Your Security Cameras Could Be Snitching On You
New research from Queen Mary University of London and the Chinese Academy of Sciences says that home security cameras could be tipping off thieves as to when nobody is home.
Bad actors don't even need to see live video—they can tell when you're not home simply by looking at how much data a given feed is generating.
They published their findings on Monday at the IEEE International Conference on Computer Communications.
The rise of the smart house has brought with it many conveniences, chief among them the ability to keep tabs on your house when you're away. But with those comforts, come vulnerabilities because it turns out that your home security camera could be betraying you. The very cameras that are supposed to protect your property could be doling out intel to hackers, alerting them to the times that you're away from home.
Security researchers from Queen Mary University of London and the Chinese Academy of Sciences in Beijing detailed their findings in a new paper, "Your Privilege Gives Your Privacy Away: An Analysis of a Home Security Camera Service." They published it Monday at the IEEE International Conference on Computer Communications, taking place from July 6 to 9.
"Once considered a luxury item, these cameras are now commonplace in homes worldwide," Gareth Tyson, a senior lecturer at Queen Mary University of London, and one of the study authors, said in a prepared statement. "As they become more ubiquitous, it is important to continue to study their activities and potential privacy risks."
To conduct their study, the team obtained a dataset from a major home security camera provider in China. The sample covers 15.4 million streams from 211,000 active users and includes a mix of free and paid services. Specifically, the devices are IP home security cameras, which are connected to the internet and don't require a computer to upload streams online. These include cameras from 360, Nest, Netgear, Hikvision, and XiaoMi.
These cameras stream directly to a cloud platform, making all video content available remotely accessible for users without relying on any local storage, the researchers say. Despite the fact that these home video cameras are "unicast" in nature, meaning that the content is only viewable to the owner of the camera, bad actors can passively track the uploaded data to determine whether or not the home is occupied at a given time.
It comes down to the pure volume of data. When the camera uploads video footage to the cloud, there is more data when the camera is recording something moving. The team figured out that burglars could even discern between certain types of motion, including sitting or running.
So if a bad actor sat in a car outside a person's home, they can tell when someone is home based on the upload speed and the amount of data that the camera is generating, all without actually looking at the live feed.
This requires some technical sleuthing, but it's technically possible that a hacker could create a program to automate the process. To combat that risk, camera owners or companies need to pump some random data into their systems so that it's harder for potential burglars to discern a pattern.
"The root cause of the [security risk] is that there is a correspondence between the traffic rate and the working state of the camera," the authors note in their paper. "It is therefore necessary to mitigate this correspondence. They suggest that companies selling the home security cameras should generate random streams to undermine the attacks, the researchers say.
But in the meantime, you can protect yourself by "artificially triggering camera activity to introduce noise" to the data stream, the authors suggest. Just place a moving object, like a clock or a metronome, in front of the camera. In effect, you'll scramble any patterns, making it impossible for the bad guys to come to any conclusions about your whereabouts.
You Might Also Like
