Canon Security Advisory for EOS DSLRs, Mirrorless and PowerShot Cameras

Canon recently issued a global security advisory relating to the PTP (Picture Transfer Protocol) communication system. The potential vulnerability was detected by Check Point Software Technologies, Ltd.  

What they found was a potential for third-party attacks on a list of around 32 digital cameras that offer Wi-Fi transfer capabilities. These attacks would most likely occur when a camera is connected to a PC or mobile device on an unsecured network.

Here is the official word from Canon:  

An international team of security researchers has drawn our attention to a vulnerability related to communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates. 

(CVE-ID: CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001)

Due to these vulnerabilities, the potential exists for a third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network. 

At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue. 

  • Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used. 
  • Do not connect the camera to a PC or mobile device that is being used in an unsecured network, such as in a free Wi-Fi environment. 
  • Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections. 
  • Disable the camera’s network functions when they are not being used. 
  • Download the official firmware from Canon’s website when performing a camera firmware update. 

There is an increase in use of PCs and mobile devices in an unsecured (free Wi-Fi) network environment where customers are not aware of the network security. As it has become prevalent to transfer images from a camera to a mobile device via a Wi-Fi connection, we will implement firmware updates for the following models that are equipped with the Wi-Fi function. 

These vulnerabilities affect the following EOS-series digital SLR and mirrorless cameras: 

  • EOS-1DX*1 *2
  • EOS 6D Mark II
  • EOS 760D
  • EOS M5
  • EOS-1DX MK II*1 *2
  • EOS 7D Mark II*1
  • EOS 77D
  • EOS M6
  • EOS-1DC*1 *2
  • EOS 70D
  • EOS 1300D
  • EOS M10
  • EOS 5D Mark IV
  • EOS 80D
  • EOS 2000D
  • EOS M100
  • EOS 5D Mark III*1
  • EOS 750D
  • EOS 4000D
  • EOS M50
  • EOS 5DS*1
  • EOS 800D
  • EOS R
  • PowerShot SX70 HS
  • EOS 5DS R*1
  • EOS 200D
  • EOS RP
  • PowerShot SX740 HS
  • EOS 6D
  • EOS 250D
  • EOS M3
  • PowerShot G5X Mark II


*1 If a WiFi adapter or a Wireless file transmitter is used, a WiFi connection can be established.

*2 Ethernet connections are also affected by these vulnerabilities.

Firmware update information will be provided for each product, in turn, starting from products for which preparations have been completed. 

Canon will be issuing security firmware for each affected camera. The Canon 80D is the first camera to receive the firmware. If you have not already done so, make sure to register your camera. Once it is registered, Canon will send you future announcements regarding your product.
