Quite wonderfully, our new Canon SX740 HS camera we bought last October 2019 has built in ransomware in its firmware. Isn’t that just great?
So today since I had time I decided to update it. Here’s how.
First I googled ‘Canon SX740 HS Upgrade’ and I got to the ‘Powershot SX740 HS Support’ page. Then click Drivers and Downloads for Windows and you’ll see the listing of the Firmware Update 1.02, released less than a month to this day Nov. 13, 2019
True enough reading the Details (which you should always do when doing an update), it says this is to ‘Corrects a PTP communications vulnerability’ and ‘Corrects a vulnerability related to firmware update.‘
I then downloaded the firmware file “sx740hs-v102-win.zip“, file Size : 32864758KB. I unzipped it and it had two items, a ‘update-procedure-pdf‘ folder containing ‘camera-firmwareupdate-en.pdf‘ also in 4 other languages and the actual firmware update file ‘SX740HS102.FIR‘
I read ‘camera-firmwareupdate-en.pdf’ and it described two different firmware update methods. Method 1 involves transferring the SX740HS102.FIR file to the camera via an SD card and Method 2 which involves using an ‘EOS Utility’ software. Since Method 1 was so much more simpler and did not need another Utility software to install I chose that.
Transferring the file to an SD card using Windows 10 proved to be super difficult. I kept getting an error when trying to write the file to my main SD card and a spare one. When I tried to format my spare SD card I would get ‘Disk is write protected’. I tried diskpart and even a free utility but eventually decided to try Ubuntu instead. Using it’s default Disks Utility I was quickly able to reformat it and even re partition it.
Once done transferring the file to my SD card it was just a simple matter of returning the SD card to the camera and then turning it on. Then you click the Menu button and go to the SET UP screen, and choose Tab 5 with the Firmware details underneath. Here you can see it still on Ver. 1.0.1
I then clicked that and this page appeared:
Followed by this:
Press OK and then this.
Overall it only took 3 or 4 minutes tops. It will shut down by itself afterwards. Once I turned it on again it now reports its using Ver 1.0.2
I’ve only taken a few pictures since the update but everything feels normal so far.
Shame on Canon for letting such a goof happen. As per the article that reported the issue it involves up to 33 of their cameras including top of the line EOS and Mark II models.
Updating firmware is not a simple task. Not only does it require an hour or two to focus on it (I spent most of that time dealing with the SD card insisting its not writable), you also have to find time. Finally if you screw up a firmware update there is a very real possibility of ‘bricking‘, or rendering your gadget useless.
I try and avoid firmware updates as much as I can. I only do it when it’s a security update like this one. But if it’s just a feature upgrade, and I don’t really need it, I leave it alone.
Imagine some top photographer’s images being held for ransom because of this. Apparently what happens is the PTP protocol is not secure so someone can upload malware that can encrypt photos then demand ransom from the owner to un encrypt them. I particularly blame camera manufacturers for not applying standard security protocols for their camera operating systems. Transferring files and images securely is a normal daily thing for programmers all over the world. Why couldn’t Canon just use what we normally use? They’re proven to work for decades and are freely available to implement.
Considering how fewer people are buying cameras because of mobile phones, and that competition has always been tough among camera manufacturers to begin with from so many options, Canon can’t afford to drop the ball like this especially with such a basic issue.
Here’s a video from Checkpoint, the company that discovered the issue: