In the area of the Internet of Things, cloud-based camera surveillance systems are ubiquitously available for industrial and private environments. However, the sensitive nature of the surveillance use case imposes high requirements on the privacy/confidentiality, authenticity, and availability of such systems. In this work, we investigate how currently available mass-market camera systems comply with these requirements. Considering two attacker models, we test the cameras for weaknesses and analyze their implications. We reverse-engineered the security implementation and discovered several vulnerabilities in every tested system. These weaknesses impair the users' privacy and, as a consequence, may also damage the camera system manufacturer's reputation. We demonstrate how an attacker can exploit these vulnerabilities to blackmail users and companies through denial-of-service attacks, injection of forged video streams, and eavesdropping on private video data, even without physical access to the device. Our analysis shows that, in practice, current systems lack the necessary care in implementing security for IoT devices.