Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
AI Sony

Nikon, Sony and Canon Fight AI Fakes With New Camera Tech (nikkei.com) 109

Posted by msmash from the moving-forward dept.
Nikon, Sony Group and Canon are developing camera technology that embeds digital signatures in images so that they can be distinguished from increasingly sophisticated fakes. From a report: Nikon will offer mirrorless cameras with authentication technology for photojournalists and other professionals. The tamper-resistant digital signatures will include such information as date, time, location and photographer. Such efforts come as ever-more-realistic fakes appear, testing the judgment of content producers and users alike.

An alliance of global news organizations, technology companies and camera makers has launched a web-based tool called Verify for checking images free of charge. If an image has a digital signature, the site displays date, location and other credentials. The digital signatures now share a global standard used by Nikon, Sony and Canon. Japanese companies control around 90% of the global camera market. If an image has been created with artificial intelligence or tampered with, the Verify tool flags it as having "No Content Credentials."
This discussion has been archived. No new comments can be posted.

Nikon, Sony and Canon Fight AI Fakes With New Camera Tech More

Nikon, Sony and Canon Fight AI Fakes With New Camera Tech

Comments Filter:

  • Comment removed (Score:3, Informative)

    by account_deleted ( 4530225 ) on Monday January 01, 2024 @08:09PM (#64123089)
    Comment removed based on user account deletion

    • Re:AI (Score:5, Informative)

      by thegarbz ( 1787294 ) on Monday January 01, 2024 @08:43PM (#64123133)

      Until someone will use AI to figure out how the signature is embedded, replicate it.

      Are you suggesting AI can now magically guess cryptographic signatures? That would be a real feat for a system that can't count to 5 ;-)

      Honestly if that works then we have far bigger concerns than just images.

    • You don't need to use "AI" at all, all it takes is someone to write the software to forge whatever their authentication is. If it's anything like their previous attempt, which was slightly above the level of a sticker saying "Prease do not folge this image", then I'd give it about a week.

    • Re: (Score:1)

      by rgmoore ( 133276 )

      The whole point of good cryptography is that the algorithm can be widely known without the system being compromised. I'd have to look at their implementation, but this is probably a fairly standard digital signature system. Basically, the camera takes a hash of the image and encrypts it with a private key. Anyone can decrypt the hash with the published public key and compare it to a hash of the file they received. If the two are identical, it's evidence the image hasn't been tampered with.

      Public key c

  • I've used photoshop for almost 30 years. In the past year, they added the generative AI tool. It makes taking out unwanted material from a photograph painless, to a degree. What's to prevent someone from editing a photo, not just snapping a photo and saying it is real.

    • Re:What about edited photos (Score:5, Informative)

      by EvilSS ( 557649 ) on Monday January 01, 2024 @08:14PM (#64123095)
      Presumably editing it would break the cryptographic signature just like any other signed file. Also anyone wanting to verify it would probably ask for the verification to be done against the RAW file.

      • Presumably editing it would break the cryptographic signature just like any other signed file. Also anyone wanting to verify it would probably ask for the verification to be done against the RAW file.

        The security you get from a cryptographic signature is based upon the receiver looking at the message and seeing it as comprehensible. This is a simple thing with text as any additions or deletions to match the hashed value would show up as nonsense. With an image, you can subtly change a few pixels to cause a hash collision with the original image and have it be reported as cryptographically the same but the eye will not notice the 'noise'.

        TL;DR,Using cryptography to sign images is a LOT more tricky than i

    • What's to prevent someone from editing a photo, not just snapping a photo and saying it is real.

      That's. ... well. ... umm... the whole point. Digital signatures verify something hasn't changed. Photoshopping obviously invalidates the signature.

      • >> Photoshopping obviously invalidates the signature.

        As does cropping, rotating, scaling, adjusting contrast, color balance and all the other things that photographers would do to a legit photo before publishing it. So tell me again how this is useful?

        • You have to think of it as proof they shot it, not "the finished pic I sell". It's a chain-of-evidence type thing: "I have the original photo and can prove it was a real photo I shot and then made this other thing from."

        • >> Photoshopping obviously invalidates the signature.

          As does cropping, rotating, scaling, adjusting contrast, color balance and all the other things that photographers would do to a legit photo before publishing it. So tell me again how this is useful?

