The vulnerability makes it possible to produce images that Canon's own Original Data Security Kit (OSK-E3) will positively validate, regardless of whether the images are in fact genuine.
The Original Data Security system was intended to ensure that images taken with a compatible Canon camera are unaltered in any way and contain the original, valid GPS data. The system was designed to prove image originality as well as the time and place of capture.
The intent of the system was to protect the integrity of images shot as evidence. According to Canon's official announcement, the credibility of photographic evidence is directly linked to its legitimacy when making legal decisions. The Canon data security system is being used by world-leading news agencies, including Associated Press, as an effective means to ensure that each agency’s photo manipulation policies are enforced.
After analyzing Canon hardware, ElcomSoft researchers were able to extract from Canon EOS digital cameras the secret keys used to calculate authentication data, and to use those keys to add authenticity signatures to a set of manipulated digital images.
Images signed with an extracted key are validated as original and authentic by Canon's Original Data Security Kit (OSK-E3).
The vulnerability exists in all Canon cameras manufactured to date that have the security feature.
All current cameras are susceptible: the entire range of consumer cameras (e.g. Digital Rebel XS, also known as EOS 1000D in Europe and Kiss F in Japan), as well as the semi-pro and professional series, including the latest EOS-1D Mark IV.
ElcomSoft is not releasing any technical details. However, the company made Canon aware of the vulnerability by notifying the vendor as well as the CERT Coordination Center as a trusted third party.
Here are some images produced by ElcomSoft that successfully pass authenticity verification: