Cyber criminals can find out if people are not at home by viewing information sent over Wi-Fi by security cameras, scientists say.
Internet-connected security cameras that track potential burglars, such as Google’s Nest Cam and Amazon’s Ring range, can be attacked by attackers.
These devices, which are becoming an increasingly common feature of people at home, generate huge amounts of hackable personal data.
British and Chinese researchers were given access to a dataset of smart home camera uploads from an unnamed device manufacturer.
They found that online traffic generated by the cameras, which are often caused by motion, can be monitored and used to predict when a house is occupied or not.
A lack of traffic during a working day can indicate that a home owner is absent, for example, and makes the house vulnerable to burglary if it is linked to address data.
Scroll down for video
Investigators from the Chinese Academy of Sciences and Queen Mary University of London tested whether an attacker could infer privacy-compromising information about a camera owner by simply passively following the uploaded data without inspecting the video content itself
Home IP security cameras are connected to the Internet and can be installed in homes. Many have the option for owners to remotely track them online via a Wi-Fi link.
This connection – and when activated – can be hijacked by hackers, even if the content of the videos is encrypted.
These cameras are gaining popularity and the global market is expected to reach $ 1.3 billion by 2023.
“Once considered a luxury item, these cameras are now commonplace in homes around the world,” said Dr. Gareth Tyson, a senior lecturer in internet data science at Queen Mary University of London who collaborated with researchers from the Chinese Academy of Sciences in Beijing .
As they become ubiquitous, it is important to continue to study their activities and potential privacy risks.
While countless studies have looked to our best knowledge of online video streaming, such as YouTube and Netflix, this is the first study to look in detail at the video streaming traffic generated by these cameras and quantifying the risks involved.
“By understanding these risks, we can now look for ways to minimize the risks and protect the privacy of users.”
In fact, the researchers found that future activity in the home could be predicted based on past traffic generated by the camera, putting users at greater risk of burglary by discovering when the house was empty
WHAT IS THE INTERNET OF THINGS?
Although the term ‘Internet of Things’ (IoT) first appeared in 2005, there is still no generally accepted definition.
The term generally describes a concept involving normal everyday objects that connect to the internet.
IoT includes gadgets purchased by consumers, as well as products and services designed for businesses to help machines communicate with each other.
Almost anything can be turned into an IoT device – from watches to refrigerators and light bulbs.
Most of the internet traffic is now video, dominated by Netflix, YouTube, and live e-sports service Twitch, among others, the researchers say.
However, the advent of cheap cameras with Internet access has resulted in “the arrival of a rather different type of video streaming service.”
While Internet of Things (IoT) security cameras were once considered a luxury, they have since entered the mainstream and brought new privacy and security concerns.
Home security cameras follow an on-demand model, with video streaming only when a user requests it or when motion is detected.
Investigators used data from a “large” home internet protocol (IP) security camera provider, which the team would not disclose to MailOnline.
“We signed an NDA [non-disclosure agreement] in analyzing their data, ”said Dr. Tyson.
“In fact, this company shared data that allowed us to characterize the magnitude of the problem for hundreds of thousands of users.”
The dataset included 15.4 million streams from 211,000 active users and included a mix of free and premium users.
Internet-connected security cameras to track potential burglars, such as Google’s Nest Cam and Amazon’s Ring range, can be disrupted by attackers
Assuming the attacker’s role, the scientists evaluated the potential privacy risks to users of the increasingly popular security equipment.
Investigators tested whether a real attacker could gather privacy-compromising information about a camera owner by simply passively following the uploaded data without inspecting the video content itself.
TIPS FOR USERS OF SMART HOME CAMERAS
Change any passwords: Many wireless cameras have weak default passwords, such as ‘admin’.
Set a secure password between any three words you can remember.
Keep your camera up to date: Not only does this keep your devices safe, it often adds new features and other improvements.
When in doubt, unplug or turn off the power: Nobody wants to worry about someone snooping at home, so turn the camera off if you’re concerned.
If you are not using the feature that allows you to access the camera remotely from the Internet, it is recommended that you disable it.
SOURCE: Which one?
Attackers were able to detect when the camera uploaded motion and even distinguish between certain types of motion, such as sitting or running, they found.
This was done without inspecting the video content itself, but by looking at the speed at which cameras uploaded data over the internet.
In fact, scientists found that future activity in the home could be predicted based on past traffic generated by the camera, which could put users at greater risk of burglary by discovering when the house is empty.
An attacker with access to this “passive network data” may be able to infer the camera owner’s household activity by inspecting the home security camera management.
For example, a camera that uploads motion-activated video at 6:00 PM may indicate that family members are coming home at that time.
The team discovered that premium users are more vulnerable to privacy risks due to their heavier usage and the exclusive availability of the motion detection mode, which was not available to normal users.
“Home security cameras have become a commodity likely to increase in use,” the researchers conclude their report.
“Because they are often located in intimate locations, it is important that we continue to investigate their activities and potential risks.”
The findings are presented virtually International IEEE conference on computer communication this week.
According to Javvad Malik, security awareness attorney at KnowBe4, smart home camera companies should implement their own layered controls to ensure IoT devices cannot be accessed from the public internet.
Consumers, meanwhile, can ‘harden’ them whenever possible by changing default passwords.
Consumers should also judge whether all of their IoT devices are essential or just ‘fun to do’.
“It could be the difference between suffering a security incident or not,” Malik told MailOnline.
Boris Cipot, senior security engineer at Synopsys, said that there is currently no standard around the minimum data security and access requirements that IoT devices must meet before they hit stores.
“While users should be encouraged to configure security settings based on their risk appetite, users cannot be expected to be security experts,” Cipot told MailOnline.
“Ultimately, the responsibility lies with device manufacturers who must supply devices for which users are not required to actively configure their devices to be safe.”
WHAT SMART HOUSEHOLD GADGETS ARE VULNERABLE FOR CYBER ATTACKS?
From appliances that order our groceries to smart toys that appeal to our children, high-tech home gadgets are no longer science fiction.
But even if they change our lives, they endanger families by criminal hackers who take advantage of security flaws to gain virtual access to homes.
A June 2017 Which? study examined whether popular smart gadgets and devices, including wireless cameras, a smart padlock, and children’s Bluetooth toys, could withstand a potential hack.
The survey of 15 devices found that eight devices were vulnerable to hacking over the internet, Wi-Fi, or Bluetooth connections.
Eng: Which one? Said ethical hackers broke into the CloudPets toys and let it play its own voice messages. They said any stranger could use the method of talking to outside children
The test showed that the Fredi Megapix CCTV home camera system worked over the internet with a standard administrator account without a password, and which one? found thousands of similar cameras that were available to anyone to view the live feed over the internet.
The watchdog said a hacker could even pan and tilt the cameras to track activity in the house.
SureCloud has hacked CloudPets’ stuffed toy, which allows family and friends to send messages to a child via Bluetooth and let them play their own voice messages.
Which? said it had contacted manufacturers of eight affected products to warn them of flaws as part of the investigation, with the majority updating their software and security.