Internet-connected cameras placed inside your home might allow would-be burglars to easily determine when nobody is home, even if the evildoers can neither access your video feeds nor see the cameras.
Most Internet of Things (IoT) cameras record and transmit information – usually video feeds or files themselves – to cloud-based storage locations, and do so only when triggered by motion occurring within their lines of sight. As a result, patterns of data transmission from the cameras to relevant cloud providers easily expose when a human being is moving around within a camera-protected home.
While it is important to password-protect all connected devices (including cameras), criminals need not hack cameras in order to obtain sufficient information, nor do they need physical access to the devices; they just need to examine the traffic emanating from the cameras and/or the cameras’ network. In fact, even if video files are stored locally, and no information is transmitted across the Internet by a camera system, or if a VPN is used to prevent monitoring of communications, patterns of transmissions from wireless cameras themselves can potentially still leak relevant, sensitive data; of course, greater technical sophistication is needed in some cases than in others, but, eventually, automated hacker tools may open the door for technical novices to spy in most scenarios.
Encryption, while important, will not on its own solve the problem either. Criminals (or others) need not be able to view the video feeds or files – all they need to know is when video is being recorded, which can often be determined simply by seeing that a camera is transmitting or seeing that communications are being sent to a relevant cloud provider.
A demonstration exploiting the aforementioned weaknesses to reveal, based on camera transmissions, that homes were empty, was recently conducted by researchers from Queen Mary University of London and the Chinese Academy of Science. In some cases, in which cameras were present in multiple areas of a home, researchers were able to go further, and determine additional privacy-compromising information from camera feeds – such as where in the home people were located at what times; obviously, all sorts of potentially private information can be extrapolated from such data.
While the new research focused on IoT cameras, the risk of exposing sensitive information by the pattern of transmission from devices – rather than from the content of such transmissions – has been well known for decades; the possibility of data leaking in such a fashion is one of the reasons that many sensitive environments either regularly send random transmissions, or, whenever possible, transmit constantly. (Transmitting constantly also makes it difficult for any unauthorized listener to determine when real communications begin and end, which also complicates attempts at cryptanalysis.)
Ideally, IoT camera manufacturers would offer similar options in their products. Until then, however, we should ask:
How can you best protect against criminals learning from your camera feeds that nobody is home?
Here are some suggestions:
1. Turn off internal cameras when you are home
If possible, turn off internal cameras when you are home – while you can deactivate cameras manually (usually from an app), many smart camera systems allow you to configure cameras to automatically stop recording and transmitting if you turn off your alarm or enter a specific room while carrying a specific phone/device.
2. Set your cameras to transmit constantly
Alternatively, set your cameras to transmit constantly. If that is not feasible, consider at least “going live” when you are not home. Many IoT cameras allow you to use an app to see what they see as they see it – which means the cameras will transmit even when there is no motion.
3. Secure your cameras and their environment
Of course, if a hacker breaches one or more of your cameras, the monitoring of camera data transmission patterns will be the least of your problems. So, do not use cameras that cannot be properly secured, and do not connect cameras to networks that cannot be properly secured. Instead, secure the cameras and the network to which they are attached, and make sure that each and every device is transmitting using either a wired connection (preferred) or a properly encrypted wireless connection. Keep all cameras up to date with software patches. And, if you are connecting cameras to a network to which other devices are connected, be sure that those devices are secure, too.
Of course, these recommendations are for a typical home user – if you are looking to secure a more sensitive environment there are other techniques available, many of which may not be palatable for most other folks.
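To check whether suggestion 2 is actually working on your own camera, you can compare how much its upload volume varies in motion-triggered mode versus constant-transmit mode. The following Python sketch is an added example, not part of the research described above; it assumes you can export per-minute upload byte counts for the camera from your own router, and the two traces and both thresholds are constructed for illustration.

```python
from statistics import mean, median, pstdev

def upload_profile(bytes_per_minute, burst_factor=5.0):
    """Summarise how much one camera's upload volume varies over time.

    bytes_per_minute: upload byte counts per minute for a single camera,
    e.g. from your own router's per-device counters (assumed input format).
    """
    if not bytes_per_minute:
        raise ValueError("no samples")
    baseline = median(bytes_per_minute)          # typical (idle) minute
    avg = mean(bytes_per_minute)
    # Coefficient of variation: 0 means perfectly constant traffic.
    cv = pstdev(bytes_per_minute) / avg if avg else 0.0
    # Minutes that stand out from the baseline; max(.., 1) keeps a zero
    # baseline (camera silent when idle) from hiding every burst.
    floor = max(baseline, 1) * burst_factor
    bursts = [i for i, b in enumerate(bytes_per_minute) if b > floor]
    return {"baseline": baseline, "cv": cv, "burst_minutes": bursts}

def reveals_activity(bytes_per_minute, cv_limit=0.25, burst_factor=5.0):
    """True if traffic volume alone separates active minutes from idle ones.

    cv_limit and burst_factor are illustrative thresholds, not standards.
    """
    p = upload_profile(bytes_per_minute, burst_factor)
    return p["cv"] > cv_limit or bool(p["burst_minutes"])

# Constructed samples (bytes uploaded per minute), not real measurements.
MOTION_TRIGGERED = [2_000, 1_800, 2_100, 900_000, 1_200_000,
                    2_000, 1_900, 2_200, 850_000, 2_000]
CONTINUOUS = [1_000_000, 1_050_000, 980_000, 1_020_000, 1_010_000,
              990_000, 1_030_000, 1_000_000, 1_015_000, 995_000]

if __name__ == "__main__":
    for name, trace in (("motion-triggered", MOTION_TRIGGERED),
                        ("continuous", CONTINUOUS)):
        p = upload_profile(trace)
        print(f"{name}: cv={p['cv']:.2f} bursts={p['burst_minutes']} "
              f"reveals_activity={reveals_activity(trace)}")
```

A camera that streams continuously with a variable-bitrate encoder can still send more data when there is motion, so a raised `cv` in constant-transmit mode is worth checking against the camera's bitrate settings.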