          Indeed if you edit it in any way its entire provenance is gone. That is actually the whole point. You can cryptographically sign edited images too. Other people not so much.

        • The photographer is supposed to present the unedited original file when questioned in court, not the adjusted publishes.

        • As does cropping, rotating, scaling, adjusting contrast, color balance and all the other things that photographers would do to a legit photo before publishing it.

          Actually no it doesn't. Yeah advanced edits break the signature, but the ones you list as fundamental in the process of creating and displaying an image and are stored as metadata with RAW files, and can be included as part of the signature. This is how Nikon's previous software worked. You could use either the camera or Nikon's software to make the very edits you're talking about without breaking the cryptographic signature, and the software told you that the image properties changed but the content remain

        • It's useful because you can have a digitally signed original file? Mk1 eyeball would be more than enough to compare the original file with the edited and published one if authenticity of a published photo were ever challenged in court.

        • >> Photoshopping obviously invalidates the signature.

          As does cropping, rotating, scaling, adjusting contrast, color balance and all the other things that photographers would do to a legit photo before publishing it. So tell me again how this is useful?

          Is genuinely useful: if the authenticity of your edited photo is questioned, you can provide the original raw and prove it. I maintain the website for a photography contest, the rules say the jury has the right to request the raws in case they want to clear authenticity.

          There is a famous case [extremetech.com] where image forensics had to inspect the raw source and the photographer was finally cleared.

        • Re: (Score:2)

          by bn-7bc ( 909819 )
          Well meby not rotating, but that depends on how the trotation is done, if it is justba question of a param in the header it could potentially not invalidate the signsture depending on how it's done, but yea color balance and other operations that changes the actual pixels will ofc invalidate the signature. But yea a straight md5 signature of the entire file will be invalidated

    • Re: (Score:2)

      by gweihir ( 88907 )

      Any edit will invalidate the signature.

  • Any information on how it works? It could be made secure, by using PKI, although it would need to cope with a camera updating its certificate and signing software. It could also be made obscure, and soon to be cracked.

  • How long until someone reverse engineers this? (Score:3)

    by jcochran ( 309950 ) on Monday January 01, 2024 @08:25PM (#64123109)

    Root problem is that the camera is signing it. Hence, all the crypto is stored in the camera. So, reverse engineering is rather easy.

    • Sony got burnt with the steal of PlayStation5 encryption keys https://arstechnica.com/gaming... [arstechnica.com] so they could have made progresses in protecting the crypto chips.

    • Re: (Score:2)

      by EvilSS ( 557649 )
      I also think this is the major problem with a scheme like this. Usually the owner of the signing cert is inherently trusted (say for code signing of your own programs or signing an email you send), and we build systems to keep other people from gaining access to those certs. In this case, you also would have to find a way to protect the key from the owners of the camera as well. When those owners have control of the physical hardware that is doing the signing, that's a tall order.

      • Re: (Score:2)

        by ls671 ( 1122017 )

        When those owners have control of the physical hardware that is doing the signing, that's a tall order.

        This doesn't make sense. PKI is made to be used by people who have access to the hardware. All you need is a unique cert for each camera which is signed by whatever cert. Somebody hacking a single camera would only get the cert specific to that camera which can easily be revoked.

        • The sentence before the one you quoted explains the problem you are not understanding.

          • Re: (Score:2)

            by ls671 ( 1122017 )

            In this case, you also would have to find a way to protect the key from the owners of the camera as well.

            No you don't, with properly done PKI you don't need to protect that, the key would be unique for each camera and if the camera gets its own specific cert revoked, so does the cert private key and it becomes useless and won't pass validation as properly signed. Again all they need to implement is a specific unique cert for each camera which is signed by whatever cert and the camera obviously doesn't have the private key of the cert used to sign the camera cert. Nobody needs to have to private key of the sign

            • Re: (Score:2)

              by EvilSS ( 557649 )
              You need to protect the cert on the camera FROM THE OWNER THEMSELVES ABUSING IT. Owner finds way to extract, signs fake photos as THAT SPECIFIC CAMERA, which now have a valid digital signature and appear real. Yes you can revoke the cert but you have to know you need to revoke it. If the evil owner is careful and does not make the fraud exceedingly obvious, they could in theory get away with it.

