Privacy fears over home security cameras as Wi-Fi signals can be hacked by criminals to tell when people are home or not
- Homeowners are being put at risk by the rise of hi-tech home security cameras
- These devices stream video when motion is observed and upload it to the web
- Attackers can track uploaded data without inspecting any of the content itself
- Patterns in these upload times can suggest whether the homeowner is out or not
Cyber criminals can work out if people are away from home by examining information transmitted over Wi-Fi by home security cameras, say scientists.
Internet-connected security cameras that track potential burglars, such as Google’s Nest Cam and Amazon’s Ring range, can be interfered with by attackers.
These devices, which are becoming an increasingly common feature of people’s homes, generate huge amounts of hackable personal data.
UK and Chinese researchers got access to a data set of smart home camera uploads from an undisclosed device maker.
They found online traffic generated by the cameras, which are often triggered by motion, could be monitored and used to predict when a house is occupied or not.
A lack of traffic throughout a working day could indicate that a homeowner is out, for example, leaving the home vulnerable to a burglary if linked with address data.
Scroll down for video
Researchers from the Chinese Academy of Sciences and Queen Mary University of London tested if an attacker could infer privacy-compromising information about a camera’s owner from simply from tracking the uploaded data passively without inspecting any of the video content itself
IP home security cameras are internet-connected and can be installed in homes. Many have the ability for owners to remotely monitor them online via a Wi-Fi link.
This connection — and when it is activated — can be hijacked by hackers, even if the content of the videos is encrypted.
These cameras are growing in popularity and the global market is expected to reach $1.3 billion by 2023.
‘Once considered a luxury item, these cameras are now commonplace in homes worldwide,’ said Dr Gareth Tyson, a senior lecturer of internet data science at Queen Mary University of London, who worked with researchers at the Chinese Academy of Sciences in Beijing.
‘As they become more ubiquitous, it is important to continue to study their activities and potential privacy risks.
‘Whilst numerous studies have looked at online video streaming, such as YouTube and Netflix, to the best of our knowledge, this is the first study which looks in detail at video streaming traffic generated by these cameras and quantifies the risks associated with them.
‘By understanding these risks, we can now look to propose ways to minimise the risks and protect user privacy.’
Although the term ‘Internet of Things’ (IoT) first appeared in 2005, there is still no widely accepted definition.
The term generally describes a concept where normal everyday objects that are becoming connected to the internet.
IoT includes gadgets bought by consumers, as well as products and services designed for businesses to help machines ‘communicate’ with each other.
Nearly anything can be turned into an IoT device—from watches to fridges and lightbulbs.
The majority of internet traffic is now video, dominated by the likes of Netflix, YouTube and live e-sports service Twitch, the researchers say.
However, the advent of low-cost internet-enabled cameras has resulted in ‘the arrival of a rather different type of video streaming service’.
While Internet of Things (IoT) home security cameras were once considered a luxury, they have since entered the mainstream and brought fresh privacy and security concerns with them.
Home security cameras follow an on-demand model, where video is only streamed when a user requests it, or when motion is observed.
Researchers used data from a ‘major’ home internet protocol (IP) security camera provider, which the team wouldn’t disclose to MailOnline.
‘We signed an NDA [non-disclosure agreement] when analysing their data,’ Dr Tyson said.
‘Basically, this company shared data allowing us to characterise the scale of the problem across hundreds of thousands of users.’
The data set covered 15.4 million streams from 211,000 active users and contained a mix of free and premium users.
Internet-connected security cameras to track potential burglars, such as Google’s Nest Cam and Amazon’s Ring range, can be interfered with by attackers
Assuming the role of the attacker, the scientists evaluated the potential privacy risks for users of the increasingly popular security devices.
Researchers tested if a real-life attacker could gather privacy-compromising information about a camera’s owner from simply tracking the uploaded data passively without inspecting any of the video content itself.
TIPS FOR SMART HOME CAMERA USERS
Change any passwords: Many wireless cameras have weak default passwords, such as ‘admin’.
Set a secure password connecting three random words that you’ll be able to remember.
Keep your camera updated: Not only does this keep your devices secure, but it often adds new features and other improvements.
If in doubt, unplug it or turn it off: No one wants to have to worry about someone snooping in on their home, so deactivate the camera if you’re at all concerned.
If you do not use the feature that lets you remotely access the camera from the internet, it is recommended you disable it.
Attackers could detect when the camera was uploading motion and even distinguish between certain types of motion, such as sitting or running, they found.
This was done without inspecting the video content itself but, by looking at the rate at which cameras uploaded data via the internet.
Scientists even discovered that future activity in the house could be predicted based on past traffic generated by the camera, which could leave users more at risk of burglary by discovering when the house is unoccupied.
An attacker with access to this ‘passive network data’ may be able to infer the camera owner’s household activity by inspecting home security camera traffic.
For example, a camera consistently uploading motion-triggered video at 6pm might indicate that family members arrive home at that time.
The team found that premium users are more vulnerable to privacy risks due to their heavier usage and the exclusive availability of the motion detection mode, which was not available for normal users.
‘Home security cameras have become a commodity which will likely increase in usage,’ the researchers conclude in their report.
‘As they are often placed in intimate locations, it is important we continue to investigate their activities and potential risks.’
The findings are being presented at the virtual IEEE International Conference on Computer Communications this week.
According to Javvad Malik, security awareness advocate at KnowBe4, smart home camera firms should implement their own layered controls to ensure that IoT devices aren’t accessible from the public internet.
Consumers, meanwhile, can ‘harden’ them where possible by changing default passwords.
Consumers should also review whether all of their IoT devices are essential or simply ‘nice to haves’.
‘It could be the difference between suffering a security incident or not,’ Malik told MailOnline.
Boris Cipot, senior security engineer at Synopsys, said there is currently no standard around the minimum data security and access requirements that IoT devices need to satisfy before they hit the shops.
‘While the users do need to be encouraged in configuring security settings based on their risk appetite, users cannot be expected to be security experts,’ Cipot told MailOnline.
‘Responsibility ultimately falls to device manufacturers who must provide devices that don’t require users to actively configure their devices to be secure.’
WHICH SMART HOUSEHOLD GADGETS ARE VULNERABLE TO CYBER ATTACKS?
From devices that order our groceries to smart toys that speak to our children, high-tech home gadgets are no longer the stuff of science fiction.
But even as they transform our lives, they put families at risk from criminal hackers taking advantage of security flaws to gain virtual access to homes.
A June 2017 Which? study tested whether popular smart gadgets and appliances, including wireless cameras, a smart padlock and a children’s Bluetooth toy, could stand up to a possible hack.
The survey of 15 devices found that eight were vulnerable to hacking via the internet, Wi-Fi or Bluetooth connections.
Scary: Which? said ethical hackers broke into the CloudPets toy and made it play its own voice messages. They said any stranger could use the method to speak to children from outside
The test found that the Fredi Megapix home CCTV camera system operated over the internet using a default administrator account without a password, and Which? found thousands of similar cameras available for anyone to watch the live feed over the internet.
The watchdog said that a hacker could even pan and tilt the cameras to monitor activity in the house.
SureCloud hacked the CloudPets stuffed toy, which allows family and friends to send messages to a child via Bluetooth and made it play its own voice messages.
Which? said it contacted the manufacturers of eight affected products to alert them to flaws as part of the investigation, with the majority updating their software and security.
Source: Read Full Article