Accessing the camera in that mode wasn't as easy as gaining control via FTP or the session ID, according to Mende.
To access the mode, an attacker has to listen for the camera's GUID (Globally Unique Identifier) that is broadcasted obfuscated. The attacker than needs to de-obfuscate the authentication data, disconnect the connected client software and connect to the camera using the PTP/IP protocol, or picture transfer protocol that is used to transfer images to connected devices, according to Mende's presentation.
"We not only can download all the taken pictures, we can also get a more or less live stream from the camera," Mende said. "We've successfully made the camera into a surveillance device."
Attackers are also able to upload pictures to the camera in Utility mode, he said.
Canon has not fixed the vulnerabilities yet, according to Mende, who said he wasn't able to find anyone at Canon willing to listen to him. "The camera is designed to work exactly like this. From Canon's point of view there is probably no bug," Mende said.
"[But] people who use the camera should be aware of this. That's why I'm standing here today without speaking to Canon," he told conference attendees.
Canon EOS-1D X owners should take countermeasures to prevent the attacks from succeeding, said Mende. They should only enable network connections in trusted networks, he said. And users should always use a secure password for trusted WLAN networks, he said.
Canon did not immediately reply to a request for comment.
Sign up for Computerworld eNewsletters.