      • Re: (Score:1)

        by rgmoore ( 133276 )

        I don't think this is a huge problem as long as you make the keys specific to each camera. The camera owner can then fake pictures by extracting the key from their camera and using it to sign fakes, but the images are still traceable to their camera. They could also create a signed fake by printing it at sufficiently high resolution and photographing it, which you can never stop. It's not a perfect system, but it substantially raises the bar for creating fakes. The important point is to make fakes trace

        • Re: (Score:2)

          by EvilSS ( 557649 )

          I don't think this is a huge problem as long as you make the keys specific to each camera. The camera owner can then fake pictures by extracting the key from their camera and using it to sign fakes, but the images are still traceable to their camera.

          I agree it raises the bar, but that is a double edge sword since the signed photos would carry more weight as authentic. If the evil owner was careful in how they made the fakes and what they put out (so no bigfoot but realistic, very infrequent, plausable images that are hard to refute without other photos/video of the same event that conflict with them), being signed would lend a lot of credibility to the fake images.

          My big concern here is we end up going in a circle. Today we (general public "we") tend

    • Re: (Score:2)

      by gweihir ( 88907 )

      Well, they can put in a TPM to make it harder, but unless they have the TPM do the signatures, that does not help either. And even TPMs have been broken by now. But TPMs cost money, so my guess would be the signature key is just right there in the firmware, probably obfuscated in some way.

    • Re: (Score:2)

      by HiThere ( 15173 )

      No. The root problem is that Sony and Nikon don't make all the cameras. Are you going to claim that every photo taken with, say, your cell phone, is fake?

      • No. The root problem is that Sony and Nikon don't make all the cameras. Are you going to claim that every photo taken with, say, your cell phone, is fake?

        Are you going to claim they're not?
        The proof will fall on you.
        Other people will doubt your cell photo, you can't just expect them to "trust me bro".

  • Previous attempt at this lasted 6 years (Score:5, Informative)

    by thegarbz ( 1787294 ) on Monday January 01, 2024 @08:40PM (#64123125)

    This is not new. Nikon introduced image authentication with the Nikon D2X back in 2005 that used a digitals signature tied to the camera's sensor to verify the image. The market for this at the time was digital cameras for forensic analysis with the thought at the time that courts needed some proof that an image hadn't been tampered with. Nikon charged an extortionate 200EUR for the software to verify the signature.

    Anyway it was cracked in 2011 at which point a few images were published clearly photoshopped which none the less showed as "authentic" when the digital signature was verified.

    This sounds like very much the same thing except that it appears to be cross platform. Given the original was cracked due to a bug in a camera firmware, the addition of several more companies makes it all the likely that this won't last long either.

    • Re: (Score:3)

      by gweihir ( 88907 )

      Probably only took 6 years because nobody competent was interested. "Secure hardware" is basically a myth these days and a non-secured signature done with a key in firmware should take a competent hardware hacker less than a weekend to get.

      • "Secure hardware" is basically a myth these days and a non-secured signature done with a key in firmware should take a competent hardware hacker less than a weekend to get.

        Except that is quite easily disproven given how there's virtually no attacks demonstrated on TPM or Secure Enclave, and how the vast majority of exploits involving hardware based security involve finding some bugs in implementation of official software to work around. Hardware security is in fact incredibly resilient, even in popular devices with a large number of "competent hackers" looking at it.

        Not only hardware, but software too. You can see that in popular AAA titles with Denuvo taking a really long ti

        • Re: (Score:1)

          by Ed Avis ( 5917 )
          But you don't have to crack the TPM or the secure enclave. You just have to replace the camera sensor with a custom device that outputs the image you want, and if necessary set the camera's date and time or fake some GPS signals. You could even keep the hardware untouched and use a slide duplicator attachment to make an authenticated copy of any image you want.

        • Except that is quite easily disproven given how there's virtually no attacks demonstrated on TPM

          That took me 5 seconds to find with a search on Yahoo! [arstechnica.com] That one took 3 seconds. [wired.com]

          INB4 "Those are side-channel attacks!1!": TPM and the Secure Enclave are designed for remote attestation. Compromising even one of them risks the entire world that depends on them regardless of how that compromise came about. To say nothing about local data that depends on the TPM in the system it's stored on.

          how the vast majority of exploits involving hardware based security involve finding some bugs in implementation of official software to work around.

          Congrats. You just described every hack ever made. Or do you think that every exploit in active use was intentionally

          • That took me 5 seconds to find with a search on Yahoo!

