Five months after discovering vulnerability in Canon’s Original Data Security System, ElcomSoft apparently found a similar problem with Nikon’s Image Authentication System. The system enables users to determine whether an image has been altered after capture, providing proof of image authenticity for the purposes of law enforcement, insurance, and so on. ElcomSoft claims to have identified a major flaw in the manner the secure image signing key is being handled, allowing forged images to pass validation with Nikon Image Authentication Software. “The signing cryptographic key can be extracted from the camera and used to sign any picture, genuine or not,” the company said in a statement, adding that “all past and current Nikon cameras supporting Image Authentication are affected, including Nikon D3X, D3, D700, D300S, D300, D2Xs, D2X, D2Hs, and D200 digital SLRs”.

A number of clearly manipulated images that are claimed to have passed validation with Nikon Image Authentication Software can be viewed online at the website below.

Website: ElcomSoft

Elcomsoft Press Release

ElcomSoft Claims to Have Discovered Vulnerability in Nikon’s Image Authentication System

ElcomSoft Co. Ltd. researched Nikon’s Image Authentication System, a secure suite validating if an image has been altered since capture, and claims to have discovered a major flaw in the manner the secure image signing key is being handled. The original signing key was extracted from a Nikon camera; manipulated images with valid authentication signature were produced. The forged images successfully pass validation with Nikon Image Authentication Software. ElcomSoft asserts that all past and current Nikon cameras supporting Image Authentication are affected, including Nikon D3X, D3, D700, D300S, D300, D2Xs, D2X, D2Hs, and D200 digital SLRs. ElcomSoft notified Nikon and CERT about the issue. No response was received from the vendor.

Moscow, Russia (PRWEB) April 28, 2011

About Nikon Image Authentication System

Nikon Image Authentication enables users to determine whether an image has been altered after being shot. According to Nikon, the system provides proof of image authenticity for the purpose of law enforcement, insurance, businesses, and media agencies.

Background

Credibility of photographic evidence is vital. Courts, insurance companies and the media may accept digitally signed photographs as valid evidence. Many famous fakes were produced by enthusiast photographers, journalists, editors, political parties, and even the US Army.

To address the issue, Canon and Nikon developed image authentication systems. In 2010, ElcomSoft claimed to have found a major security flaw in Canon’s image authentication system, which has not been addressed up to this day.

ElcomSoft believes that a similar vulnerability exists in Nikon’s system, allowing image authentication data to be forged. As a consequence, they believe the system cannot be trusted, and that successful image verification by Nikon Image Authentication Software cannot be treated as proof of authenticity.

The Issue

ElcomSoft believes that the ultimate vulnerability lies in the way the image signing key is being handled. The signing cryptographic key can be extracted from the camera and used to sign any picture, genuine or not. The signed image successfully passes validation with Nikon Image Authentication Software.

About ElcomSoft Co.Ltd.

Founded in 1990, ElcomSoft Co.Ltd. develops state-of-the-art computer forensics tools, provides computer forensics training and consulting services. Since 1997, ElcomSoft has been providing support to businesses, law enforcement, military and intelligence agencies. ElcomSoft tools are used by most of the Fortune 500 corporations, multiple branches of the military all over the world, foreign governments, and all major accounting firms.

Manipulated images passing validation by Nikon Image Authentication Software are available at http://nikon.elcomsoft.com

Your Comments