Chapter

Spying on the Spy: Security Analysis of Hidden Cameras

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

Hidden cameras, also called spy cameras, are surveillance tools commonly used to spy on people without their knowledge. Whilst previous studies largely focused on investigating the detection of such a camera and the privacy implications, the security of the camera itself has received limited attention. Compared with ordinary IP cameras, spy cameras are normally sold in bulk at cheap prices and are ubiquitously deployed in hidden places within homes and workplaces. A security compromise of these cameras can have severe consequences. In this paper, we analyse a generic IP camera module, which has been packaged and re-branded for sale by several spy camera vendors. The module is controlled by mobile phone apps available on iOS and Android. By analysing the Android app and the traffic data, we reverse-engineered the security design of the whole system, including the module’s Linux OS environment, the file structure, the authentication mechanism, the session management, and the communication with a remote server. Serious vulnerabilities have been identified in every component. Combined together, these vulnerabilities allow an adversary to take complete control of a spy camera from anywhere over the Internet, enabling arbitrary code execution. This is possible even if the camera is behind a firewall. All that an adversary needs to launch an attack is the camera’s serial number, which users sometimes unknowingly share in online reviews. We responsibly disclosed our findings to the manufacturer. Whilst the manufacturer acknowledged our work, they showed no intention to fix the problems. Patching or recalling the affected cameras is infeasible due to complexities in the supply chain. However, it is prudent to assume that bad actors have already been exploiting these flaws. We provide details of the identified vulnerabilities in order to raise public awareness, especially on the grave danger of disclosing a spy camera’s serial number.KeywordsInternet of ThingsSecurityVulnerabilityIP CameraSpy Camera

