Check Point Research, the threat intelligence arm of the company, discovered vulnerabilities in the internationally standardized protocol for the transfer of digital images from camera to PC, known as the Picture Transfer Protocol (PTP).
It is suggested that the Picture Transfer Protocol (PTP) functionality found in DSLRs can easily be exploited, given that PTP is unauthenticated.
Attackers who have already hacked a user's PC can exploit the USB connection to infect the camera. In a report published by Check Point Research, the company details the steps by which a DSLR can be infected with ransomware.
Security firm Check Point Research chose to explore how straightforward it might be for someone with nefarious intent to compromise a camera, and discovered that it wasn't as hard as you might hope. The fact that cameras do not connect to the internet, the primary source of cyberattacks, might make you think they are immune to attacks.
Researchers at Israeli cybersecurity firm Check Point Software Technologies Ltd. say they have found that digital cameras are vulnerable to hacking attacks such as ransomware and malware through their USB and WiFi network connections.
If you use a Canon DSLR and haven't seen a firmware update in a while, it's probably an excellent idea to keep an eye on Canon's support page until you do. Currently, there have been no confirmed cases of these vulnerabilities being used to cause harm, and Canon was informed of the issue long before the public announcement, which gave them some time to fix it.
Though Check Point's research only examined the flaw in Canon cameras, cameras from other manufacturers could be affected as well. It advises users to avoid connecting to unsecured networks such as free Wi-Fi spots, to disable the camera's network functions when not in use, and to update the official firmware via a download from Canon's website.
"As the PTP protocol offers a variety of commands, and is not authenticated or encrypted in any way, he demonstrated how he (mis)used the protocol's functionality for spying over a victim", Check Point stated in a post.