Researchers crack Nikon image authentication system
Posted on 28 April 2011.
Credibility of photographic evidence may be extremely important in a variety of situations. Courts, news agencies and insurance companies may accept digitally signed photographs as valid evidence. If such evidence is forged, consequences can be severe. The most famous fakes include cases of fraud committed by enthusiast photographers, photo journalists, editors, political parties, and even the US Army.

ElcomSoft researched Nikon's Image Authentication System, a suite that validates whether an image has been altered since capture, and discovered a major vulnerability in the way the secure image signing key is handled. This allowed the company to extract the original signing key from a Nikon camera.

The vulnerability, when exploited, makes it possible to produce manipulated images with a fully valid authentication signature. ElcomSoft was able to successfully extract the original image signing key and produce a set of forged images that successfully pass validation with Nikon Image Authentication Software.

When designing a digital security system, it is essential to implement all parts of the system equally well. The entire system is only as secure as its weakest link. In the case of Nikon's Image Authentication System, the company got at least one thing wrong.

The ultimate vulnerability lies in the way the image signing key is handled. Because the cryptographic signing key is handled inappropriately, it can be extracted from the camera. After obtaining the signing key, one can use it to sign any picture, whether or not it's been altered, edited, or even computer-generated. The signed image will then pass as a valid, genuine piece when verified by Nikon Image Authentication Software.

The vulnerability exists in all current Nikon cameras supporting Nikon Image Authentication, including Nikon D3X, D3, D700, D300S, D300, D2Xs, D2X, D2Hs, and D200 digital SLRs.

ElcomSoft has notified CERT and Nikon about the issue, and prepared a set of digitally manipulated images that pass as originals when verified with Nikon's secure authentication software. Nikon has neither responded nor expressed any interest in the existence of the issue.

