How Easily Can Hackers Use IR Lights to Steal Data through Cameras?

While researchers say data can be stolen through security cameras’ infrared lights, a security expert says it is no easy feat.

Researchers say surveillance cameras can be used for exfiltration and infiltration from different angles and positions.

Researchers at Israel’s Ben-Gurion University of the Negev have discovered how hackers can use IR security cameras “to establish bi-directional covert communication between the internal networks of organizations and remote attackers.”

According to the researchers, hackers can flash the infrared lamp of a camera on and off to transmit data to anyone in range. Because humans cannot see infrared light, nobody nearby would notice that the camera is behaving strangely.

In an exfiltration scenario, malware within an organization accesses surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords and encryption keys is then modulated, encoded and transmitted over the IR signals.

In an infiltration scenario, an attacker standing in a public area can use IR LEDs to transmit hidden signals to a surveillance camera. Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The signals hidden in the video stream are then intercepted and decoded by the malware residing in the network, according to the researchers.

The researchers say the attackers can communicate with the cameras from tens to hundreds of meters away, stating, “Data can be leaked from [a] network at a bit rate of 20 bit/sec (per camera) and be delivered to the network at bit rate of more than 100 bit/sec (per camera).”
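One way a defender could watch for the on/off signalling described above, as an added example that is not from the researchers or the original article: an illuminator that follows day/night switching changes state a few times a day, while a 20 bit/sec channel changes state many times per second. The event format, camera names and thresholds are assumptions, and the sample events are constructed; it presumes the camera or video management system logs IR state changes with timestamps.

```python
from collections import defaultdict, deque


def build_sample_events():
    """Constructed sample events: (unix_time_seconds, camera_id, ir_state)."""
    events = [
        (0.0, "cam-lobby", "on"),       # dusk: illuminator switches on
        (36000.0, "cam-lobby", "off"),  # dawn: illuminator switches off
    ]
    # cam-dock changes state every 50 ms for 3 s, the pattern a
    # 20 bit/sec on/off channel would leave in the log.
    state = "on"
    for i in range(60):
        events.append((1000.0 + i * 0.05, "cam-dock", state))
        state = "off" if state == "on" else "on"
    return sorted(events)


def flag_rapid_ir_toggling(events, window_s=10.0, max_changes=4):
    """Return {camera_id: peak number of IR state changes seen in any
    window_s-second span} for cameras whose peak exceeds max_changes.
    Both thresholds are assumed values to tune per site."""
    recent = defaultdict(deque)  # camera -> timestamps of recent changes
    last_state = {}
    peak = defaultdict(int)
    for ts, cam, state in events:
        if last_state.get(cam) == state:
            continue             # repeated report of the same state
        last_state[cam] = state  # first observation counts as a change
        q = recent[cam]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()          # drop changes older than the window
        peak[cam] = max(peak[cam], len(q))
    return {cam: n for cam, n in peak.items() if n > max_changes}


if __name__ == "__main__":
    for cam, n in flag_rapid_ir_toggling(build_sample_events()).items():
        print(f"{cam}: {n} IR state changes within 10 s")
```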

This all happens unbeknownst to the end user. Fortunately for them, SSI asked resident security expert Bob Grossman for his take on the findings, and he disagrees:

This is just silly.

While it is possible in theory, you’d need to modify the hardware on the camera and the system software to do it. You don’t have very fine control over camera IR lighting, and there’s significant latency (the lag between when you tell the light to go on and when it goes on) so I don’t know how you’d flash the lights on any commercially available camera. And high security installations generally use light as well, meaning they can disable the IR illuminators either in hardware or software.

So, this isn’t something someone could do to an existing system just by hacking into an installation. And with proper network design, cameras are isolated from the outside world so there’s no direct access to their firmware.

But it’s an interesting “what if” story…

So there you have it. Instead of worrying about getting hacked through your IR cameras, focus on having a solid password for your network and changing any default login credentials that come with your security cameras.


The above article originally ran in Campus Safety’s sister publication Security Sales & Integration.
