Nikon’s C2PA Signature Problems

Nikon has had to pull the plug on one of the Z6 III’s headline features after a serious problem came up. The big firmware update in late August introduced C2PA support, a system meant to verify whether a photo is authentic or altered. But photographer Adam Horshack found a way around it almost immediately. Nikon has now suspended the service, revoked all existing certificates, and emailed users to say the feature won’t come back until the vulnerability is properly fixed.

Horshack’s discovery showed just how shaky things were. At first, he proved the Z6 III could sign files that weren’t even taken with a certified camera. Then he went a step further, creating a fully AI-generated photo (in this case, a pug flying an airplane (seen above)) and managed to get it signed and validated by Nikon’s system. He pulled it off by embedding the AI image into a Nikon NEF file and using the camera’s multiple exposure function, essentially tricking the system into treating it as a real shot. The scary part is that most validation tools showed the fake as legitimate.

For now, suspending the service only stops new users from adding certificates. Those who already have them can still sign images if they avoid syncing their cameras with Nikon’s cloud. The bigger issue is that most of the current validation tools don’t check whether a certificate has been revoked, so fakes can still slip through unless you dig deeper. Nikon is expected to release another firmware update to patch the hole soon.