            What part of my post are you having problems with? The word virtually? Or the fact that TPM had held up for 12 years by this point?

            My point remains unchanged. Hardware attacks are insanely difficult to achieve even in the face of competent people who give a shit about this stuff.

        • Re: (Score:2)

          by gweihir ( 88907 )

          Except that is quite easily disproven given how there's virtually no attacks demonstrated on TPM or Secure Enclave,

          Well, if that were true, sure. It is not true, but due to you, as usual, being badly informed and mouthing off.

          • Oh thank god, you should go tell the NSA and CIA who have been desperate to break into iPhones for decades now. You solved it!

  • All it takes is to reverse engineer one camera that makes these signatures and really it only requires to extract the signature key. Say, 1 day max for an experiences hardware hacker.

  • Hasn't Digimarc been doing this for decades?
  • Cropping, contrast / color adjustment, noise filtering, conversion to different file formants, rescaling, are all widely used and necessary to have high quality photos. I don't see how that type of (IMHO harmless) processing can be distinguished from AI manipulation by an embedded signature. It may be possible to for example verify that an image was generated by the New York times, which has some real value but only if the technology is widely used
  • Would be nice if Nikon and Canon released firmware for previous generations of camera to add this functionality. I know mirrorless is what many people are migrating to, but there are some of us sweeping up the legacy equipment out there for cheap. Would it be prohibitively expensive for Nikon to release firmware for the higher-end models with shutters that feature this signature functionality? I'd appreciate that.

    • Re: (Score:2)

      by jaa101 ( 627731 )

      Would be nice if Nikon and Canon released firmware for previous generations of camera to add this functionality.

      The camera needs a secure chip or the ability to sign is easy to reverse engineer. That's not something that can be added with just a firmware update.

      • Re: (Score:3)

        by gweihir ( 88907 )

        Actually, it can be added and such functionality has been added in the past in other contexts. It is, of course, entirely insecure doing that in software. Firmware is far too often crap anyways and the manufacturers do not care. So that is not a hurdle. What is a hurdle is that they will expect you to pay extra.

  • I recall that Canon did add a proprietary system for signing pictures, around 10-15 years ago. However, it needed special parts to verify everything.

    These days, whatever the camera makers do, they need to make a common system. It will take some engineering, and it will take more than just GPG signing the picture info. What would be nice is if there were a way to put picture deltas into the image and sign those, so a picture could start with its initial signature on the RAW data (or PNG/JPEG if image qual

    • Re: (Score:2)

      by micheas ( 231635 )
      And it was broken six years after it was introduced. This was demonstrated by people signing obviously photoshopped images.

      • Exactly. This is why having signing as part of the EXIF standard, so anything, regardless of camera can validate the signature. Downside is who validates that the key on Bob's camera is an actual genuine key from Canon, and not just something used to tack a signature from an AI generated photo or a deepfake? This requires root certificates, a CA system, and a ton of security all the way down (as in root certs in a HSM, etc.) Maybe even a facility for CRLs, so if Charlie's camera is hacked and signatures

    • I recall that Canon did add a proprietary system for signing pictures, around 10-15 years ago.

      You're thinking of Nikon and it didn't need special parts, those were part of every camera of the time introduced with the D2X. You did need special software and Nikon did try and fuck you over with the $200+ price tag for it.

      What would be nice is if there were a way to put picture deltas into the image and sign those

      This is how Nikon's system worked. Any option for adjusting the RAW post processing which was capable via the camera was signed independently. The verification software was able to say if the image content changed or just the image properties like contrast, white balance, saturation, e

      • Re: (Score:2)

        by Zarhan ( 415465 )

        You're thinking of Nikon and it didn't need special parts, those were part of every camera of the time introduced with the D2X. You did need special software and Nikon did try and fuck you over with the $200+ price tag for it.

        Canon did that same too, all the way back. It was a bit of metadata and could be verified using Canon Data Verification Kit. (Three versions, DVK-E1, DVK-E2, OSK-E3). I think it was also phased out because it was based on a key shared across all cameras. I couldn't really find info on

  • and after looking at enough of AI generated images i can tell the difference between AI generated images and actual photos of real people, the AI images will look too perfect, sometimes so perfect it's uncanny looking,
  • This is great and really needed but I worry what happens if someone figures out a way to break it. If it gets broken, then everything that came before it gets invalidated? Maybe every picture validated this way should go into an image bank of non-volatile read only storage, maybe ceramic media. If there is ever any question, then a reference number embedded in the image could be used to retrieve the original.

