloud.
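As an added illustration (not code from the report or the researchers), the following Python quantifies why a 4-hex-character session id is guessable, contrasts it with a 128-bit token, and shows a simple server-side log check for session-id enumeration. The 128-bit floor, the log format and the sample log lines are assumptions constructed for this example.

```python
import math
import secrets
import string
from collections import defaultdict

SESSION_ID_MIN_BITS = 128  # assumed floor for session tokens

def session_id_bits(sid: str) -> float:
    """Rough entropy of a session id, inferring the alphabet from its characters."""
    if all(c in string.hexdigits for c in sid):
        alphabet = 16
    elif all(c in string.ascii_letters + string.digits for c in sid):
        alphabet = 62
    else:
        alphabet = 95  # printable ASCII
    return len(sid) * math.log2(alphabet)

def audit_session_id(sid: str) -> dict:
    """Report keyspace size and whether the id meets the assumed minimum."""
    bits = session_id_bits(sid)
    return {"bits": bits, "keyspace": int(round(2 ** bits)),
            "acceptable": bits >= SESSION_ID_MIN_BITS}

def strong_session_id() -> str:
    """128-bit id from the OS CSPRNG: 32 hex characters instead of 4."""
    return secrets.token_hex(16)

def flag_session_guessing(log_lines, threshold=20):
    """Flag clients that present many distinct rejected session ids,
    the pattern an enumeration of a small id space leaves in server logs."""
    rejected = defaultdict(set)
    for line in log_lines:
        client, sid, status = line.split()
        if status == "401":
            rejected[client].add(sid)
    return sorted(c for c, ids in rejected.items() if len(ids) >= threshold)

# Constructed sample log, one line per request: "client session_id status"
SAMPLE_LOG = [f"192.0.2.10 {i:04x} 401" for i in range(25)] + \
             ["192.0.2.20 0c3f 200", "192.0.2.20 0c3f 200"]

if __name__ == "__main__":
    print(audit_session_id("a1b2"))            # 16 bits, 65536 ids
    print(audit_session_id(strong_session_id()))
    print(flag_session_guessing(SAMPLE_LOG))   # ['192.0.2.10']
```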