ElcomSoft Co. Ltd., a developer of computer forensics tools, has found a vulnerability in Nikon’s software suite that validates images to ensure that they have not been altered. The vulnerability is in the way the secure image signing key is handled by Nikon’s Image Authentication System. The result is that it is possible to produce manipulated images with a fully valid authentication signature.
ElcomSoft has produced a set of forged images that successfully pass validation with Nikon’s Image Authentication Software. The vulnerability exists in all current Nikon cameras supporting Nikon’s Image Authentication, including Nikon D3X, D3, D700, D300S, D300, D2Xs, D2X, D2Hs, and D200 digital SLRs.
The authenticity of photographic evidence is paramount to everyone, from simple court cases to military operations. Recent history has shown that journalists aren’t imune from doctoring pictures to make a headline. In 2006 Adnan Hajj took a photo in Beirut just after the Israeli bombing. He altered the picture in Photoshop and sent it to Reuters, who then published it. In 2003 Brian Walski, a Los Angeles Times staff reporter, merged two photos together for “greater impact.” He was fired as a result.
Like MD5 it looks like Nikon’s Image Authentication System is a thing of the past.