Are WiFi Digicams a Security Vulnerability?
Mike Pasini, The Imaging Resource
(Monday, August 7, 2006 - 17:41 EDT)
Informit emulates a Nikon P1 wireless transfer to a Windows computer to send an executable file as a JPEG. But many other WiFi digicams use the same PTP/IP transfer code as the P1. Is it a problem?
Informit, a site devoted to information technology, has published "Wireless Gadget Vulnerabilities: The Nikon Coolpix P1," a report (http://www.informit.com/guides/content.asp?g=security&seqNum=211&rl=1) detailing the wireless vulnerabilities of the Nikon Coolpix P1 when communicating with a host computer. The report did not discuss connections from the digicam to a printer or router.
After describing the communication sequence between the two devices, the report explains the Multicast Dynamic Naming Service protocol (http://www.multicastdns.org) used to manage the connection. iTunes uses mDNS for its Shared Lists and the Xbox 360 also uses it to connect to systems running the Windows Media Connect service, informit said. But the protocol transmits packets of information in unencrypted plaintext and has no built-in authentication measures.
That prompted informit to monitor and duplicate a picture transfer session using a Linux machine to play the role of the digicam. They were able to create a Denial of Service attack by continually sending the end-of-transfer code to the computer, interrupting any attempt to make a legitimate connection.
They were also able to "capture and replay an image transfer to the host PC," a Windows system. By substituting the image file name, they found they were able to transmit non-Nikon images, including an infected JPEG. They masked a Windows executable known as winshell.exe with a JPEG icon and successfully uploaded it to the host computer.
Informit reported the problem to Nikon via their Web site, they said.
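A host-side check for the masked-executable upload described above, as an added example that is not part of the informit report or of any vendor's transfer software: it inspects the bytes of each received file instead of trusting its name or icon. The file names and byte strings are constructed samples, and the JPEG walker assumes no fill bytes between segments.

```python
import struct

def is_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def is_jpeg(data):
    """True if data starts with SOI and its marker segments lead to start-of-scan."""
    if data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:          # every header segment begins with 0xFF
            return False
        if data[pos + 1] == 0xDA:      # SOS marker: compressed image data follows
            return True
        (seg_len,) = struct.unpack_from(">H", data, pos + 2)
        if seg_len < 2:                # length field counts its own two bytes
            return False
        pos += 2 + seg_len
    return False

def audit_transfer(files):
    """Map each received file name to an accept/reject verdict based on content."""
    verdicts = {}
    for name, data in files.items():
        if is_pe(data):
            verdicts[name] = "reject: Windows executable"
        elif is_jpeg(data):
            verdicts[name] = "accept: JPEG"
        else:
            verdicts[name] = "reject: not a JPEG"
    return verdicts

# Constructed samples: a minimal JPEG header and a minimal PE stub.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
               + b"\xff\xda\x00\x08" + bytes(6) + b"\xff\xd9")
SAMPLE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00" + bytes(20)
RECEIVED = {
    "DSCN0001.JPG": SAMPLE_JPEG,       # genuine picture
    "DSCN0002.JPG": SAMPLE_PE,         # executable sent under an image name
    "DSCN0003.JPG": b"plain text",     # neither format
}

if __name__ == "__main__":
    for name, verdict in audit_transfer(RECEIVED).items():
        print(name, "->", verdict)
```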
While informit limited its warning to the Nikon P1 it emulated, the networking code in the P1 is used by many WiFi digicams, including those made by Canon and Kodak.
Licensed from FotoNation (http://www.fotonation.com), the Picture Transfer Protocol over IP networks, or PTP/IP, code provides key software components allowing the development and integration of both wired and wireless plug-and-play networking into imaging devices that require no or minimal configuration, according to the company. It has also been recently adopted as an international standard by the Camera & Imaging Products Association (http://www.cipa.jp/ptp-ip/index_e.html).
A partial list of PTP/IP cameras published by the gPhoto site (http://www.gphoto.org/doc/ptpip.php) includes the Canon PowerShot SD430; Kodak EasyShare One; and Nikon Coolpix P1, P2, P3, P4 and S6.
Nikon's Wireless Transmitter WT-1 for its dSLRs, in contrast, uses File Transfer Protocol as its transmission protocol, requiring configuration on both the camera and the computer to be able to transfer data.
Rating the Threat
The vulnerability described in the report exists for just the few minutes that the camera communicates with a host computer. This situation would be most compromising in a public area where other devices would be within snooping distance. But it would end as soon as you quit the transfer program (Nikon PictureProject, Kodak EasyShare, Canon ZoomBrowser EX) or shut down your computer.
A lost or stolen WiFi digicam, however, can be mined for its configuration data just like a stolen laptop, compromising the router until its password is changed.
We contacted both FotoNation and Nikon for comment and will update this report with their responses.
Informit is a subsidiary of Pearson Education, a publisher of technology and education content whose partners include Addison-Wesley Professional, Adobe Press, Cisco Press, New Riders, Peachpit Press, Prentice Hall Professional Technical Reference, Que, Safari Tech Books Online and Sams.