  • Just make fake image, display it on your laptop and photo laptop screen with this "fake-resistant" camera.
    You can also use GPS jamming technology to fake location, but in most cases it is enough to place your laptop couple of blocks from the place of event you fake.

    • Just make fake image, display it on your laptop and photo laptop screen with this "fake-resistant" camera.

      Obligatory XKCD for you https://xkcd.com/1814/ [xkcd.com]
      It's clear you've never taken a photo of a screen before.

    • you'd need a display that has a couple bits more colour depth than the image sensor in question, and as far as I understand those displays don't exist. High-end Camera sensors now offer 12, 14 or even 16 bits per channel, that is way more than you can expect from any display technology we have, or likely will get, because (other than this application of spoofing image signatures) this kind of technology would be useless and expensive. That said, the technology would only be credible if the audit trail of CA

  • Fundamentally no way to win this one (Score:3)

    by stevenm86 ( 780116 ) on Tuesday January 02, 2024 @06:34AM (#64123893)
    There's a huge long tail on ways to defeating the fundamental idea here. Some are more silly than others, but still. I've had to deal with this problem for a while, and fundamentally there is no way for a camera to be able to authenticate an image with full certainty, since there is no way to establish a root of trust that is rooted in the real world.

    What will happen if I display an AI-generated image on a large TV screen, then take a carefully-framed photo of that screen?

    What about GPS? GPS simulators (with time/date/trajectory replay) are a bit pricey (it's a somewhat niche market) but they definitely exist.

    As for the date/time... unless the camera sets the date/time via GPS, *and* that signal is somehow authenticated (which it isn't, in the civilian world), *and* the camera implements some kind of anti-rollback protection for the RTC, this is going to be a tough one at best (and it's arguably the least interesting piece of metadata to protect).

    And even then, what are the digital signatures really proving? That the given scene was captured by the camera? So what? I could project a mural onto a white wall, or hire actors, etc.

    • ... project a mural onto a white wall, or hire actors ...

      The article clearly states this will counter edited or fake images. Much of the Facebook 'news' about the wars in Israel and Ukraine came from FPS computer games.

      Your plan won't work because the date and location signature will be wrong.

      • Date and location can be spoofed using a GPS simulator. This is a device that generates a fake GPS signal for a given date/time/location/trajectory. Connect an antenna to it and point it at the camera. Select constellation type. Put in a date and some cooridinates. Then point camera at studio or screen.

        Will the photo auth technology raise the barrier for passing off faked RAWs as genuine? Yes. Will it actually provide assurance that a photo is of what is being claimed? Absolutely not.

        Then again, that'

    • Re:Fundamentally no way to win this one (Score:4, Interesting)

      by codebase7 ( 9682010 ) on Tuesday January 02, 2024 @07:52AM (#64123999)
      You forgot the most exploitable thing in the entire chain: Human willingness to believe in the lie. At the end of the day, it doesn't matter if the image is fake. As long as the target is convinced, how they got to that conclusion is irrelevant.

      Just look at the problem this is trying to solve: We can't even get people to validate TLS certs for website connections / software / email / etc. And you think that having a big green lock icon next to an image is somehow going to fix "deepfakes"? Hell, we had to get rid of the lock icon in web browsers. And there are plenty of ways around this proposed solution as to make it just as (un)reliable.

      The problem isn't the software, firmware, or hardware. It's the wetware that refuses to look at reality with any level of objectivity or facts-based reasoning, and then getting violent towards others because of what they thought up on their own.

  • ... digital signatures now share a global standard ...

    I'm guessing this is steganography. So, flip each bit in the image and see if the signature changes. (Aside: One would use changing block-sizes, similar to quicksort, to avoid long byte arrays that don't contain signature data.) After mapping which bits belong to the signature, it's possible to replace all other bits in the image. Cameras having limited processing power means the map is the same (or there will be a not-encoded map number in the signature) for all cameras (with that CPU). Then, generati

  • after all these years, the best we can come up with is still just trusting some server somewhere?

    https://sslmate.com/resources/... [sslmate.com]

Slashdot Top Deals

Life is a healthy respect for mother nature laced with greed.

Close