Nikon struggles with security problems in photo authentication

A security gap in the authentication function of the Z6 III has forced Nikon to take a drastic step: The service has been temporarily suspended.


Nikon is struggling with security vulnerabilities in photo authentication according to C2PA (Coalition for Content Provenance and Authenticity) that cannot simply be closed. An attentive user of the online forum DPReview managed to uncover a serious vulnerability in the C2PA process of the Nikon Z6 III at the beginning of September 2025. Adam Horshack demonstrated how the integrated multiple exposure function could be misused to bypass the authenticity check. Nikon then announced that it had temporarily suspended the image origin verification service.

Horshack's approach to uncovering the vulnerability was as simple as it was effective: a raw file from any camera without C2PA capability is copied to the memory card of a suitably equipped Z6 III. Within the camera, this foreign image is then combined with a neutral image, e.g. a black one, using the multiple exposure function. The result is alarming: the camera falsely signs the resulting composite image with a valid C2PA certificate, thereby confirming its supposed authenticity. Horshack did not have to crack the camera's cryptographic mechanism to do this; he was simply able to bypass it. He has since even managed to have an obvious AI image, showing a pug as the pilot of an aeroplane, verified as a genuine image. However, this required more effort.


It has since emerged that Nikon cannot create a complete solution on its own. The English-language news portal PetaPixel, in collaboration with Horshack, explained that Z6 III cameras continue to sign images if they were updated in advance but have not been connected to the Nikon Imaging Cloud since. Only a connection to the online service eliminates the possibility of false verification. Online validation tools for C2PA still accept these images as valid because, although it would be possible, the standard procedure does not currently check whether a camera's certificate has been revoked. Nikon itself cannot intervene here.
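The gap described above, as an added example that is not from the article, Nikon or any C2PA tool: a simplified model of a validator with and without a revocation lookup. The record fields, serial numbers, dates and the timestamp policy are constructed assumptions, and the cryptographic check itself is assumed to have been done elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class SignedImage:                     # hypothetical, simplified view of a signed manifest
    name: str
    signature_ok: bool                 # outcome of chain + signature check (done elsewhere)
    cert_serial: str                   # serial of the camera's signing certificate
    trusted_time: Optional[datetime]   # time attested by an independent timestamp, if any

# Constructed revocation list: certificate serial -> time of revocation
REVOKED = {"CAM-0001": datetime(2025, 9, 10, tzinfo=timezone.utc)}

def validate_signature_only(img):
    """Behaviour the article describes: revocation is never consulted."""
    return "valid" if img.signature_ok else "invalid"

def validate_with_revocation(img, revoked=REVOKED):
    """Same check plus a revocation lookup on the signing certificate."""
    if not img.signature_ok:
        return "invalid"
    revoked_at = revoked.get(img.cert_serial)
    if revoked_at is None:
        return "valid"
    # Assumed policy: a signature survives revocation only if an independent
    # timestamp proves it predates the revocation. The camera's own clock does
    # not count, because the signer controls it.
    if img.trusted_time is not None and img.trusted_time < revoked_at:
        return "valid"
    return "revoked"

# Constructed sample inputs
SAMPLES = [
    SignedImage("before_revocation.nef", True, "CAM-0001",
                datetime(2025, 8, 1, tzinfo=timezone.utc)),
    SignedImage("offline_camera.nef", True, "CAM-0001", None),  # camera never reconnected
    SignedImage("other_camera.nef", True, "CAM-0002", None),
    SignedImage("tampered.nef", False, "CAM-0002", None),
]

def compare(samples=SAMPLES):
    """Return (name, signature-only verdict, revocation-aware verdict) per image."""
    return [(s.name, validate_signature_only(s), validate_with_revocation(s))
            for s in samples]

if __name__ == "__main__":
    for row in compare():
        print("%-24s signature-only=%-8s with-revocation=%s" % row)
```

Only the second sample differs between the two validators: it is the case of a camera whose certificate was revoked but which keeps signing because it has not reconnected to the online service.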

A final solution will therefore probably require a firmware update for the Z6 III. Nikon has not yet given a timetable for this. The company emphasizes that it is taking the matter very seriously and wants to restore confidence in its services.


Irrespective of the current security vulnerability, Nikon has been working on developing its own solution for some time. As the company announced on 9 January 2024, Nikon is working on a new watermarking technology in cooperation with Agence France-Presse (AFP). Integrated directly into the firmware of future cameras, this is intended to make the origin and integrity of images verifiable even if conventional metadata has been removed or damaged. However, Nikon has not yet communicated a concrete timetable for the implementation of this function.

However, this development harbours the risk of market fragmentation. While Sony is already cooperating with the Associated Press (AP) and Canon with Reuters, Nikon is now also going its own way with the AFP. Such proprietary, isolated solutions contradict the original aim of the Content Authenticity Initiative (CAI) to establish a universal and manufacturer-independent standard for the verification of image content.

Nevertheless, the AFP sees the cooperation as an important step forward. It sees it as an opportunity to uphold the standards of professional journalism and strengthen the public's trust in visual media. For the global news agency, which is represented in 151 countries, the cooperation represents a decisive step towards safeguarding the credibility of visual material.

(tho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.