Does the new Zeiss ZX1 pose a security/hacking risk that other cameras don't?

[Dan Wells]

I'm surprised that nobody has brought up the drawback of the new Zeiss - it seems like it might be all too easy to hack (in the negative sense of the term)...

Since it can connect to all manner of cloud services (without a phone), it has to be able to store authentication credentials for those services - you're not going to be typing in incredibly complex passwords every time you send an image to Dropbox or Facebook. Many of those services store credit card numbers, so there is some risk (depending on how well they store the card numbers) that a hacker could steal passwords from the camera and then use them to grab things of real-world value like card numbers... For a pro photographer, a hacker getting into Dropbox or Zenfolio could be disastrous even without stolen card numbers - how about someone deleting your web presence that is stored on a site where you've set the Zeiss to reach an upload folder (but your client projects use the same password). Sure, you have those projects on a drive in your studio, too - but what if you're a wedding photographer and some hacker puts porn in all your client final folders...

We normally don't think of cameras as vulnerable devices, because their connectivity is limited and their operating systems are proprietary. Not really worth the effort - the worst  a hacker could do is break the camera itself with a malicious firmware update.

The ZX1 is exponentially more connected, and it runs (a seemingly standard version of) the most vulnerable operating system there is. Android is a security nightmare even on phones, where there is supposed to be an update mechanism. Internet of Things devices (like the ZX1) have a terrible record of getting updates, and the expected sales of the ZX1 are probably a small fraction of many other devices, simply because of the cost. 

Maybe it's highly locked-down Android, and there's no way to get apps other than Zeiss Camera Control (or whatever they call it) and Lightroom on it, or the way of adding apps is limited and highly vetted by Zeiss.  If not, don't you have to treat it as an unusually vulnerable Android phone (limited updates and security apps) as much as a camera?

[Telecaster]

Yeah, the camera will likely need to be treated as a smartdevice. With all the security issues and risks that entails.

-Dave-

[Kirk_C]

...and it runs (a seemingly standard version of) the most vulnerable operating system there is. Android is a security nightmare even on phones,...

Android is a security nightmare when there's local data stored that's vulnerable. If it doesn't store or cache login data for whatever system or service you're transferring photos it's not creating vulnerable device, conceivably.

...highly locked-down Android...

That's an Oxymoron.

[Dan Wells]

I'd find it hard to imagine that it could avoid caching login data. Imagine having to type in today's complex passwords every time on a screen the size of the original iPhone's, probably with sub-optimal touch response (Zeiss may not be able to get the very best for a product that sells in the tens of thousands - those manufacturers are interested in things that sell in the millions), while holding a camera by the lens...

[Kirk_C]

I'd find it hard to imagine that it could avoid caching login data. Imagine having to type in today's complex passwords every time on a screen the size of the original iPhone's, probably with sub-optimal touch response (Zeiss may not be able to get the very best for a product that sells in the tens of thousands - those manufacturers are interested in things that sell in the millions), while holding a camera by the lens...

I said cache, as in a temporary file. An encrypted stored login should be secure.

I'm on https://forum.luminous-landscape.com which is secure. So could be any connection the camera makes if the users chooses and login to that could be with an encrypted set of credentials.