Spying on the spy : security analysis of hidden cameras
Herodotou, Samuel and Hao, Feng (2023) Spying on the spy : security analysis of hidden cameras. In: NSS 2023: 17th International Conference on Network and System Security, University of Kent, Canterbury, UK, 14-16 Aug 2023. Published in: Lecture Notes in Computer Science, 13983 pp. 345-362. ISBN 9783031398278. doi:10.1007/978-3-031-39828-5_19 ISSN 0302-9743.
PDF: WRAP-spying-on-the-spy-security-analysis-hidden cameras-2023.pdf - Accepted Version. Embargoed item. Restricted access to Repository staff only until 7 August 2025. Contact author directly, specifying your specific needs.
Official URL: https://doi.org/10.1007/978-3-031-39828-5_19
Abstract
Hidden cameras, also called spy cameras, are surveillance tools commonly used to spy on people without their knowledge. Whilst previous studies largely focused on investigating the detection of such a camera and the privacy implications, the security of the camera itself has received limited attention. Compared with ordinary IP cameras, spy cameras are normally sold in bulk at cheap prices and are ubiquitously deployed in hidden places within homes and workplaces. A security compromise of these cameras can have severe consequences. In this paper, we analyse a generic IP camera module, which has been packaged and re-branded for sale by several spy camera vendors. The module is controlled by mobile phone apps available on iOS and Android. By analysing the Android app and the traffic data, we reverse-engineered the security design of the whole system, including the module’s Linux OS environment, the file structure, the authentication mechanism, the session management, and the communication with a remote server. Serious vulnerabilities have been identified in every component. Combined together, these vulnerabilities allow an adversary to take complete control of a spy camera from anywhere over the Internet, enabling arbitrary code execution. This is possible even if the camera is behind a firewall. All that an adversary needs to launch an attack is the camera’s serial number, which users sometimes unknowingly share in online reviews. We responsibly disclosed our findings to the manufacturer. Whilst the manufacturer acknowledged our work, they showed no intention to fix the problems. Patching or recalling the affected cameras is infeasible due to complexities in the supply chain. However, it is prudent to assume that bad actors have already been exploiting these flaws. We provide details of the identified vulnerabilities in order to raise public awareness, especially on the grave danger of disclosing a spy camera’s serial number.
Item Type: | Conference Item (Paper)
---|---
Divisions: | Faculty of Science, Engineering and Medicine > Science > Computer Science
Series Name: | Lecture Notes in Computer Science
Journal or Publication Title: | Lecture Notes in Computer Science
Publisher: | Springer
ISBN: | 9783031398278
ISSN: | 0302-9743
Official Date: | 7 August 2023
Volume: | 13983
Page Range: | pp. 345-362
DOI: | 10.1007/978-3-031-39828-5_19
Status: | Peer Reviewed
Publication Status: | Published
Reuse Statement (publisher, data, author rights): | This version of the contribution has been accepted for publication, after peer review (when applicable) but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: http://dx.doi.org/10.1007/978-3-031-39828-5_19. Use of this Accepted Version is subject to the publisher’s Accepted Manuscript terms of use https://www.springernature.com/gp/open-research/policies/accepted-manuscript-terms.
Access rights to Published version: | Restricted or Subscription Access
Copyright Holders: | © 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Date of first compliant deposit: | 31 May 2023
Conference Paper Type: | Paper
Title of Event: | NSS 2023: 17th International Conference on Network and System Security
Type of Event: | Conference
Location of Event: | University of Kent, Canterbury, UK
Date(s) of Event: | 14-16 Aug 2023