Russian Software Firm Breaks Canon’s Authenticity Verification, Big Time

Dmitry Sklyarov of Russian software company ElcomSoft announced yesterday that the encryption system used by Canon to prove the authenticity of photographs is flawed and unfixable. This is the system that’s used to prove that images were not altered after being captured by the camera, and has applications in things such as court cases.

To prove their point, ElcomSoft published a series of ridiculous and obviously “Photoshopped” images (e.g. the astronaut planting a Soviet flag seen above) that all correctly pass Canon’s authenticity verification.

This proves that UFOs are real, and possibly spawn from Mount Fuji.

Stalin actually introduced the iPhone decades ago, but the world just didn’t notice.

If you didn’t think this is what the Statue of Liberty looked like, you probably weren’t paying attention when you saw it in the past.

In the announcement, ElcomSoft writes,

The credibility of photographic evidence becomes vital in numerous situations for insurance companies and courts, as they may accept digital image as indisputable evidence if it can be proven genuine. However, the discovered vulnerability in Canon Original Data Security system proves that verification data can be forged and, thus, the whole verification system cannot be relied upon.

To learn more about the technical details behind this hack, head on over to the announcement.

OSK-E3 is proved useless (via Boing Boing)

  • ac

    This can’t be good. Hopefully this doesn’t get released in the mainstream, or there’ll be trouble. ;)

  • BigTallGates

    I’ve seen it elsewhere already.

    It’s good that it’s out there. If you were in court framed by a doctored Canon photo, you’d be happy that you could prove it.

  • Richard Horsfield

    It’s not good that they cracked it, but it is good that we know it can be hacked. As BigTallGates said, if your life/freedom/reputation was in doubt due to a “doctored” image at least you are now able to suggest that it’s not a real image.

  • Rick Lewis

    This is not good news but I’m glad they went public. Canon needs to fix this ASAP.

  • Dadsasd

    w DUPE niemozliwe!!

  • 5D Mark II TEAM

    Hi Michael, why was our previous comment deleted? it had no link, no spam, just a real situation that Canon should fix that we already reported to them and is affecting lot of users.

    Thanks in advance.

  • Michael Zhang

    Hey, it doesn’t look like you left a previous comment here… We checked both Disqus and our email notifications, and couldn’t find it. Are you sure you left it here?

  • 5D Mark II TEAM

    Really sorry! Ours sincere apologizes. The comment was posted on other topic.

    Please feel free to delete the above and this one.

    Thanks a lot for your really fast response!

  • Michael Zhang

    Haha, it’s okay… we’ll just leave them. Glad you figured out what happened =)

  • Steve Hoefer

    This -is- good news. False security is a lot more dangerous than no security at all.

    It also shows why its important to have third parties to vet security measures. It sounds like Cannon (which is in no way a security company, despite their fantastic cameras) thought it could create something secure by simply keeping it secret. This is an amateur mistake.

  • ktos.

    He talked about it, two days ago on Confidence in Prague.

  • faceleg

    Proving something possible is enough, they don’t need to release the source code.

  • faceleg

    What? You mean adding an attribute is_secure=true isn’t enough??

  • raj

    And why couldn’t Canon use regular digital signature system for this? SHA1 or similar hash from the image signed with the camera-specific private key by a commonly used crypto chip (like the one used on crypto cards that store X.509 certificates) built into the camera… what else would you need?

  • Pingback: Cool Links #103: The One About the Storm Before The Calm « TEACH J: For Teachers of Journalism And Media()

  • Pingback: Water St in Oregon « The Voices Inside My Headphones()

  • Pingback: Nikon Image Authentication System Cracked Just Months After Canon’s()