Most likely is either extracting the private key from the camera or getting the camera to sign arbitrary data. If the signing isn't part of the sensor die itself there's a bus where the image data gets transferred from sensor to signer, so an attacker can inject arbitrary data onto that bus to get it signed, even though they never actually extract the signing key.