malware-infested Firmware in perm. storage of the camera possible? - General Discussion and Assistance - CHDK Forum  

malware-infested Firmware in perm. storage of the camera possible?

Hello,

I got a question regarding the Canon Digital Ixus 40.

As far as I understand the CHDK project, the modification firmware is "just" copied onto the SD card and is read into the RAM of the camera when it is started.

So, the original firmware in the camera is actually not changed.

My question is if it is theoretically thinkable that somebody flashes a manipulated (malware-infested) firmware into the Ixus 40 itself, in its permanent storage? And such that, when the camera is connected to a PC, malware will contaminate the PC?


And additionally: Is there a way to 100% prove that the firmware which is on the camera is original and not manipulated?

Thanks in advance
Nethaniel

reyalp
Re: malware-infested Firmware in perm. storage of the camera possible?
« Reply #1 on: 03 / April / 2010, 19:16:50 »
Quote
I got a question regarding the Canon Digital Ixus 40.
None of your questions are specific to the ixus 40.
Quote
My question is if it is theoretically thinkable that somebody flashes a manipulated (malware-infested) firmware into the Ixus 40 itself, in its permanent storage?
Of course. The firmware is stored in flash memory, functions exist to write flash memory. Everything else is just details.
Quote
And such that, when the camera is connected to a PC, malware will contaminate the PC?
This might be possible in theory, but it would be extremely difficult, especially to do it silently without user action. USB devices can provide drivers, but Canon cameras do not, so this would be implemented from scratch. CHDK supported cameras use PTP rather than USB mass storage, so autorun tricks aren't available. There is always the possibility of exploitable flaws in one of the drivers somewhere in the USB stack that interacts with the camera.
Quote
And additionally: Is there a way to 100% prove that the firmware which is on the camera is original and not manipulated?
Dump the firmware and compare it with the correct firmware. While it would be theoretically possible for the hacked firmware to detect and intercept this, in practice there's no way it could anticipate every possible variation. To avoid this theoretical possibility, a suitably equipped lab could read the on board flash without running anything on the camera.

Note that some areas of the onboard flash change in normal operation (camera preferences, crash logs, calibration tables etc are all stored there), so you can't just do a straight comparison of a full dump.
Don't forget what the H stands for.
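
The comparison described in the reply above, as an added example that is not part of the original thread: it diffs a dump against a known-good image while skipping the flash areas that change in normal use. The region offsets and the sample images are constructed placeholders; real offsets are model-specific and are not given in the thread.

```python
import hashlib

# Hypothetical layout: (start, end) byte ranges that legitimately change in
# normal use (preferences, crash logs, calibration). Real offsets are
# model-specific and are NOT given in the thread.
MUTABLE_REGIONS = [(0x8000, 0x9000), (0xF000, 0x10000)]

def in_mutable(offset, regions):
    return any(start <= offset < end for start, end in regions)

def static_digest(image, regions=MUTABLE_REGIONS):
    """SHA-256 over the image with the mutable regions zeroed out."""
    buf = bytearray(image)
    for start, end in regions:
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(buf).hexdigest()

def diff_static(reference, dump, regions=MUTABLE_REGIONS):
    """Return coalesced (start, end) ranges that differ outside mutable regions."""
    if len(reference) != len(dump):
        raise ValueError("dump size differs from reference; cannot compare")
    ranges, run_start = [], None
    for off, (a, b) in enumerate(zip(reference, dump)):
        differs = a != b and not in_mutable(off, regions)
        if differs and run_start is None:
            run_start = off
        elif not differs and run_start is not None:
            ranges.append((run_start, off))
            run_start = None
    if run_start is not None:
        ranges.append((run_start, len(dump)))
    return ranges

def make_samples():
    """Constructed 64 KiB images: reference, clean dump, modified dump."""
    reference = bytes((i * 37 + 11) % 256 for i in range(0x10000))
    clean = bytearray(reference)
    clean[0x8010:0x8014] = b"\x01\x02\x03\x04"      # settings changed in use
    modified = bytearray(clean)
    modified[0x1234:0x1238] = b"\xde\xad\xbe\xef"   # change inside the code area
    return reference, bytes(clean), bytes(modified)

if __name__ == "__main__":
    ref, clean, modified = make_samples()
    print("clean dump differences:", diff_static(ref, clean))
    print("modified dump differences:",
          [(hex(s), hex(e)) for s, e in diff_static(ref, modified)])
    print("static digests match (clean):", static_digest(ref) == static_digest(clean))
```

A differing range outside the listed regions is what needs investigation; differences inside them are expected and carry no signal either way.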

Re: malware-infested Firmware in perm. storage of the camera possible?
« Reply #2 on: 04 / April / 2010, 07:50:03 »
Firstly, thank you very much for your detailed answer!

Quote
This might be possible in theory, but it would be extremely difficult, especially to do it silently without user action. USB devices can provide drivers, but Canon cameras do not, so this would be implemented from scratch. CHDK supported cameras use PTP rather than USB mass storage, so autorun tricks aren't available. There is always the possibility of exploitable flaws in one of the drivers somewhere in the USB stack that interacts with the camera.

Honestly I fear I did not fully understand this (English is not my mother tongue).
Would you be so kind as to answer some questions regarding your last post?


"[...]silently without user action[...]" What exactly do you value as user action?

With "USB devices can provide drivers" do you mean that some USB-devices are capable of installing drivers to the PC but Canon cameras cannot? How does this fact affect the problem?

"implemented from scratch" -> would have to be programmed totally from the beginning so the original firmware could not be used as basis?

"CHDK supported cameras use PTP rather than USB mass storage, so autorun tricks aren't available."
You mean, when I connect the camera to the PC, something cannot autorun from the camera?
But if I connect it to the PC I see a "permanent storage" in the Explorer (Vista 32b). Couldn't something autorun from that storage? Or is that just a way for Vista to display that and doesn't have to mean that it's really a mass storage?

About that PTP: When I plugged the camera in via USB, Windows said "installing drivers" (although PTP does not need drivers? hmm). And this happens with every USB slot which the cam was not plugged into before. (As is the case with USB sticks.)

Thanks in advance
« Last Edit: 04 / April / 2010, 14:13:38 by Nethaniel »

reyalp
Re: malware-infested Firmware in perm. storage of the camera possible?
« Reply #3 on: 04 / April / 2010, 18:51:34 »
Quote
"[...]silently without user action[...]" What exactly do you value as user action?
Clicking OK on something, or clicking on a file. Something that requires the user to do something that results in the malware being installed.
Quote
With "USB devices can provide drivers" do you mean that some USB-devices are capable of installing drivers to the PC but Canon cameras cannot?
Yes. Even in the case where USB devices provide their own drivers, you will probably be prompted before installing them.
Quote
How does this fact affect the problem?
A malicious driver would be one obvious approach to spreading malware from a USB device, and this method is not readily available on CHDK cameras.
Quote
"implemented from scratch" -> would have to be programmed totally from the beginning so the original firmware could not be used as basis?
Right.
Quote
Or is that just a way for Vista to display that and doesn't have to mean that it's really a mass storage?
Exactly. The cameras supported by CHDK only support PTP. Autorun is specific to drive type devices. In recent versions of Windows, you are generally prompted before auto-running anything anyway.

For PTP devices, you will be prompted to do something with the content (although you can set a default to always be performed for that device), but this generally does not include running programs.

Actually, this is a bit speculative. I'm not sure what would happen if you hacked PTP to provide an autorun.inf and corresponding .exe.
Quote
About that PTP: When I plugged the camera in via USB, Windows said "installing drivers" (although PTP does not need drivers? hmm). And this happens with every USB slot which the cam was not plugged into before. (As is the case with USB sticks.)
Windows does some configuration for that device (so it can remember your preference of what to do when it is plugged in, for example), but the driver comes from Windows, not the camera.
Don't forget what the H stands for.


 