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... Given the near-universal adoption of embedded cameras and the critical information they could capture such as the private activities and personnel information in offices and households, it is imperative to prevent unauthorized access to camera data. While previous research examined the data eavesdropping vulnerabilities in networked IP cameras' software stack [3], [15], [23], [38], the hardware design of these embedded camera devices has not been scrutinized yet. To understand the threats more thoroughly, our work investigates a § Yan Long and Qinhong Jiang are co-first authors. ...
... Ling et al. demonstrated the feasibility of performing an online brute-force attack to uncover IP camera's password because many cameras only have only four-digits long passwords [23]. Herodotou et al. found that a generic camera module used by many spy camera manufacturers can be controlled by adversaries over the internet as long as the serial number of the camera is known [15]. Tekeoglu et al. successfully reconstructed 253 JPEG images from about 20 hours of video track by sniffing an IP camera's unencrypted network traffic [38]. ...
... Processing the wireless traffic data is resource-intensive, especially if the IoT device runs on a battery. The cloud application handles the processing using statistical models based on existing data collected from other spy cameras to identify possible threats [15]. ...
Article
Full-text available
Recently, the spy cameras spotted in private rental places have raised immense privacy concerns. The existing solutions for detecting them require additional support from synchronous external sensing or stimulus hardware such as on/off LED circuits, which require extra obligations from the user. For example, a user needs to carry a smartphone and laboriously perform preset motions (e.g., jumping, waving, and preplanned walking pattern) for synchronous sensing of acceleration signals. These requirements cause considerable discomfort to the user and limit the practicability of prevalent solutions. To cope with this, we propose CSI:DeSpy, an efficient and painless method by leveraging video bitrate fluctuations of the WiFi camera and the passively obtained Channel States Information (CSI) from user motion. CSI:DeSpy includes a self-adaptive feature that makes it robust to detect motion efficiently in multipath-rich environments. We implemented CSI:DeSpy on the Android platform and assessed its performance in diverse real-life scenarios, namely; (1) its reliability with the intensities of physical activities in diverse multipath-rich environments, (2) its practicability with activities of daily living, (3) its unobtrusiveness with passive sensing, and (4) its robustness to different network loads. CSI:DeSpy attained average detection rates of 96.6%, 96.2%, 98.5%, and 93.6% respectively.
Article
Full-text available
Spy cameras planted in various private places, such as motels, hotels, homestays ( i.e., Airbnb), and restrooms, have raised immense privacy concerns. Wi-Fi spy cameras are used extensively by various adversaries because of easy installability, followed by size reduction. To prevent invasions of privacy, most studies have detected wireless cameras based on video traffic analysis and require additional synchronous data from external sensors or stimulus hardware to confirm the user’s motion. Such supplements make the users uncomfortable, requiring extra effort and time for setting. This paper proposes an effective spy camera detection system called DeepDeSpy to detect the recording of a spy camera with no effort from the user. The core idea is using the channel state information (CSI) and the network traffic from the camera to detect whether the wireless camera records the movements of the user. The CSI signal is prone to motion, and detecting motion from an enormous amount of CSI data in real-time is challenging. This was handled by leveraging the convolutional neural network (CNN) and bidirectional long short-term memory (BiLSTM) deep learning methods. Such synergistic CNN and BiLSTM deep learning models enable instant and accurate detection by automatically extracting meaningful features from the sequential raw CSI data. The feasibility of DeepDeSpy was verified by implementing it on both a PC and a smartphone and evaluating it in real-life scenarios (e.g., various room sizes and user physical activities). The average accuracy achieved in different real-life settings was approximately 96%, reaching 98.9% with intensive physical activity in the large-size room. Moreover, the ability to achieve instant detection on a smartphone within only a one-second response time makes it workable for real-time applications.
Conference Paper
Full-text available
While the Internet of Things (IoT) applications and devices expanded rapidly, security and privacy of the IoT devices emerged as a major problem. Current studies reveal that there are significant weaknesses detected in several types of IoT devices moreover in several situations there are no security mechanisms to protect these devices. The IoT devices' users utilize the internet for the purpose of control and connect their machines. IoT application utilization has risen exponentially over time and our sensitive data is captured by IoT devices continuously, unknowingly or knowingly. The motivation behind this paper was the vulnerabilities that exist at the IP cameras. In this study, we undertake a more extensive investigation of IP cameras' vulnerabilities and demonstrate their effect on users' security and privacy through the use of the Kali Linux penetration testing platform and its tools. For this purpose, the paper performs a hands-on test on an IP camera with the name (“Intelligent Onvif YY HD”) to analyzes the security elements of this device. The results of this paper show that IP cameras have several security lacks and weaknesses which these flaws have multiple security impacts on users.
Conference Paper
Full-text available
The rapid proliferation of wireless video cameras has raised serious privacy concerns. In this paper, we propose a stimulating-and-probing approach to detecting wireless spy cameras. The core idea is to actively alter the light condition of a private space to manipulate the spy camera's video scene, and then investigates the responsive variations of a packet flow to determine if it is produced by a wireless camera. Following this approach, we develop Blink and Flicker -- two practical systems for detecting wireless spy cameras. Blink is a lightweight app that can be deployed on off-the-shelf mobile devices. It asks the user to turn on/off the light of her private space, and then uses the light sensor and the wireless radio of the mobile device to identify the response of wireless cameras. Flicker is a robust and automated system that augments Blink to detect wireless cameras in both live and offline streaming modes. Flicker employs a cheap and portable circuit, which harnesses daily used LEDs to stimulate wireless cameras using human-invisible flickering. The time series of stimuli is further encoded using FEC to combat ambient light and uncontrollable packet flow variations that may degrade detection performance. Extensive experiments show that Blink and Flicker can accurately detect wireless cameras under a wide range of network and environmental conditions.
Conference Paper
Full-text available
Peer-to-Peer (P2P) networks work on the presumption that all nodes in the network are connectable. However, NAT boxes and firewalls prevent connections to many nodes on the Internet. For UDP based protocols, the UDP hole-punching technique has been proposed to mitigate this problem. This paper presents a study of the efficacy of UDP hole punching on the Internet in the context of an actual P2P network. To the best of our knowledge, no previous study has provided similar measurements. Our results show that UDP hole punching is an effective method to increase the connectability of peers on the Internet: approximately 64% of all peers are behind a NAT box or firewall which should allow hole punching to work, and more than 80% of hole punching attempts between these peers succeed.
Article
Full-text available
Many authentication schemes depend on secret passwords. Unfortunately, the length and randomness of user-chosen passwords remain fixed over time. In contrast, hardware improvements constantly give attackers increasing computational power. As a result, password schemes such as the traditional UNIX user-authentication system are failing with time.
Article
Hidden cameras in sensitive locations have become an increasing threat to personal privacy all over the world. Because the camera is small and camouflaged, it is difficult to detect the presence of the camera with naked eyes. Existing works on this subject have either only covered using wireless transmission to detect cameras, or using other methods which are cumbersome in practical use. In this paper, we introduce a new direction that leverages the unintentional electromagnetic (EM) emanations of the camera to detect it. We first find that the digital output of the camera's image sensor will be amplitude-modulated to the EM emanations of the camera's clock. Thus, changes in the scope of the camera will directly cause changes in the camera's EM emanations, which constitutes a unique characteristic for a hidden camera. Based on this, we propose a novel camera detection system named CamRadar, which can filter out potential camera EM emanations from numerous EM signals quickly and achieve accurate hidden camera detection. Benefitting from the camera's EM emanations, CamRadar will not be limited by the camera transmission types or the detection angle. Our extensive real-world experiments using CamRadar and 19 hidden cameras show that CamRadar achieves a fast detection (in 16.75s) with a detection rate of 93.23% as well as a low false positive rate of 3.95%.
Article
Wireless cameras are widely deployed in surveillance systems for security guarding. However, the privacy concerns associated with unauthorized videotaping, are drawing an increasing attention recently. Existing detection methods for unauthorized wireless cameras are either limited by their detection accuracy or requiring dedicated devices. In this paper, we propose DeWiCam, a lightweight and effective detection mechanism using smartphones. The basic idea of DeWiCam is to utilize the intrinsic traffic patterns of flows from wireless cameras. Compared with traditional traffic pattern analysis, DeWiCam is more challenging because it cannot access the encrypted information in the data packets. Yet, DeWiCam overcomes the difficulty and can detect nearby wireless cameras reliably. To further identify whether a camera is in an interested room, we propose a human-assisted identification model. Extension functions of DeWiCam enable the video resolution and audio channel inference to provide further protection. We implemented DeWiCam on the Android platform and evaluated it with extensive experiments on 20 cameras. The evaluation results show that DeWiCam can detect cameras with an accuracy of 99% within 2.7 s.
Conference Paper
Wireless cameras are widely deployed in surveillance systems for security guarding. However, the privacy concerns associated with unauthorized videotaping, are drawing an increasing attention recently. Existing detection methods for unauthorized wireless cameras are either limited by their detection accuracy or requiring dedicated devices. In this paper, we propose DeWiCam, a lightweight and effective detection mechanism using smartphones. The basic idea of DeWiCam is to utilize the intrinsic traffic patterns of flows from wireless cameras. Compared with traditional traffic pattern analysis, DeWiCam is more challenging because it cannot access the encrypted information in the data packets. Yet, DeWiCam overcomes the difficulty and can detect nearby wireless cameras reliably. To further identify whether a camera is in an interested room, we propose a human-assisted identification model. We implement DeWiCam on the Android platform and evaluate it with extensive experiments on 20 cameras. The evaluation results show that DeWiCam can detect cameras with an accuracy of 99% within 2.7 s.
Using a nanny cam in the home
  • F Laljee
Many Airbnbs have cameras installed, especially in the US
  • D Janssen