Ben-Gurion University of the Negev researchers have demonstrated that security cameras infected with malware can receive covert signals and leak sensitive information from the very same surveillance devices used to protect facilities.
Infrared (IR) light is invisible to humans, but cameras are optically sensitive to it. They are also equipped with IR LEDs (used for night vision), which can be used to send out data.
The researchers have devised several encoding schemes for the data, and used the cameras’ own APIs to control the IR LEDs.
“In the exfiltration scenario, malware within the organization access the surveillance cameras across the local network and controls the IR illumination. Sensitive data such as PIN codes, passwords, and encryption keys are then modulated, encoded, and transmitted over the IR signals. An attacker in a public area (e.g., in the street) with a line of sight to the surveillance camera records the IR signals and decodes the leaked information,” researchers explained.
“In an infiltration scenario, an attacker standing in a public area (e.g., in the street) uses IR LEDs to transmit hidden signals to the surveillance camera(s). Binary data such as command and control (C&C) and beacon messages are encoded on top of the IR signals. The signals hidden in the video stream are then intercepted and decoded by the malware residing in the network.”
Data can be exfiltrated at a rate of 20 bit/sec per camera, and infiltrated at a rate of over 100 bit/sec per surveillance camera, but the transmission rates can be upped if the attackers use several cameras.
To receive the exfiltrated data, attackers must be positioned within tens to hundreds of meters away from the target camera – if they are in its line of sight. Sending the data into the network through the camera can be effected from hundreds of meters to kilometers away from the camera. If the attackers are not in line-of-sight of the cameras, the maximum distance for the techniques to work is tens of meters.