Here’s the issue. For starters, home security cameras could be tipping off thieves when nobody’s home. New research from the Queen Mary University of London and the Chinese Academy of Sciences shows this. Researchers published their findings at the IEEE International Conference on Computer Communications. Their conclusions suppose that surveillance systems may not be taking care of the security of your house. In fact, they may be doing just the opposite. Burglars don’t even need to see any live video to spy on you. They can tell when you’re not home by looking at how much data a given feed is generating.
The necessity to conduct the research
Let’s take a quick look at the introduction of their very detailed research. ‘The majority of Internet traffic is now video streaming from Netflix, YouTube, Periscope, and Twitch. Yet, the advent of low-cost Internet-enabled cameras has resulted in the arrival of a new, rather different, type of video streaming service […] Although a few years ago these were considered a luxury, they have since entered the mainstream and, with that, we have witnessed emerging privacy and security concerns. Most importantly, their growth is still high. The global HSC market will probably reach $1.3 billion by 2023.
- What are the usage patterns of HSCs?
- How often do motion-triggered cameras upload videos, and what percentage of them will be watched?
- What level of predictability do motion-triggered uploads and user access patterns have?
- Are there any privacy risks, and could a tractable adversary exploit them?
- What mitigation would address these privacy concerns?
HSC vs. traditional video streaming platforms?
HSCs are standalone devices that connect to the Internet. They don’t need an attached computer. They stream content to a cloud platform, which makes it accessible in a remote mode (often without any local storage). Secondly, HSCs are “unicast” in nature. The owner of the camera is the only one that can view the content. It means that the content is private. Lastly, HSCs follow an on-demand model. This means video streaming begins only when a user requests it, or when motion is observed.
What is the drawback?
The main takeaway is that the on-demand functionality may constitute a privacy leak. An attacker with access to passive network data may be able to infer the camera owner’s household activity by inspecting HSC traffic. And it boils down only to the pure volume of data! In other words, when the camera uploads video footage to the cloud, there is more data when the camera is recording something moving.
The correspondence between the traffic rate and the working state of the camera
The smart houses’ arrival has brought with it many conveniences. The most appreciated one is the ability to keep tabs on your house while you’re away. However, it turns out that your home security camera could be betraying you. For example, it could be doling out intel to hackers and alerting them that you’re away from home. Gareth Tyson, a senior lecturer at the Queen Mary University of London, underlines: ‘As they become more ubiquitous, it is important to continue to study their activities and potential privacy risks.’
The course of the study
To conduct the study, the team obtained a dataset from a major home security camera provider in China (15.4 million streams from 211,000 active users). The devices are internet-connected IP home security cameras that don’t need a computer to upload streams online.
Among them: 360, Nest, Netgear, Hikvision, and Xiaomi. They stream directly to a cloud platform, making all video content remotely accessible for users, without relying on any local storage.
Bad actors can passively track the uploaded data to determine whether the home is occupied at a given time. Burglars could even discern between certain types of motion, including sitting or running. A skilled hacker can create a program to automate the process. Sounds terrifying, doesn’t it? However, there’s an antidote.
How to protect ourselves?
To make it difficult to discover a pattern, camera owners need to pump some random data into their systems. This way, potential burglars will have a hard time discerning a pattern. We can protect ourselves by artificially triggering camera activity to introduce noise to the data stream. Place a moving object, like a clock or a metronome, in front of the camera. Thanks to that you’ll scramble any patterns and make it impossible to come to any accurate conclusions.