Security advisory for Canon digital cameras related to PTP (Picture Transfer Protocol) communication functions and firmware update functions – Added 6 August 2019
Thank you very much for using Canon products.
An international team of security researchers has drawn our attention to a vulnerability related to communications via the Picture Transfer Protocol (PTP), which is used by Canon digital cameras, as well as a vulnerability related to firmware updates.
(CVE-ID:CVE-2019-5994, CVE-2019-5995, CVE-2019-5998, CVE-2019-5999, CVE-2019-6000, CVE-2019-6001）
Due to these vulnerabilities, the potential exists for third-party attack on the camera if the camera is connected to a PC or mobile device that has been hijacked through an unsecured network.
At this point, there have been no confirmed cases of these vulnerabilities being exploited to cause harm, but in order to ensure that our customers can use our products securely, we would like to inform you of the following workarounds for this issue.
- Ensure the suitability of security-related settings of the devices connected to the camera, such as the PC, mobile device, and router being used.
- Do not connect the camera to a PC or mobile device that is being used in an unsecure network, such as in a free Wi-Fi environment.
- Do not connect the camera to a PC or mobile device that is potentially exposed to virus infections.
- Disable the camera’s network functions when they are not being used.
- Download the official firmware from Canon’s website when performing a camera firmware update.
There is an increase use of PCs and mobile devices in an unsecure (free Wi-Fi) network environment where customers are not aware of the network security. As it has become prevalent to transfer images from a camera to a mobile device via Wi-Fi connection, we will implement firmware updates for the following models that are equipped with the Wi-Fi function.
|These vulnerabilities affect the following EOS-series digital SLR and mirrorless cameras:
|EOS 6D Mark II
|EOS M6 Mark II
|PowerShot SX740 HS
|EOS 7D Mark II*1
|EOS-1DX MK II*1 *2
|EOS 5D Mark III*1
|EOS 5D Mark IV
|EOS 5DS R*1
|PowerShot G5X Mark II
|PowerShot SX70 HS
*1 If a WiFi adapter or a Wireless file transmitter is used, WiFi connection can be established.
*2 Ethernet connections are also affected by these vulnerabilities.
Firmware update information will be provided for each product in turn starting from products for which preparations have been completed.
uniFLOW Authentication issue – Revised 19 March 2019
We have identified a security issue that exists in certain circumstances of using uniFLOW and NT-Ware has issued a hotfix to resolve this. We strongly recommend you run this fix on your system as soon as possible.
There is a possibility of gaining unauthorised access where "Username/Password" is used as authentication or the card learning mechanism is utilised.
This only affects particular versions of the software, when used with these authentication methods:
• uniFLOW V5.1 SRx
• uniFLOW V5.2 SRx
• uniFLOW V5.3 SRx
• uniFLOW V5.4 SR10 (revised hotfix) and above
• uniFLOW 2018 LTS SRx (revised hotfix)
• uniFLOW 2018 v-Releases (revised hotfix)
If you are using uniFLOW V5.1 SRx, uniFLOW V5.2 SRx or uniFLOW V5.3 SRx please contact your authorised reseller or Canon support representative.
Please find instructions to install the hotfix here
We are committed to providing secure solutions to our customers and apologise for any inconvenience this situation has caused. Should you require further information regarding this advisory, please contact your local Canon office, authorised reseller or Canon support representative. If you notice any suspicious activity, please report these immediately to your account manager and IT department.
Fax Vulnerability - Added 31 August 2018
Recently, researchers reported on vulnerabilities found in the communication protocols in the fax functions of certain products. (CVE-ID: CVE-2018-5924, CVE 2018-5925). For information regarding the impact of these vulnerabilities on Canon products equipped with fax functions, please see below:
Based on our review, as they do not employ the colour G3 Fax Protocol exploited by these vulnerabilities, the following products are unaffected: imageRUNNER/iR, imageRUNNER ADVANCE, LASER CLASS, imagePRESS, FAXPHONE, GP and imageCLASS/i-SENSYS series models equipped with fax functions.
MAXIFY and PIXMA series products equipped with fax functions do make use of the Colour G3 Fax Protocol. However, we have not identified any risk of malicious code being executed via the fax circuit or risk to the security of information saved on these devices.
We will continue to monitor this situation and take appropriate action necessary to help ensure the security of our devices.
Spectre and Meltdown CPU Security Vulnerabilities - Added 08 March 2018
Vulnerabilities were recently made public regarding certain CPUs from Intel, AMD and ARM that make use of speculative execution to improve their performance. These vulnerabilities may allow an attacker to gain unauthorised access to areas of private cached memory.
Two variants of the vulnerabilities that use different techniques to exploit the speculative execution functions within the affected CPUs were identified and named. They are CVE-2017-5715, CVE-2017-5753: “Spectre” and CVE-2017-5754: “Meltdown”.
The following Canon external controller products may be impacted by the vulnerabilities. Though there is currently no known way to exploit these vulnerabilities, countermeasures are being prepared so that customers can continue to use our products without concern.
GX300 v2.0, GX300 v2.1, GX400 v1.0, GX500 v1.1
U1 v1.1, U1 v1.1.1, U2 v1.0
Y1 v1.0, Y2 v1.0
A7000 v2.1, A7000 v3.0, A7300 v1.0, A7500 v2.1, A8000 v1.1
A1200 v1.0, A1200 v1.1, A1300 v1.0, A2200 v1.0, A2200 v1.1, A2300 v1.0, A3200 v1.0, A3200 v1.1, A3300 v1.0
B4000 v1.0, B4100 v1.0, B5000 v1.0, B5100 v1.0
F200 v1.21, H300 v1.0
J100 v1.21, J200 v1.21
K100 v1.0, K200 v1.0
Q2 v2.0, Z1 v1.0
The following Canon service may be impacted by the vulnerabilities. Though there is currently no known way to exploit these vulnerabilities, countermeasures were put in place by end of February 2018.
All Canon laser multifunction printers and Canon laser printers and their related software products, except the above-mentioned, are not affected by these vulnerabilities through any known exploitation process. Customers can continue using our products reliably.
Canon is constantly working to ensure the highest level of security is reached in all our products and solutions. We take the security of our customer information seriously and its protection is our utmost priority.
Vulnerability in WPA2 Wi-Fi Encryption Protocol - Added 16 January 2018
Recently, a researcher made public a vulnerability known as KRACKs in the standard wireless LAN (Wi-Fi) encryption protocol WPA2. This vulnerability allows an attacker to intentionally intercept the wireless transmission between the client (terminal equipped with Wi-Fi functionality) and the access point (the router etc.) to perform potentially malicious activity. For that reason, this vulnerability cannot be exploited by anyone outside the range of the Wi-Fi signal or by anyone in a remote location using the internet as an intermediary.
We have yet to confirm that any issues have been encountered by users of Canon products as a result of this vulnerability, however, in order to allow customers to continue using our products with peace of mind, we recommend the following preventative measures:
•Use a USB cable or Ethernet cable to directly connect compatible devices to a network
•Encrypt data transmission from devices that enable encryption settings (TLS/IPSec)
•Use such physical media as SD cards with compatible devices
•Use such settings as Wireless Direct and Direct Connect with compatible devices
As the operation procedures and functions offered vary from device to device, please consult your device’s manual for more details. We also recommend you take appropriate measures for such devices as your PC or smartphone. For information on the appropriate measures for each device, please contact the device’s manufacturer.