Canon DSLRs, mirrorless and compact cameras vulnerable to third-party attack

Canon has just advised users to update the EOS 80D firmware, as the company has been made aware of a vulnerability in the DSLR. More Canon cameras are reported to have the same issue.

Canon issued a security advisory stating that 33 of its cameras, including DSLRs, mirrorless and compacts, are vulnerable to third-party attacks, if connected to a PC or smartphone through an unsecured network.

Bugs inside my viewfinder! I remember my surprise when I first saw them. Tiny little bugs crossing from one side to the other, as if on a Sunday walk. They would usually come out on sunny days, when I was out photographing. I could not get rid of them easily so I learned to live with them, as they usually would not show on the final image captured by my SLRs.

Once, I used a friend’s Rollei SL for a while, and it looked like a colony of mites lived inside it. My old Canon FTb cameras had bugs, as did the two AT-1 cameras I owned, and even my A-1 had them. Those bugs that lived, apparently, on the tiny bits of film debris which were edible gelatine, did not bother me much. That was back in the 70s, last century. Now, modern digital bugs, apparently, do more harm, and if you’re not careful, someone can hijack your Canon camera. That’s what the company says.

33 cameras are vulnerable

The Canon EOS 80D is the first of 33 Canon cameras to receive a firmware update that fixes a vulnerability in communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates. The vulnerability was discovered by an international team of security researchers, who contacted Canon to warn the company of the potential danger.

Canon’s firmware version 1.0.3 for the EOS 80D does two things: corrects a PTP communications vulnerability and corrects a vulnerability related to firmware manipulation. The company says that “whilst the likelihood is small, the vulnerability detected could allow a third-party to access your Canon EOS 80D, if connected to a network. Whilst we are confident that this firmware will prevent the vulnerability, we strongly encourage you not to connect to any network that you don’t trust.”

EOS R and RP are vulnerable too

Professional models like the EOS-1D X, humble DSLRs like the EOS 3000D, modern mirrorless cameras like the EOS R or RP, multiple EOS M models and even some PowerShot models are affected by this problem. Users of the Canon EOS 80D, the first to have a firmware update, received this note: “Canon is always putting customers’ security first. Recently we have been made aware of a vulnerability in the EOS 80D. To resolve this, we have released a new firmware update.”

Although Canon indicates that, “at this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm”, owners of the models affected (see the list published here) should either update the firmware, which is only possible for the EOS 80D now, or follow workarounds for this issue, while waiting for a firmware update for their camera model:

  • Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
  • Do not connect the camera to a PC or mobile device that is being used in an unsecure network, such as in a free Wi-Fi environment.
  • Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
  • Disable the camera’s network functions when they are not being used.
  • Download the official firmware from Canon’s website when performing a camera firmware update.

Beware of unsecure Wi-Fi networks

While some may laugh reading the story, the truth is that there is increased use of PCs and mobile devices in unsecure (free Wi-Fi) network environments where customers are not aware of the network security. As it has become prevalent to transfer images from a camera to a mobile device via a Wi-Fi connection, Canon has decided to implement firmware updates for the models in the list published here, all of which are equipped with the Wi-Fi function. I wonder if we will see a similar move from other camera companies soon.

The cameras receiving a firmware update

So, if you’re a Canon user, have any of these cameras and use it to share images through a live connection to a smartphone, tablet or laptop, beware that someone can “enter your camera” and, as Canon suggests, exploit the vulnerabilities to “cause harm”. Canon does not explain what type of harm, but I believe it’s different from the mites in my cameras eating little bits of gelatin. This makes me leave readers with a last question: has your camera been hacked?

Journalist, writer and photographer since 1979, both print and online, with a vast experience in the fields of photography, software, hardware, web, aviation, History, video games, technology, having published content in almost all Portuguese newspapers…