Burglars could spy on you using your home security cameras, according to researchers from Queen Mary University of London (QMUL) and the Chinese Academy of Science. Criminals could tell when someone was at home without watching the footage. The reason is that the cameras uploaded data in unencrypted form, which increases in size when a camera is recording something moving. This type of information could allow criminals to differentiate various types of motion, such as sitting or running. The research utilized data from a large Chinese manufacturer of connected Internet Protocol (IP) cameras. The study was the first to investigate the privacy risks of video streaming traffic generated by the cameras and was published at the IEEE International Conference on Computer Communications.
The nature of the study
The joint researchers analyzed over 15.4 million streams of data from 211,000 active home security camera users of both free and paid services. The devices used in the study were IP home security cameras directly connected to the internet and which do not require a computer to upload data. Some of the brands investigated include 360, Hikvision, Nest, Netgear, and Xiaomi.
Privacy risks found in the home security cameras
The associated privacy risks originate from the operational design of the home security cameras. To keep production costs low, the cameras are designed to upload data every time motion is detected. The volume of data uploaded in the unencrypted form increased when motion was detected.
This creates a predictable pattern that allows third parties to know when someone was present at home without the need to watch the footage.
The attackers could monitor the traffic from home security cameras over an extended period and discover the pattern. Using this information, they could predict when the homeowner was most likely to be in the house.
Dr. Gareth Tyson, a Senior Lecturer at Queen Mary University of London, said the attacker requires modest technical knowledge to monitor the data, although there was a chance that someone could develop a program for that purpose and sell it online.
The researchers noted that they had not witnessed this form of attack in the wild, but it remains a possibility.
The study authors found that the privacy risks were present even on brands such as Xiaomi and Google-owned Nest.
Mitigating the privacy risks
The researchers said vendors should randomly inject data into their systems to mitigate the privacy risks stemming from the predictable pattern generated by motion detection. They were also working on ways to maintain video clarity after injecting the electronic noise into the home security cameras.
The scientists advocated for the development of intelligent home security cameras that understood the privacy risks associated with predictably uploading data. Such cameras could assess the level of risk associated with the motion detected and only upload when threats were found. For example, the camera could ignore motion associated with pets or children and only upload when a human intruder was detected.
Home security cameras have become very popular, with the global market expected to reach $1.3 billion by 2023. The increase in the number of home security cameras will open a new attack landscape, thus putting more people at risk. While the research did not dwell on the risks associated with uploading data in unencrypted form, IP camera vendors should also address the issue to reduce the possibility of interception of live video footage.