Photo Forgery: Nikon Image Validation System Cracked

In digital photos, what you see is not always what you get.
Source: SecurityNewsDaily

Take this image, for instance. Can you tell which one's real and which is fake?

Taken by Lebanese photographer Adnan Hajj, the photos captured the aftermath of an Israeli Defense Forces (IDF) attack on Beirut in 2006. But it's hard to tell which one is the original, and which was tampered with.

If you think the one on the right is real, you're dead wrong.

But don't feel too bad — the manipulated photo was good enough to fool Reuters into publishing it. (Reuters was then forced to issue a public apology and cut its ties with the photographer.)

Since then, camera companies have been building software into high-end digital cameras to make it more difficult to manipulate original images.

Now, nearly five years later, a Russian security researcher is showing that that software may itself be easy to alter.

Vladimir Katalov, from the security firm ElcomSoft, has discovered a flaw in Nikon's Image Authentication System, which allows manipulated digital photos to appear completely legitimate and pass validation with Nikon's authentication software.

ElcomSoft researchers were able to extract the obscure image-signing key from a Nikon digital SLR camera, and then use that signing key to publish forged photos that included a "fully valid authentication signature."

The glitch affects all models of Nikon SLR cameras, including Nikon D3X, D3, D700, D300S, D300, D2Xs, D2X and D200, The Register reported.

Because digital photographic evidence is so often relied upon in court, as well as in politics, Katalov says Nikon's image problem could have serious ramifications.

"The existence of this vulnerability proves that image authentication data can be forged, and thus Nikon Image Authentication System cannot and shall not be relied upon," Katalov wrote.

"If ElcomSoft, a small company, has done it, there's no guarantee whatsoever it has not been done before or will not be done after," Katalov added.

Nikon did not return a call for comment.